Evaluate vendor security / HECVAT

Body

Problem

  • How are vendor security assessments evaluated by ISO?

Scope

  • The primary goal of HECVAT is to:
    • Provide a common language for security assessments
    • Allow schools to verify that a vendor's products meet strict regulatory requirements and institutional safety standards
    • Ensure institutions can protect sensitive campus data and ensure that external partners operate with the same level of integrity as the institution itself
    • Miami staff and faculty may use this documentation as a reference for how HECVAT submissions are evaluated by ISO

Resolution

Definition: What is HECVAT?

  • The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a critical framework utilized by colleges and universities to rigorously vet the security and privacy protocols of third-party service providers
  • HECVAT is a standardized assessment framework designed specifically for the unique needs of the higher education sector. It functions as a comprehensive questionnaire that vendors complete to disclose their information security practices

The Assessment Process

The HECVAT workflow is designed to move from data collection to informed decision-making through three distinct phases:

1. Vendor Submission

The process begins when a prospective vendor fills out the HECVAT questionnaire. This document is exhaustive, requiring the vendor to provide detailed evidence regarding:

  • Data Protection: How information is encrypted and stored
  • Incident Response: Plans for managing and reporting data breaches
  • Compliance: Alignment with standards like FERPA, HIPAA, or GDPR

2. Review & Validation

Once submitted, the institution’s information security team performs a deep dive into the responses.

  • Initial Screening: Checking for "deal-breakers" or missing information
  • Verification: The team may request SOC 2 reports, conduct follow-up interviews, or perform technical audits to ensure the vendor's claims match their actual practices

3. Risk Analysis and Final Decision

The final stage involves weighing the vendor’s security posture against the specific needs of the project.

  • Sensitivity Check: Is the vendor handling public directory info or sensitive student records?
  • Stakeholder Review: Security experts and department leaders review the final risk profile
  • Outcome: The vendor is either approved, rejected, or asked to implement specific security remediations before a contract is signed

Notes

User

  • Miami University Staff and Faculty

Environment

  • IT Services Security, Compliance and Risk Management

Details

Article ID: 170021
Created
Mon 5/4/26 10:40 AM
Modified
Thu 5/7/26 2:40 PM
Supported Office or Community
University Community of Students, Staff, and Faculty