ABGHIJKLMNOPQRSTUVWXYZ
1
Worksheet to introduce the Higher Education Community Vendor Assessment Toolkit (HECVAT) and explain what it is.
2
3
Shared Assessments Introduction
4
5
Campus IT environments are rapidly changing, and the speed of cloud service adoption is increasing. Institutions looking for ways to do more with less see cloud services as a good way to save resources. As campuses deploy or identify cloud services, they must ensure the cloud services are appropriately assessed for managing the risks to the confidentiality, integrity, and availability of sensitive institutional information and the PII of constituents. Many campuses have established a cloud security assessment methodology and resources to review cloud services for privacy and security controls. Other campuses don’t have sufficient resources to assess their cloud services in this manner. On the vendor side, many cloud services providers spend significant time responding to the individualized security assessment requests made by campus customers, often answering similar questions repeatedly. Both the provider and consumer of cloud services are wasting precious time creating, responding to, and reviewing such assessments.
6
7
The Higher Education Community Vendor Assessment Toolkit (HECVAT) attempts to generalize higher education information security and data protections and issues for consistency and ease of use. Some institutions may have specific issues that must be addressed in addition to the general question sets provided in the toolkit. It is anticipated that the HECVAT will be revised over time to account for changes in services provisioning and the information security and data protection needs of higher education institutions.
8
9
The Higher Education Community Vendor Assessment Toolkit:
10
● Helps higher education institutions ensure that vendor services are appropriately assessed for security and privacy needs, including some that are unique to higher education.
11
● Allows a consistent, easily adopted methodology for campuses wishing to reduce costs through vendor services without increasing risks.
12
● Reduces the burden that service providers face in responding to requests for security assessments from higher education institutions.
13
14
The Higher Education Community Vendor Assessment Toolkit is a suite of tools built around the original HECVAT (known now as HECVAT - Full) to allow institutions to adopt, implement, and maintain a consistent risk/security assessment program. Tools include:
15
HECVAT - Triage: Used to initiate risk/security assessment requests; review to determine assessment requirements
16
HECVAT - Full: Robust questionnaire used to assess the most critical data-sharing engagements
17
HECVAT - Lite: A lightweight questionnaire used to expedite the process
18
HECVAT - On-Premise: Unique questionnaire used to evaluate on-premise appliances and software
19
20
The HECVAT (and Toolkit) was created by the Higher Education Information Security Council Shared Assessments Working Group. Its purpose is to provide a starting point for the assessment of vendor provided services and resources.  
21
The current version, documentation, and other information about HECVAT can be found at:
22
https://www.educause.edu/hecvat
23
24
A listing of completed HECVATs can be found in the REN-ISAC Community Broker Index at:
25
https://www.ren-isac.net/hecvat/cbi.html
26
27
Connect with your higher education peers by joining the EDUCAUSE HECVAT Users Community Group at https://connect.educause.edu
28
29
If you would like to reach out to the HECVAT Team, we can be reached at: hecvat@educause.edu.
30
31
(C) EDUCAUSE 2023
32
This work is licensed under a Creative Commons Attribution-Noncommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
33
34
This Higher Education Cloud Vendor Assessment Toolkit is brought to you by the Higher Education Information Security Council, and members from EDUCAUSE, Internet2, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
35
Proceed to the next tab, Instructions.
36
End of worksheet
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100