The EDUCAUSE Higher Education Information Security Council (HEISC) launched the latest version of the Higher Education Community Vendor Assessment Toolkit (HECVAT and HECVAT Lite v3). The new version has gone through a substantial overhaul to ensure the questions reflect the modern cloud research environment. More information about the new and improved HECVAT can be found on EDUCAUSE’s website.
The HECVAT is designed specifically for colleges and universities to measure vendor risk. It is presented as a questionnaire that focuses on the unique needs of a college or university. It can also be used by solution providers to demonstrate their organization’s adherence to the security expectations outlined by the HEISC. Providers are encouraged to fill out the HECVAT and share it in the Community Broker Index.
During the development of v3 of the HECVAT and HECVAT Lite, the HEISC Shared Assessments Working Group reached out to representatives of the higher ed community with expertise in industry standards (e.g., CIS Security Controls, HIPAA, ISO 27002:2013, various NIST frameworks, and the Trusted CI Framework) to conduct a “crosswalk.” Trusted CI contributed to the crosswalk by mapping the HECVAT questions to one or more of the 16 Musts in the Trusted CI Framework. Trusted CI has also published guidance on applying the HECVAT for NSF research projects.
Our collaboration with EDUCAUSE on the HECVAT v3 was prompted by Trusted CI’s recent engagement with Ohio Supercomputer Center. We are very proud to have contributed to this important project. During our Fall 2021 engagement, OSC successfully completed the HECVAT-Lite Version 3 questionnaire on request by a research project at another university that planned to use OSC’s HPC services. OSC's HECVAT can be accessed through the Community Broker Index.
Trusted CI will be presenting a webinar on the new version of the HECVAT on Monday January 24th at 11am Eastern. Registration information is available at trustedci.org/webinars.
