Introduction
This guide is for those in departments considering or using external vendors for services that involve handling important University data and services that have high availability requirements. It highlights the use of the Higher Education Community Vendor Assessment Toolkit (HECVAT) in assessing these vendors to ensure they meet the necessary risk standards. This process is vital for protecting our students, customers, and the University from the risks associated with data breaches and service disruptions. Whenever an external vendor handles University data or provides critical services, that vendor becomes a partner in protecting sensitive information and ensuring continuous service availability.
Higher Education Community Vendor Assessment Toolkit (HECVAT)
- What it is: The HECVAT is a standardized questionnaire created by and for the higher education community (universities and colleges). It's designed to help institutions like ours assess how well potential vendors (especially technology service providers) meet our requirements for cybersecurity, data privacy, and compliance with laws like FERPA. Think of it as a detailed checklist that vendors fill out to give us a picture of their security practices.
- Why it matters to you: This is the first major piece of documentation we ask a potential vendor to complete. It provides a broad understanding of a vendor's security posture before diving into specifics. Newer versions include questions on privacy and AI.
- Learn more about the Higher Education Community Vendor Assessment Toolkit
Draft Email to Vendors 📧
Below is a draft email that can be useful for requesting a HECVAT as a part of the IT Procurement Risk Review process.
Subject: St. Cloud State University - Documentation Request
St. Cloud State University is committed to protecting its information assets and ensuring that all third-party solutions meet our institutional security standards.
As part of our IT Risk Review process, we have identified your solution as requiring further evaluation due to its access to or handling of University data. To support this review, we request that you provide a completed Higher Education Community Vendor Assessment Toolkit (HECVAT). This tool helps us better understand your organization’s security posture and how it aligns with our requirements.
You can access the HECVAT templates and guidance here:
https://www.educause.edu/higher-education-community-vendor-assessment-toolkit
If you are unable to provide a completed HECVAT at this time, we would appreciate the opportunity to meet with your team to discuss your security practices. Please let us know who we can work with to coordinate such a meeting.
Along with the HECVAT, please share any additional security-related documentation that supports a timely and thorough risk review. This may include penetration test results, security whitepapers, security program links, or certifications.
Thank you for your cooperation and support. We look forward to working with you to complete this important step in our review process.