The Chancellor’s Office wanted to share a free tool for assessing security risk associated with potential vendors: the Higher Education Community Vendor Assessment Toolkit (HECVAT). The toolkit is created and regularly updated by EDUCAUSE’s Higher Education Information Security Council’s Shared Assessments Working Group.
The HECVAT includes standard questions necessary for a security assessment during procurement processes. While there will often be unique or specialized items that colleges and districts will want to assess that are outside of its scope, there are four toolkits available depending on the type of product being assessed. Additionally, there is a Community Broker Index of products that can provide an already-completed HECVAT. These free tools can be an important component of ensuring proper stewardship of sensitive data through consistent procurement assessment practices.
Further information about the HECVAT, including a community user group that requires membership, is available through EDUCAUSE.
The Chancellor’s Office is working with the CollegeBuys team, housed at the Foundation for California Community Colleges, to determine how HECVATs can be incorporated into their analysis and/or information provided to colleges/districts about systemwide contracts.