Jotform Enterprise

HECVAT

Higher Education Cloud Vendor Assessment Toolkit

About HECVAT

The Higher Education Community Vendor Assessment Toolkit, also known as HECVAT, is a self-assessment questionnaire framework used by higher education institutions to ensure that their cloud services and software vendors meet security and data standards. HECVAT was created by the Higher Education Information Security Council (HEISC), with help from EDUCAUSE, Internet2, and REN-ISAC. The tools in the assessment are standardized to make sure that the majority of higher education institutions follow the same security protocols and practices.

As of 2023, Jotform is proud to announce that we have completed the HECVAT self-assessment for Jotform Enterprise. You can create your education forms and apps with peace of mind using Jotform Enterprise.

Jotform's HECVAT self-assessments are available on REN-ISAC's Cloud Broker Index.

What is HECVAT, and why is it important?

Introduction

What is HECVAT? Though it may sound like one of those words you couldn’t quite pronounce in your high-school German class, HECVAT is actually an American acronym related to information security in higher education.

More than 150 private and public universities across the country — including Carnegie Mellon, Princeton, and Rice — use HECVAT as a way to assess vendor risk.

But there’s more to HECVAT than we can sum up in a single paragraph, which is why we created this detailed article. Keep reading to learn more about HECVAT and its assessment tools in the sections below.

What is HECVAT?

HECVAT stands for the Higher Education Community Vendor Assessment Toolkit. The Higher Education Information Security Council (HEISC) created it in collaboration with the computer networking consortium Internet2 and cybersecurity alliance REN-ISAC.

The HECVAT is a suite of tools designed to help higher education institutions measure vendor risk with regard to information security. As part of the vendor evaluation process, colleges and universities may ask vendors to complete one of several HECVAT questionnaires to affirm that sufficient information and cybersecurity policies are in place to protect institutions’ sensitive information and the personally identifiable information (PII) of students, staff, and other stakeholders.

About HECVAT’s collaborators

HECVAT questionnaires are trusted evaluation tools because three expert information networking and security teams cooperatively developed them:

  • HEISC. Established in 2000, HEISC is a team of information security and privacy professionals dedicated to helping higher education institutions improve information security governance, compliance, and data protection.
  • Internet2. Formally titled the University Corporation for Advanced Internet Development (UCAID), Internet2 is a nonprofit consortium that includes higher education and research institutions, government entities, corporations, and cultural organizations. Its purpose is to provide a “secure high-speed network, cloud solutions, research support, and services tailored for research and education.”
  • REN-ISAC. The Research and Education Networks Information Sharing and Analysis Center is an international alliance that provides cybersecurity news reports, alerts, and advisories, along with analysis of cybersecurity threats and mitigation solutions. The alliance has over 700 member institutions.

Why is HECVAT important?

According to a 2022 survey by cybersecurity firm Sophos, 64 percent of higher ed institutions experienced at least one ransomware attack in 2021, up from 44 percent in 2020. A staggering 74 percent of these attacks were successful. Compare this success rate to the global average of 65 percent.

Ransomware attacks have a material impact on organizations, especially those in higher education. The Sophos survey notes that nearly all (97 percent) higher ed respondents in the public sector stated that an attack had impacted their ability to operate, while 96 percent of higher ed respondents in the private sector said an attack caused their institution to lose business or revenue.

Why do these institutions make such an appealing target for bad actors? Consider these factors:

  • They have tons of data. Colleges maintain a wealth of personal data about students and faculty, not to mention research data from government agencies and academic partners.
  • Their networks are more susceptible to attack. Larger, well-established universities tend to maintain legacy systems that often have more vulnerabilities than modern systems. In addition, the numerous personal and campus devices and software that connect to these systems present many opportunities for attacks, especially if individuals who use them prioritize convenience over safety.
  • They have limited budgets. Public and private institutions alike often have limited budgets; they also tend to allocate financial resources to more visible, marketable departments — like athletics — over IT and cybersecurity.

With such troubling cybersecurity trends and the target factors above, it’s no wonder a vendor-assessment framework like HECVAT is needed in higher ed. This toolkit enables colleges to save time, standardize their risk assessment of vendors, and ensure those vendors are appropriately assessed in the areas of security and privacy.

4 HECVAT tools

The HECVAT suite of tools includes four questionnaires that enable higher education institutions to adopt, implement, and maintain a consistent risk and security assessment program. Each questionnaire represents a different level of rigor, and one is actually meant for internal use.

Note: All current versions of these tools are available as downloadable Excel files on the EDUCAUSE HECVAT web page.

1. HECVAT — Triage

Unlike the Full, Lite, and On-Premise tools you’ll learn about below, the Triage tool isn’t meant for vendors to complete — this is a common misunderstanding of those not familiar with HECVAT. Instead, this tool is meant for internal “requesters,” such as departments and individual faculty members who want to share institutional data with a third-party provider or software solution.

Through this tool, the requester documents and summarizes their data-sharing intent, scope, data elements, and technology requirements through about 35 questions across six categories, such as use case, procurement, and institution technology. Completing the questionnaire is a prerequisite to IT initiating a risk and security assessment and using the other tools to assess vendors.

Here are a few example questions:

  • Provide a general summary of your department and the business area that will be housing institution data, utilizing the third-party software/service, and/or requesting integration with an institution’s enterprise system(s).
  • Have you consulted with the institution’s procurement professionals regarding this request for assessment?
  • Describe the institution’s IT responsibilities in support of this third-party software/service, department application, or integration with an enterprise system.

2. HECVAT — Full

Designed to assess the most critical data-sharing engagements, the Full tool asks vendors for answers to over 250 questions about their practices across 20-plus categories, such as HIPAA, vulnerability scanning, documentation, and disaster recovery.

Here are a few example questions for the Full tool:

  • Do your workforce members receive regular training related to the HIPAA Privacy and Security Rules and the HITECH Act?
  • Have your systems and applications had a third-party security assessment completed in the last year?
  • Have you undergone an SSAE 18/SOC 2 audit?
  • Does your organization have a disaster recovery site or a contracted disaster recovery provider?

3. HECVAT — Lite

This condensed version of the Full tool is used to expedite the vendor assessment process while still addressing key security concerns. Vendors complete the Lite tool, which includes about 100 questions across 12 categories, such as IT accessibility, systems management, data center, and incident handling. Categories such as HIPAA and vulnerability scanning, which are included in the Full tool, are not part of this tool.

Here are a few example questions from the Lite tool:

  • Has a third-party expert conducted an accessibility audit of the most recent version of your product?
  • Will the institution be notified of major changes to your environment that could impact the institution’s security posture?
  • Does your company manage the physical data center where the institution’s data will reside?
  • Do you have the capability to respond to incidents on a 24 x 7 x 365 basis?

4. HECVAT — On-Premise

As with the Full and Lite tools, vendors complete the On-Premise tool themselves, and it assesses their risk. The questionnaire is shorter than the other tools, however, and is tailored to on-premise solutions. The tool includes 70 questions across 10 categories, such as database, policies, and firewalls.

Here are a few example questions from the On-Premise tool:

  • Does the database support encryption of specified data elements in storage?
  • Are information security principles designed into the product life cycle?
  • Do you employ host-based intrusion detection?

Additional HECVAT resources

HECVAT offers two other resources for higher ed institutions in addition to the questionnaires:

  • Community Broker Index (CBI). The CBI provides a consistently updated list of vendors willing to share their completed HECVAT assessments. Higher ed institutions can refer to this list to save time in determining risk-suitable vendor solutions.
  • Users Community Group. This group provides higher ed institutions with a forum to share information, best practices, and strategies for using the HECVAT.

How can you use a HECVAT-friendly data-collection tool on your campus?

Jotform Enterprise is a powerful, easy-to-use data-collection tool for educators and administrators at major universities and grade schools alike. It’s also listed in HECVAT’s Community Broker Index, which means you can access its already-completed HECVAT assessments and save time in assessing risk.

How can Jotform work for you?

Jotform offers nearly 2,000 education form templates ranging from teacher evaluations and academic performance questionnaires to scholarship applications. You can build forms in just a few minutes.

Higher education institutions can take advantage of several other key features in addition to forms:

  • Accessibility. Jotform’s forms are Level A and Level AA compliant with WCAG 2.1 standards, so you can create Section 508-friendly forms.
  • Signability. Collect e-signatures from students, parents, staff, and other key stakeholders using Jotform Sign. Automate the signing process to ensure all relevant parties see and sign your document in the right order.
  • Security. Your data is stored in a local data residency center with added SOC 2 compliance. You can also opt into HIPAA features if your campus collects sensitive health information from students or faculty.

Ensure your campus is on track for success with a HECVAT-friendly, affordable solution — education institutions are eligible for a significant discount! Get started with an education data-collection form today.