How to Use the Higher Education Community Vendor Assessment Toolkit

Fantastic! Your college, university, or company is using the Higher Education Community Vendor Assessment Toolkit (HECVAT). Need help?

Below, you will find details and steps for effectively completing and evaluating a HECVAT.

If you have questions, contact us at [email protected] or join your peers in the HECVAT Users Community Group on EDUCAUSE Connect. We're happy to help!


Getting Started for Institutions

So, you've received a vendor's completed HECVAT. Now what? It's time to review and evaluate their submission. Watch the following video or follow the written instructions below for an overview of how to effectively evaluate a HECVAT.

  • View the yellow tabs labeled “Evaluation.” They include institutional evaluation, high risk evaluation, and privacy analyst evaluation.
  • In each of the evaluation tabs, information will pull from other locations in the worksheet and allow you to evaluate their answers based on your own policies and appetite for risk. At the top, you’ll find the information for the company and the name of the solution the HECVAT has been completed for. Below their information you’ll find a score report, broken down by category.
  • In column C of the score report, you will find a checkbox that allows you to include or exclude any category from the score. As an example, if a product you are evaluating has the ability to process credit cards, the solution provider will have filled out the PCI DSS questions. If you won’t be using that feature in their product, you can uncheck the box for PCI DSS so their answers don’t impact their overall score.
  • Below the score report, you can see all of their answers in one place and change if or how those questions impact their score. There are also a number of qualitative questions that must be evaluated to factor into the score.
  • Starting with the “company information” section, you can see the compliant response for each question, as decided by the volunteers who created the questions. If the solution provider's answer matches the compliant response, the question positively impacts their score. If they do not match, their score is negatively impacted. If you disagree with the compliant response, you can use Column G to mark the score as compliant or non-compliant.
  • Each question has also been assigned a default importance level. Critical importance questions have the biggest impact on score, while those assigned minor importance have the smallest impact on score. You can change the importance of any question using the dropdown in column I. Any question labeled “critical importance” will automatically show in the “High Risk Evaluation” sheet.
  • Lastly, column J is labeled “Non-negotiable.” All questions with the Non-Negotiable box checked will show in the “High Risk Evaluation” sheet. If you would like to do an initial review of the solution, you can check the box in Column J for questions that might be a deal-breaker for the solution and see only those preliminary questions aggregated in the High Risk Evaluation.

Consider the steps below when evaluating a solution provider's HECVAT.

  • Start with a cursory review of the solution provider’s answers. Do their answers give you a sense that they have an understanding of, and commitment to, cybersecurity, privacy, and accessibility?
  • Next, look at the scores in the score report. Are there any categories where the score is lower than you’re comfortable with? Many institutions use a score similar to that of an academic grading scale.
  • For any categories whose scores are concerning, use the “Jump To” link to see the associated questions.
  • If a question’s response does not match the compliant response, review the “Additional Information” column for more context. If the necessary information is missing, you may need to go back to the solution provider and ask them to provide more complete information.
  • Use the “Compliant Override” and “Importance Override” where necessary, including on any qualitative questions.
  • Add to the “Analyst Notes” column where necessary. These cells will populate back to the appropriate solution provider tab. If you choose to send the HECVAT back to the solution provider for more information, they can easily see your notes and add more information to satisfy your request.

The “High Risk Evaluation” tab shows an aggregate of two categories of questions.

  1. Any question marked as “Critical importance” in its default importance, or where the “Importance Override” column has been changed to “Critical Importance.”
  2. Any question where the “Non-negotiable” box has been checked by an institution.

Each of these categories is given a score in the score report. To do a lightweight evaluation of a solution (similar to the HECVAT Lite in previous versions), you can review the score of only those questions marked as “Critical.”

In the question list, “Critical” questions are also noted with an asterisk. If evaluating a solution that is of a low risk to the institution or has access to minimal data, evaluating only those questions marked as critical may be a comprehensive enough review to make an informed decision about the solution.

To do this, start by evaluating only the questions marked with an asterisk in the “Institution Evaluation” tab, adjusting the Compliance and Importance overrides where necessary and adding notes. You can then see a score for those questions and their notes aggregated in the High Risk Evaluation tab.
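The scoring mechanics described in the two sections above (compliant-response matching, importance weighting, category include/exclude, the Compliant and Importance overrides, the Non-negotiable flag, and the High Risk aggregation) can be modelled in a few dozen lines. The following Python is an added illustration, not the HECVAT workbook's own formulas: the numeric importance weights, the question IDs, the category names beyond those named on this page, and the sample vendor answers are all assumptions constructed for the example.

```python
"""Toy model of the HECVAT Institution Evaluation scoring logic.

Added example; the HECVAT workbook's real formulas are not reproduced here.
The weights below are assumed: the text only says that critical questions
have the biggest impact on the score and minor ones the smallest.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Set

IMPORTANCE_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "minor": 1}  # assumed


@dataclass
class Question:
    qid: str
    category: str
    compliant_response: str                    # decided by the question authors
    vendor_response: str                       # from the solution provider's tab
    importance: str                            # default importance level
    compliant_override: Optional[bool] = None  # analyst's "Compliant Override" (column G)
    importance_override: Optional[str] = None  # analyst's "Importance Override" (column I)
    non_negotiable: bool = False               # analyst's "Non-negotiable" box (column J)
    analyst_notes: str = ""

    def effective_importance(self) -> str:
        return self.importance_override or self.importance

    def is_compliant(self) -> bool:
        # The analyst's override wins; otherwise compare answer to compliant response.
        if self.compliant_override is not None:
            return self.compliant_override
        return self.vendor_response.strip().lower() == self.compliant_response.strip().lower()


def _weight(q: Question) -> int:
    return IMPORTANCE_WEIGHT[q.effective_importance()]


def category_scores(questions: Iterable[Question], included: Set[str]) -> Dict[str, float]:
    """Percent of weighted points earned per category; unchecked categories are skipped."""
    earned: Dict[str, int] = {}
    possible: Dict[str, int] = {}
    for q in questions:
        if q.category not in included:
            continue
        w = _weight(q)
        possible[q.category] = possible.get(q.category, 0) + w
        earned[q.category] = earned.get(q.category, 0) + (w if q.is_compliant() else 0)
    return {c: round(100 * earned[c] / possible[c], 1) for c in possible}


def overall_score(questions: Iterable[Question], included: Set[str]) -> float:
    scored = [q for q in questions if q.category in included]
    possible = sum(_weight(q) for q in scored)
    earned = sum(_weight(q) for q in scored if q.is_compliant())
    return round(100 * earned / possible, 1) if possible else 0.0


def critical_only_score(questions: Iterable[Question]) -> float:
    """Lightweight review: score only questions whose effective importance is critical."""
    crit = [q for q in questions if q.effective_importance() == "critical"]
    return overall_score(crit, {q.category for q in crit})


def high_risk_questions(questions: Iterable[Question]) -> List[str]:
    """What the High Risk Evaluation tab aggregates: critical (default or override) or non-negotiable."""
    return [q.qid for q in questions if q.effective_importance() == "critical" or q.non_negotiable]


def apply_overrides(questions: Iterable[Question],
                    compliant: Optional[Dict[str, bool]] = None,
                    importance: Optional[Dict[str, str]] = None,
                    non_negotiable: Iterable[str] = ()) -> List[Question]:
    """Return copies with the analyst's column G / I / J edits applied by question ID."""
    compliant = compliant or {}
    importance = importance or {}
    flagged = set(non_negotiable)
    return [replace(q,
                    compliant_override=compliant.get(q.qid, q.compliant_override),
                    importance_override=importance.get(q.qid, q.importance_override),
                    non_negotiable=q.non_negotiable or q.qid in flagged)
            for q in questions]


# Constructed sample submission (IDs, answers and the "Privacy" category are made up).
SAMPLE = [
    Question("SAMPLE-01", "Company Information", "Yes", "Yes", "medium"),
    Question("SAMPLE-02", "Company Information", "Yes", "No", "minor"),
    Question("SAMPLE-03", "Privacy", "Yes", "Yes", "critical"),
    Question("SAMPLE-04", "Privacy", "Yes", "No", "high", non_negotiable=True),
    Question("SAMPLE-05", "PCI DSS", "Yes", "No", "critical"),
]
ALL_CATEGORIES = {"Company Information", "Privacy", "PCI DSS"}

if __name__ == "__main__":
    print(category_scores(SAMPLE, ALL_CATEGORIES))
    # Unchecking PCI DSS (the product's card-processing feature will not be used).
    print(overall_score(SAMPLE, ALL_CATEGORIES - {"PCI DSS"}))
    print(critical_only_score(SAMPLE), high_risk_questions(SAMPLE))
    reviewed = apply_overrides(SAMPLE, compliant={"SAMPLE-04": True},
                               importance={"SAMPLE-02": "critical"})
    print(category_scores(reviewed, ALL_CATEGORIES), high_risk_questions(reviewed))
```

The point the model makes visible is that the three analyst columns interact: an Importance Override to "critical" both changes a category's weighting and pulls the question into the High Risk view, while a Compliant Override changes the score without changing which questions are aggregated there. Unchecking a category removes its questions from every score, so a deal-breaker should be flagged Non-negotiable rather than hidden by a category checkbox.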

Solution providers should always complete all applicable questions, allowing institutions to decide which review is the best option.

With the inclusion of privacy questions in HECVAT 4, we have also included a separate evaluation tab for privacy analysts to ensure the proper stakeholders can provide input.

In the “Privacy Analyst Evaluation” worksheet, you will find questions that are unique to a privacy review. In the top half of the sheet, you can follow the same instructions outlined above in “Evaluating a HECVAT.”

Below the privacy-specific questions, you can find questions from other sections of the HECVAT that are also applicable to privacy. In this section, you cannot change the Compliant or Importance overrides, or add notes, but you can see what overrides and notes have been made in the Institution Evaluation sheet. If you would like to change the override or notes for those questions, you must do so on the Institution Evaluation.


Getting Started for Corporations

So, you've discovered the HECVAT. Now what? It's time to complete this comprehensive questionnaire. Watch the following video or follow the written instructions below for an overview of how to effectively complete a HECVAT.

  • Begin with the START HERE tab of the HECVAT file. Your answers to the Required questions (REQU-01 through REQU-08) will indicate which parts of the remaining worksheets apply to your product or service. You must complete all questions that apply to your solution.
  • Once you have completed the “START HERE” tab, you must also complete the “Organization” tab and any other questions that apply to your solution.
  • It’s that easy! Because the HECVAT applies to your solution instead of any specific college or university, you can share it with as many potential customers as needed without the need to make changes.
  • You DO NOT need to complete any of the tabs with an “evaluation” title. The institution will use those tabs to compare your answers to their own policies and appetite for risk.
  • If necessary, the institution can make notes and ask questions that will appear in the “Analyst Notes” column during their review, allowing you to easily add more information when requested.