HECVAT toolkit helps higher education institutions assess cloud adoption risks

Higher education institutions are increasingly adopting cloud-based solutions in order to lower costs, improve performance and productivity, and increase flexibility and scalability.


Before settling on a solution, though, they must assess it for security and privacy needs, including some that are unique to higher education.

To help them do that more expeditiously, EDUCAUSE – a US nonprofit association that aims to advance higher education through the use of information technology – has created HECVAT: the Higher Education Community Vendor Assessment Toolkit.


“The HECVAT provides a suite of questionnaires about information security and privacy controls to help higher education institutions appropriately assess third party and cloud services,” Brian Kelly, Director of the Cybersecurity Program at EDUCAUSE, told Help Net Security.

The intended audiences for the HECVAT are colleges and universities and the third-party service providers they contract with. Its benefits for the former are obvious, and for the latter, it reduces the burden that service providers face in responding to requests for unique security risk assessments from higher education institutions.

“The main benefit of the HECVAT is a consistent and shared framework for risk assessments that is being widely adopted across higher education,” Kelly pointed out. “Once completed, the HECVAT can be used by multiple institutions.”

The tool comes in various versions:

  • Full: A robust questionnaire used to assess the most critical data sharing engagements
  • Lite: A lightweight questionnaire used to expedite process
  • On-Premise: A unique questionnaire used to evaluate on-premise appliances and software

Before initiating a risk/security assessment if a product an/or service uses sensitive data, users should use the Triage tool to determine assessment requirements. All of those resources are available here.

A number of cloud providers have already completed the HECVAT questionnaire and those assessments can be accessed here.

Future plans

“The HECVAT was first released for use in October 2016. In 2019, the word ‘cloud’ was changed to ‘community’ to better reflect the spirit and intent of the toolkit and its expansion beyond the cloud,” Kelly explained.

“As adoption and use grow, the EDUCAUSE member-led Higher Education Information Security Council (HEISC), Internet 2, and the REN-ISAC will continue to collaborate and work on the HECVAT to meet the needs of the higher education community. While established amongst information security practitioners, we’ll be promoting the HECVAT’s use to university business officers, risk managers and procurement groups over the next year.”

Don't miss