Get Started
Establishing a VRM Program with the HECVAT: Complete Guide

SaltyCloud Research Team

Updated Jul 14, 2021 Read Time 12 min


The HECVAT is a cloud vendor security questionnaire that simplifies VRM for higher education institutions by streamlining the assessment of vendors’ security controls.

Vendor Risk Management (VRM) is becoming an essential part of any risk management program. However, getting a VRM program established is no easy feat. Fortunately for higher education institutions, the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) is a cloud vendor security questionnaire that enables anyone to assess vendors against a slew of security controls. Since its inception, hundreds of higher education institutions have leverage the HECVAT to jumpstart their VRM program.

In this article, we’ll discuss the HECVAT, the steps to plan a VRM program, the steps to design a VRM process, and how to ensure success.

Why the HECVAT?


The HECVAT aims to protect sensitive data by assessing third-party vendors’ cybersecurity policies and streamlining compliance across the community.

The HECVAT is a free cloud vendor security questionnaire designed to measure third-party vendor risk for higher education institutions. It ensures that third-party vendors have the relevant information, data, and cybersecurity policies in place to protect sensitive institutional data and constituents’ personally identifiable information (PII).

The goal is to make the HECVAT an acceptable standard across the higher education community. This way, vendors complete a single HECVAT that helps them align with a set of information security standards that matter to their higher education customers and saves everyone valuable resources by sharing it across institutions.

Higher Education Example #1

The University of Texas at Austin leads the charge by providing access to over 200 completed HECVATs and counting on Isora Lite for EDU, a collaborative vendor risk assessment platform for the higher education community. It’s the most extensive HECVAT database anywhere. Learn more about their approach from their session at the 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference.

Planning your VRM program with the HECVAT

So, you’ve decided: it’s time to take VRM seriously, and you want to use the HECVAT. Great! You can check that first step off your list. Next, you’ll need to take some time to understand the HECVAT, align with your internal institutional requirements, and identify relevant individuals for cross-functional collaboration.

Understand the HECVAT


The HECVAT, featuring 22 categories and 265 questions, offers three versions–Full, Lite, and On-Premise–to align with various data criticality levels and multiple security frameworks.

In its entirety, the HECVAT comprises 22 different categories and 265 questions. The HECVAT crosswalks to a series of security frameworks, including CIS Critical Security Controls, HIPAA, ISO 27002, NIST Cybersecurity Framework, NIST 800-171, PCI DSS, and more. To provide options for different data criticality categories, the HECVAT comes in three different flavors:


The HECVAT Full covers all 22 categories, including HIPAA and PCI DSS questions. In total, the questionnaire consists of 265 possible questions. It helps assess vendors handling the most critical data.


The HECVAT Lite covers 14 of the 22 total categories. It forgoes the sections reserved for more critical data like HIPAA, PCI DSS, among others. In total, the questionnaire consists of 62 possible questions. It helps expedite vendor assessments for those that aren’t handling the most critical data.

HECVAT On-Premise

The HECVAT On-Premise covers 11 of the 22 total categories. It forgoes the sections reserved for cloud solutions. In total, the questionnaire consists of 55 possible questions. It helps assess on-premise appliances and software.

You can learn more about the HECVAT and download the latest versions over at EDUCAUSE.

Leverage your data classification guidelines


Determine the appropriate HECVAT by consulting your institution’s data classification guidelines, mapping them to HECVAT types, and using examples if no guidelines exist.

Which vendors should complete which HECVAT? To best answer this question, you will need to consult your institution’s preexisting data classification guidelines. Best put by Carnegie Mellon’s Information Security Office (ISO) about their own Guidelines for Data Classification, their purpose “is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University as required by the University’s Information Security Policy.”

You will take your data classification guidelines and map them to a specific HECVAT. For example, you might require that vendors with access to HIPAA data provide a HECVAT Full. Conversely, you might require vendors with access to publicly available data not to complete a HECVAT at all.

If your institution doesn’t have data classification standards in place, we recommend using the NIST SP 800-60, Vol 1: Guide for Mapping Types of Information and Information Systems to Security Categories.

Higher education example #2

Brown University established the IT Contract and Security Review Process, which leverages their existing Data Risk Classification. It affirms what kind of assessment and documentation is required before a vendor can undergo the procurement process. After the vendor is appropriately classified, Brown University requires the vendor to either provide a FedRAMP certification, a HECVAT Full, or HECVAT Lite. For “Level 2,” they require a HECVAT Lite. For “Level 3,” they require a HECVAT Full.

Consider other documentation


Launching a VRM program with HECVAT is efficient, but mature programs also utilize multiple sources to assess vendor risks, such as vendor scorecards and third-party certifications.

The easiest way to launch your VRM program in higher education is to use the HECVAT. However, while the HECVAT is a powerful free self-assessment solution for assessing vendor risk, it shouldn’t be a means to an end. The most mature VRM programs use multiple sources of truth to assess vendor risks better. For example, they might use vendor scorecards (e.g., BitSight, Security Scorecard, etc.) and third-party certificates (e.g., SOC 2, ISO, CMMC, FedRAMP, etc.) in conjunction with self-assessments like the HECVAT.

Higher education example #3

Duke University provides a Service Provider Security Assessment to all vendors gaining access to any level of university data. The vendor can either complete a HECVAT Full or provide a SOC 2 Type II report plus a completed HECVAT Lite.

Establish acceptance criteria


Establish baseline security requirements for data by identifying non-negotiable and optional HECVAT sections, aligning with frameworks like NIST SP 800-53 or NIST SP 800-171, and creating an internal grading rubric to prioritize institutional needs.

You will need to establish some baseline security requirements for your data. Are there specific sections of the HECVAT that are non-negotiable? Are there sections of the HECVAT that are nice to have but not a priority? Suppose you’re aligning your institution with other frameworks like NIST SP 800-53 or NIST SP 800-171. In that case, certain sections of the HECVAT might already be non-negotiable. Either way, it is wise to create some internal grading rubric that will help everyone align on what’s most important for the institution and its most critical data.

Involve cross-functional teams


In the vendor procurement process, involve multiple stakeholders to ensure a comprehensive approach and effective collaboration.

A single party is seldom involved in the vendor procurement process. Who else has a stake in your VRM program? Usually, the process involves multiple teams like the requesting department, procurement team, information technology (IT) team, information security team, the leaders who sign off, and others depending on your institution. Seek to identify everyone, gain their input, and identify their role in the process.

Higher education example #4

Princeton University established the Architecture & Security Review (ASR) with a purpose to partner with campus departments, the Project & Technology Consulting Office (PATCO), and the Service Management Office (SMO), to serve as a consultative and advising body during the selection and negotiation of a proposed technology product or service. The ASR will work with the requester to create a joint mitigation strategy, consider risk and sustainability for the entire life-cycle of a service or product, and provide suggestions for successful implementation.

Leverage automation


Enhance VRM program efficiency by utilizing collaborative vendor risk assessment platforms and ticketing systems to streamline HECVAT management and communication.

Your VRM program will only be as effective as it is efficient. The reality is that most VRM programs will often rely on manual and resource-intensive processes that require complex spreadsheets and long, back-and-forth email threads. Instead, you can opt for a collaborative vendor risk assessment platform created for the higher education community like Isora Lite for EDU. It enables you to search for, conduct, and share HECVATs all on a single platform. Additionally, consider a ticketing system that can help you manage assessment requests.

Higher Education Example #5

The University of California, Berkeley Information Security Office (ISO) established the Vendor Security Assessment Service. Instead of relying on the spreadsheet version of the HECVAT, they launch a vendor assessment using the enterprise version of Isora Lite for EDU, Isora GRC, and send the vendor a survey link where they can fill out their HECVAT. Once the vendor has completed all questions in their HECVAT, the ISO Assessment team analysts automatically gain access to dashboards that provide an overall score and detailed breakdown of all questions answered.

Designing your VRM Process with the HECVAT


Design a VRM process that starts with an automated intake form and progresses through communication with the vendor, HECVAT analysis, reporting findings, and making recommendations, while continuously reassessing approved vendors to ensure data protection and compliance.

With a good understanding of the HECVAT and a list of things your VRM program will require, it’s time to design a process. The process will usually begin with a trigger and should end with a loop at the end. Here’s a step-by-step template to help guide you.

Intake the Vendor

First, you need a trigger for the process. The most efficient programs will use an automated intake form. The form’s goal is to notify the person who manages information security that they need to assess a new vendor; we’ll call them the “assessor.” The form might ask questions about the vendor, product, requester, and data classification, among other things, to give the assessor context. The form can also be connected to a ticketing system to help the assessor track it from start to finish.

Request documentation

Next, the assessor will communicate with the vendor and share the requirements based on their data classification. If a HECVAT is required, the assessor can either search for a completed HECVAT or launch a new HECVAT assessment on Isora Lite for EDU. Alternatively, the vendor can provide a completed HECVAT in its raw spreadsheet format.

Assess the vendor

Next, the assessor can analyze the completed HECVAT and other documentation. They are trying to identify any critical gaps in the vendor’s information security practices. If they’re using Isora Lite for EDU, they can also quickly compare the vendor to other vendors in the same vertical. At this point, the assessor can also use different sources of truth like security scorecards or third-party certifications to help them make the most informed decision.

Make recommendations

Then, the assessor can put together their findings into a report and internally distribute them to the relevant parties. The findings could be remarkable, barely okay, or too egregious to accept. Whichever the case, the assessor can provide recommendations on alternative vendors, or they could suggest price negotiations and conditional clauses in their contracts. In general, this stage is all about working with people to help them fulfill their mission while ensuring the institution’s critical data protection.


Finally, if and when the vendor was approved, it’s essential to keep a pin on the vendor and reassess them at a later point in time. If the vendor had findings during their initial review, the assessor could reassess them after six months. If the vendor has a successful security review but handles critical data, the assessor could reassess them every year.

Ensuring a successful VRM program


Continuous monitoring of vendors is essential for a successful VRM program, which should be established as an institutional policy, aligned with the program’s mission, and matured over time to defend against third-party supply chain attacks.

Your VRM program is here to stay. It will be your first line of defense against the growing risk of third-party supply chain attacks. If you want your program to succeed, you need to establish it as an institutional policy, keep tabs on vendors, and mature the program over time.

Keep tabs on your vendors

At the pace of today’s modern world, one-and-done assessments will not be enough. You need to ensure that there is a plan to monitor your vendors continuously. Self-assessments like the HECVAT give a great point-in-time view of the vendor but having a way to gain real-time insights will take your VRM program to the next level.

Make your VRM program institutional policy

After taking the time to put together your VRM program, your next major step will be to make it a policy at your institution. Bureaucracy can make this challenging, and that’s why you need to ensure everyone with a stake in the program aligns with the program’s mission.

Evolve your VRM program

Your VRM program, just like the rest of your information security initiatives, should be a living, breathing, and maturing entity across your institution. As your institution evolves, so should your VRM program.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple HECVAT solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline your HECVAT assessments.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

Third-party vendor security questionnaires are essential tools in any third-party security risk management program, but which is best for your organization?

This Complete Guide explores the basics and infosec compliance checklist for the GLBA Safeguards Rule in higher education.

Analyzing changes in HECVAT v3.05 for higher education infosec teams evaluating vendors. Includes text tweaks, logic shifts, and errors.

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling