July 14, 2021
Establishing a VRM Program with the HECVAT
Table of Contents
- Why the HECVAT?
- Planning your VRM Program with the HECVAT
- Designing your VRM Process with the HECVAT
- Ensuring a Successful VRM Program
- How SaltyCloud Helps
Vendor Risk Management (VRM) is becoming an essential part of any risk management program. However, establishing one is no easy feat, requiring a substantial amount of planning and effort. Fortunately for higher education institutions, the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) is a questionnaire framework designed to make VRM a lot easier. In fact, since its inception, hundreds of higher education institutions have started to adopt the HECVAT as part of their VRM program. This article will discuss the HECVAT, planning a VRM program, designing a VRM process, and ensuring success.
Why the HECVAT?
The HECVAT is a free questionnaire framework designed for higher education institutions to measure third-party vendor risk. It ensures that third-party vendors have the relevant information, data, and cybersecurity policies in place to protect sensitive institutional data and constituents’ personally identifiable information (PII). The goal is to make the HECVAT an acceptable standard across the higher education community. This way, vendors complete a single HECVAT that helps them align with a set of information security standards that matter to their higher education customers and saves everyone valuable resources by sharing it across institutions.
Higher Education Example #1
The University of Texas at Austin leads the charge by providing access to over 200 completed HECVATs and counting on Isora Lite for EDU, a collaborative vendor risk assessment platform for the higher education community. It’s the most extensive HECVAT database anywhere. Learn more about their approach from their session at the 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference.
Planning your VRM Program with the HECVAT
So, you’ve decided: it’s time to take VRM seriously, and you want to use the HECVAT. Great! You can check that first step off your list. Next, you’ll need to take some time to understand the HECVAT, align with your internal institutional requirements, and identify relevant individuals for cross-functional collaboration.
In its entirety, the HECVAT comprises 22 different categories and 265 questions. The HECVAT crosswalks to a series of security frameworks, including CIS Critical Security Controls, HIPAA, ISO 27002, NIST Cybersecurity Framework, NIST 800-171, PCI DSS, and more. To provide options for different data criticality categories, the HECVAT comes in three different flavors:
The HECVAT Full covers all 22 categories, including HIPAA and PCI DSS questions. In total, the questionnaire consists of 265 possible questions. It helps assess vendors handling the most critical data.
The HECVAT Lite covers 14 of the 22 total categories. It forgoes the sections reserved for more critical data, such as HIPAA and PCI DSS. In total, the questionnaire consists of 62 possible questions. It helps expedite vendor assessments for vendors that aren’t handling the most critical data.
The HECVAT On-Premise covers 11 of the 22 total categories. It forgoes the sections reserved for cloud solutions. In total, the questionnaire consists of 55 possible questions. It helps assess on-premise appliances and software.
You can learn more about the HECVAT and download the latest versions over at EDUCAUSE.
Which vendors should complete which HECVAT? To best answer this question, you will need to consult your institution’s preexisting data classification guidelines. As Carnegie Mellon’s Information Security Office (ISO) puts it in its own Guidelines for Data Classification, their purpose “is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University as required by the University’s Information Security Policy.” You will take your data classification guidelines and map them to a specific HECVAT. For example, you might require that vendors with access to HIPAA data provide a HECVAT Full. Conversely, you might not require vendors with access only to publicly available data to complete a HECVAT at all.
Higher Education Example #2
Brown University established the IT Contract and Security Review Process, which leverages their existing Data Risk Classification. It affirms what kind of assessment and documentation is required before a vendor can undergo the procurement process. After the vendor is appropriately classified, Brown University requires the vendor to either provide a FedRAMP certification, a HECVAT Full, or HECVAT Lite. For “Level 2,” they require a HECVAT Lite. For “Level 3,” they require a HECVAT Full.
If your institution doesn’t have data classification standards in place, we recommend using the NIST SP 800-60, Vol 1: Guide for Mapping Types of Information and Information Systems to Security Categories.
The easiest way to launch your VRM program in higher education is to use the HECVAT. However, while the HECVAT is a powerful free self-assessment solution for assessing vendor risk, it shouldn’t be the sole basis for a vendor decision. The most mature VRM programs use multiple sources of truth to assess vendor risks better. For example, they might use vendor scorecards (e.g., BitSight, Security Scorecard, etc.) and third-party certificates (e.g., SOC 2, ISO, CMMC, FedRAMP, etc.) in conjunction with self-assessments like the HECVAT.
Higher Education Example #3
Duke University provides a Service Provider Security Assessment to all vendors gaining access to any level of university data. The vendor can either complete a HECVAT Full or provide a SOC 2 Type II report plus a completed HECVAT Lite.
You will need to establish some baseline security requirements for your data. Are there specific sections of the HECVAT that are non-negotiable? Are there sections of the HECVAT that are nice to have but not a priority? Suppose you’re aligning your institution with other frameworks like NIST SP 800-53 or NIST SP 800-171. In that case, certain sections of the HECVAT might already be non-negotiable. Either way, it is wise to create some internal grading rubric that will help everyone align on what’s most important for the institution and its most critical data.
A single party is seldom involved in the vendor procurement process. Who else has a stake in your VRM program? Usually, the process involves multiple teams like the requesting department, procurement team, information technology (IT) team, information security team, the leaders who sign off, and others depending on your institution. Seek to identify everyone, gain their input, and identify their role in the process.
Higher Education Example #4
Princeton University established the Architecture & Security Review (ASR), whose purpose is to partner with campus departments, the Project & Technology Consulting Office (PATCO), and the Service Management Office (SMO) to serve as a consultative and advising body during the selection and negotiation of a proposed technology product or service. The ASR will work with the requester to create a joint mitigation strategy, consider risk and sustainability for the entire lifecycle of a service or product, and provide suggestions for successful implementation.
Your VRM program will only be as effective as it is efficient. The reality is that most VRM programs will often rely on manual and resource-intensive processes that require complex spreadsheets and long, back-and-forth email threads. Instead, you can opt for a collaborative vendor risk assessment platform created for the higher education community like Isora Lite for EDU. It enables you to search for, conduct, and share HECVATs all on a single platform. Additionally, consider a ticketing system that can help you manage assessment requests.
Higher Education Example #5
The University of California, Berkeley Information Security Office (ISO) established the Vendor Security Assessment Service. Instead of relying on the spreadsheet version of the HECVAT, they launch a vendor assessment using the enterprise version of Isora Lite for EDU, Isora GRC, and send the vendor a survey link where they can fill out their HECVAT. Once the vendor has completed all questions in their HECVAT, the ISO Assessment team analysts automatically gain access to dashboards that provide an overall score and detailed breakdown of all questions answered.
Designing your VRM Process with the HECVAT
With a good understanding of the HECVAT and a list of things your VRM program will require, it’s time to design a process. The process will usually begin with a trigger and should close with a reassessment loop. Here’s a step-by-step template to help guide you.
First, you need a trigger for the process. The most efficient programs will use an automated intake form. The form’s goal is to notify the person who manages information security that they need to assess a new vendor; we’ll call them the “assessor.” The form might ask questions about the vendor, product, requester, and data classification, among other things, to give the assessor context. The form can also be connected to a ticketing system to help the assessor track it from start to finish.
Next, the assessor will communicate with the vendor and share the requirements based on their data classification. If a HECVAT is required, the assessor can either search for a completed HECVAT or launch a new HECVAT assessment on Isora Lite for EDU. Alternatively, the vendor can provide a completed HECVAT in its raw spreadsheet format.
Next, the assessor can analyze the completed HECVAT and other documentation. They are trying to identify any critical gaps in the vendor’s information security practices. If they’re using Isora Lite for EDU, they can also quickly compare the vendor to other vendors in the same vertical. At this point, the assessor can also use different sources of truth like security scorecards or third-party certifications to help them make the most informed decision.
Next, the assessor can put together their findings into a report and internally distribute them to the relevant parties. The findings could be remarkable, barely okay, or too egregious to accept. Whichever the case, the assessor can provide recommendations on alternative vendors, or they could suggest price negotiations and conditional clauses in their contracts. In general, this stage is all about working with people to help them fulfill their mission while ensuring the institution’s critical data protection.
Finally, if and when the vendor is approved, it’s essential to keep track of the vendor and reassess them at a later point in time. If the vendor had findings during their initial review, the assessor could reassess them after six months. If the vendor has a successful security review but handles critical data, the assessor could reassess them every year.
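The following Python sketch is an added example, not code from the article or from SaltyCloud's Isora products. It ties together the internal grading rubric suggested in the planning section (non-negotiable sections versus nice-to-haves), the mapping from data classification to HECVAT flavor, and the reassessment loop that closes the process: a failed non-negotiable question blocks approval, any remaining gap puts the vendor on a six-month review cycle, and a clean review lands on an annual cycle. All question ids, section names, classification tiers, and vendor answers are constructed assumptions; the HECVAT's own scoring model is not reproduced here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed rubric (an assumption for this example, not the HECVAT's own scoring):
# question id -> (HECVAT section it belongs to, whether the institution treats it as non-negotiable)
RUBRIC: Dict[str, Tuple[str, bool]] = {
    "DATA-01": ("Data", True),                     # institutional data encrypted at rest
    "DATA-02": ("Data", True),                     # institutional data encrypted in transit
    "AUTH-01": ("Authentication", True),           # multi-factor authentication supported
    "VULN-01": ("Vulnerability Scanning", False),  # regular vulnerability scanning
    "BCP-01": ("Business Continuity", False),      # tested continuity plan
    "HIPAA-01": ("HIPAA", True),                   # HIPAA safeguards in place
}

# Sections each questionnaire flavor includes; the Lite form drops the HIPAA-style sections
# (a simplified, constructed view of the Full/Lite split described in the article).
QUESTIONNAIRE_SECTIONS = {
    "HECVAT Full": {"Data", "Authentication", "Vulnerability Scanning", "Business Continuity", "HIPAA"},
    "HECVAT Lite": {"Data", "Authentication", "Vulnerability Scanning", "Business Continuity"},
}

# Constructed classification tiers mapped to the questionnaire they require;
# public data needs no HECVAT, as in the article's example.
REQUIRED_QUESTIONNAIRE: Dict[str, Optional[str]] = {
    "public": None,
    "internal": "HECVAT Lite",
    "restricted": "HECVAT Full",
}


@dataclass
class Finding:
    question: str
    section: str
    non_negotiable: bool


@dataclass
class Assessment:
    decision: str            # "approve", "conditional" or "reject"
    score: float             # share of applicable questions answered "Yes"
    findings: List[Finding]  # every applicable question not answered "Yes"


def required_questionnaire(classification: str) -> Optional[str]:
    """Map a data classification tier to the HECVAT flavor the vendor must complete."""
    return REQUIRED_QUESTIONNAIRE[classification]


def evaluate(answers: Dict[str, str], questionnaire: str) -> Assessment:
    """Grade a completed questionnaire against the rubric.

    Answers are "Yes", "No" or "N/A" keyed by question id. Questions outside the
    questionnaire's sections are ignored; unanswered questions inside them count as gaps.
    """
    sections = QUESTIONNAIRE_SECTIONS[questionnaire]
    findings: List[Finding] = []
    applicable = passed = 0
    for qid, (section, non_negotiable) in RUBRIC.items():
        if section not in sections:
            continue
        answer = answers.get(qid, "No")  # a missing answer is treated as "No"
        if answer == "N/A":
            continue
        applicable += 1
        if answer == "Yes":
            passed += 1
        else:
            findings.append(Finding(qid, section, non_negotiable))
    score = passed / applicable if applicable else 0.0
    if any(f.non_negotiable for f in findings):
        decision = "reject"       # a non-negotiable gap blocks approval until remediated
    elif findings:
        decision = "conditional"  # approve with contract clauses / remediation plan
    else:
        decision = "approve"
    return Assessment(decision, score, findings)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1]
    return date(year, month, min(d.day, days))


def next_review(assessed_on: date, assessment: Assessment) -> Optional[date]:
    """Schedule the reassessment loop: six months with findings, otherwise annually.

    The article gives the annual cycle for vendors handling critical data; applying it
    to every clean review is this example's assumption. Rejected vendors get no date.
    """
    if assessment.decision == "reject":
        return None
    return add_months(assessed_on, 6 if assessment.findings else 12)


if __name__ == "__main__":
    # Constructed vendor response to a Full questionnaire; HIPAA-01 left unanswered.
    sample = {"DATA-01": "Yes", "DATA-02": "Yes", "AUTH-01": "No", "VULN-01": "Yes", "BCP-01": "N/A"}
    result = evaluate(sample, required_questionnaire("restricted"))
    print(result.decision, round(result.score, 2), [f.question for f in result.findings])
    print(next_review(date(2021, 7, 14), result))
```

The design choice worth noting is that an unanswered in-scope question counts as a gap rather than being skipped: a vendor that quietly leaves a section blank should surface in the findings list, not in a slightly higher score.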
Ensuring a Successful VRM Program
Your VRM program is here to stay. It will be your first line of defense against the growing risk of third-party supply chain attacks. If you want your program to succeed, you need to establish it as an institutional policy, keep tabs on vendors, and mature the program over time.
At the pace of today’s modern world, one-and-done assessments will not be enough. You need to ensure that there is a plan to monitor your vendors continuously. Self-assessments like the HECVAT give a great point-in-time view of the vendor, but having a way to gain real-time insights will take your VRM program to the next level.
After taking the time to put together your VRM program, your next major step will be to make it a policy at your institution. Bureaucracy can make this challenging, and that’s why you need to ensure everyone with a stake in the program aligns with the program’s mission.
How SaltyCloud Helps
SaltyCloud provides Isora GRC, the platform that makes it easier to conduct governance, risk, and compliance (GRC) assessments. For the higher education community, SaltyCloud provides Isora Lite for EDU, a free vendor risk assessment platform that lets members search, conduct, and share HECVATs in a single place. Today the platform hosts 250+ institutions, 500+ members, and 250+ completed HECVATs.