HECVAT: Building a VRM Process in Higher Ed

Today, every higher education institution has to work with third-party vendors to achieve its business objectives. Thus, an established Vendor Risk Management (VRM) process is becoming an increasingly important part of any risk management framework.

As a member of the security, risk, information technology, or procurement team, it is imperative that you evaluate the risks a new third-party vendor solution introduces before it is purchased and implemented. Does the vendor have the information, data, and cyber security policies in place to protect your sensitive institutional information and personally identifiable information (PII) of your constituents?

In an effort to help higher education institutions establish their VRM process, the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC, created the Higher Education Community Vendor Assessment Tool (HECVAT). The HECVAT is a questionnaire framework specifically designed for higher education that generalizes information security and data protection questions regarding cloud and on-premise services. The group also provides a condensed version named HECVAT Lite, an on-premise version, and a triage tool to help you identify which assessment you should undertake.

In this article, we will discuss the steps you need to take to successfully establish a VRM process that leverages the HECVAT.

Establishing a VRM Process

Every higher education institution is different. Whether you’re a small college or a large research university, your process will take into consideration the distinct facets and policies of your organization.

Organize yourself.

Identify individuals across your organization who have a stake in the risk of a new vendor solution. Beyond your security and information technology teams, is there a procurement or compliance team? Optimally, individuals from across your organization will come together to work towards identifying risk and ensuring the security and integrity of the institution’s information. However, designating at least one individual, especially at smaller institutions, would be acceptable as well.

Institute guidelines.

As a team or individually, get acquainted with the HECVAT, its sections, and its questions. Depending on your institution’s data classification levels, does every new vendor need to be assessed the same way? You may realize that not every section of the HECVAT is appropriate for all engagements, or even necessary in some cases.

CalPoly HECVAT Policy

At California Polytechnic State University (CalPoly), the Information Security team has done a great job of identifying what sections of the HECVAT are most important for their various data classification levels.

You must also identify when a HECVAT should be evaluated, and how often it should be reevaluated. Generally, a HECVAT should be evaluated during the RFP process to ensure the service or product aligns with your institution’s policies and a contract can hold your vendor accountable for any discrepancies. Subsequently, the HECVAT should be reevaluated on a yearly basis, during contract renewals, or when the scope of the partnership changes.

Princeton ASR

At Princeton University, the Information Security Team has instituted the Architecture & Security Review (ASR). Its purpose “is to partner with campus departments to discuss a proposed hosted or on-premise service or product.” They propose having a conversation early in the selection process to “optimize the service or product’s compatibility with the University’s information technology and security principles.”

The ASR process evaluates a HECVAT after the RFP process and before a contract is actually signed. Then, through the course of the partnership, the ASR continues to review updated HECVATs as well as other vendor risk assessments such as the SOC 2.

Streamline your workflow.

Once a team is designated and guidelines are in order, you can start requesting HECVAT spreadsheets from your vendors. Although initially this process is manageable, over time, keeping track of your vendor network and their specific HECVAT spreadsheets will become a tedious job. Instead, you can use a purpose-built VRM tool to efficiently manage vendors and HECVATs without spreadsheets.

Isora Lite

Isora GRC is a lightweight tool for conducting questionnaire-based risk assessments across federated environments. For higher education institutions, we offer Isora Lite, a free version that lets you conduct HECVAT vendor risk assessments while collaborating with a growing higher ed community (over 180 institutions across the US, Canada, Australia, and the UK). It leverages InCommon Federation SSO so institutions can authenticate directly without needing to sign up.


An established VRM process is becoming an increasingly important part of any risk management framework. The HECVAT, created specifically for the needs of higher education institutions, is a great standard for measuring vendor risk. Getting a VRM process going can be daunting but only takes a bit of planning and diligence. Then, using a tool like Isora Lite, you can easily standardize and streamline your VRM workflow.