Using the HECVAT to Measure Vendor Risk

2 min read
September 8, 2022 at 1:00 PM

Not a day goes by without a conversation about third-party risk management. Our clients are being bombarded in all directions; asked by regulators, auditors, their clients, and customers alike to complete third-party risk assessments (SIG, CAIQ, HECVAT). All third-party risk assessments attempt to quantify the risk associated with a third-party vendor that will be providing a product or service to your organization.

There are a few areas fueling the third-party risk assessment craze. Regulators are now requiring an organization to assess and acknowledge the additional risk of doing business with outsourced third parties. The FDIC FIL 44-2008 and OCC Bulletin 2013-29 resources can help you navigate the regulatory risk assessment process. A third-party risk assessment serves to mature your awareness and monitors risk more thoroughly. It is a best practice, helping you (your organization) identify potentially unwanted risks. There are several “standards” when we think about third-party risk assessments.

A simple Google search illustrates there are many third-party risk assessments, management platforms, and vendors in the space today. One that has graduated from its college and university roots is the Higher Education Community Vendor Assessment Toolkit (HECVAT). The HECVAT is a self-assessment questionnaire framework designed for institutions of higher education to measure vendor risk. Now in its sixth year, the HECVAT is a collaboration between EDUCAUSE, REN-ISAC, and Internet 2 and their member community. HECVAT has become the standard questionnaire for evaluating third-party risk in higher education. HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework. Over 150 colleges and universities now require it as part of their procurement process, with major ed-tech vendors and solution providers having already completed it. The HECVAT provides a standard questionnaire that solution providers can complete confirming that information, data, and cybersecurity policies are in place to protect sensitive institutional information. Once completed, assessments can be shared to the Community Broker Index (CBI) and used by multiple institutions to streamline procurement processes for both parties.

While the HECVAT is a self-assessment questionnaire framework, it can be a daunting task for higher education institutions and vendors who have not gone through this process in the past. Compass IT Compliance’s industry leading team of Cybersecurity Practitioners are available to assist organizations in the following HECVAT areas:

With over a decade of experience assisting higher education institutions and vendors in IT security and compliance initiatives, Compass IT Compliance has the resources and industry experts to help your organization identify and mitigate risks. Contact us today to discuss your unique HECVAT challenges and concerns!

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think