Higher education has increasingly been attracting the attention of cybercriminals. In March, the FBI released an advisory in response to a barrage of ransomware attacks on schools, and Inside Higher Education recently reported that colleges and universities are becoming favorite victims of bad actors.
It’s not just colleges themselves that are being targeted; their vendors and third parties are being attacked in the hopes of compromising an institution’s data. Just last year, several colleges and universities suffered a ransomware attack through a third-party cloud storage provider.
Because the procurement process at colleges and universities can be inconsistent, and because many institutions don’t have a deep understanding of risk and cybersecurity, a group of higher education information security and privacy professionals developed a tool to help colleges and universities measure vendor risk: the HECVAT.
What is the HECVAT?
The HECVAT, or Higher Education Community Vendor Assessment Tool, is a questionnaire framework designed to help institutions of higher education measure their vendor risk. HECVAT was developed by EDUCAUSE’s Higher Education Information Security Council (HEISC), a team devoted to security, data governance, and compliance in higher education.
Several free tools within HECVAT are updated periodically by HEISC, including best practices, questionnaires, and required security controls.
Currently, available HECVAT tools include:
- HECVAT, Triage: A questionnaire that is used to initiate risk and security assessment requests
- HECVAT, Full: A 265-question framework, including questions for HIPAA and PCI-DSS opt-in
- HECVAT, Lite: A lightweight questionnaire used to expedite the vendor onboarding process
- HECVAT, On-Premise: A unique questionnaire used to evaluate on-premise appliances and software
Currently, more than 100 colleges and universities use HECVAT to assess third-party risk, according to EDUCAUSE.
Why is HECVAT important?
While many industries embrace cybersecurity, institutions of higher education can have trouble with security and cyber hygiene. The reasons for this may be organizational — some departments or groups may purchase software on their own rather than through a central IT department, and often individual professors or instructors may even invest in their own solutions, unwilling to go through a lengthy purchasing and acquisition process.
On top of that, colleges and universities have less of a free hand when cracking down on shadow IT or unauthorized vendors. In many cases, colleges want to give their students and professors as much freedom as possible.
Financial concerns also mean that colleges are outsourcing many of their technology needs to third parties; cloud storage providers, learning management systems, and the host of other solutions that were rapidly deployed in the last year to facilitate online learning are all provided by vendors, many of whom may not have been properly vetted.
Unfortunately, higher education draws criminal attention because it is a treasure trove of valuable information. Colleges and universities store student PII, research conducted by scholars and scientists, financial information, and in the case of teaching hospitals, patient information. Without a proper framework for assessing risk, there’s a huge capacity for a data breach.
The HECVAT makes a vendor assessment framework available to any school that wants access, giving higher education the tools to assess risk.
Is HECVAT all a school needs to assess vendor risk?
The HECVAT is an amazing tool and works as a starting point, but it should not comprise a school’s entire vendor risk management program. Because the HECVAT is a questionnaire, it only captures a snapshot of a vendor’s security controls, and a school should know the moment a vendor becomes a risk.
That’s where security scores come in. Security ratings are an easy way to continuously monitor risk and compliance. SecurityScorecard’s security ratings platform ingests publicly available information from the internet across ten groups of risk factors, including IP reputation, DNS health, patching cadence, web application security, network security, endpoint security, leaked credentials, hacker chatter, and social engineering.
Our easy-to-read A-F rating system will help security leaders make quick, informed decisions about vendor security, and because we update our scores in real time, your institution can establish a culture of security and compliance. College and university decision-makers can communicate better with IT and vendors using the shared SecurityScorecard ratings language to make better-informed decisions.

