HECVAT – What It Is and Why It Matters
What is HECVAT – and how does it matter to your business? If you’re working with higher education, or if the university market is part of your growth strategy, it could matter quite a bit. Here’s what you need to know:
What is HECVAT?
HECVAT started as the Higher Education Cloud Vendor Assessment Tool, and has evolved into the Higher Education Community Vendor Assessment Toolkit, as the university market has collaborated and established a standardized process for vendor assessment. Like a SOC report, it’s a way of performing vendor management.
It started out as a giant list of questions – mostly about security – and has grown into a full-fledged toolkit that also includes:
- HECVAT “Lite” – a shorter list of questions
- A triage tool – to help you determine what applies to your specific circumstance
- An FAQ
- A HECVAT support website
- A list of HECVAT vendors shared among all organizations
What’s the role of EDUCAUSE?
EDUCAUSE is the creator and owner of the HECVAT framework. EDUCAUSE is an association of IT professionals who work at universities. It offers its own training, annual conferences (including a cybersecurity conference), and toolkits and tools on its website. Like any like-minded group of professionals, when they get together they get excited about what they are working on, and it makes a lot of sense for them to support each other and learn from other universities.
How does HECVAT overlap with SOC 2 reports?
HECVAT and SOC 2 reports are similar to many frameworks we work with, such as NIST, ISO, and HITRUST. They cover many of the same questions about security, encryption, and backups, though HECVAT is focused mostly on the higher education community. HECVAT is self-aware enough to reference a SOC report and ask the vendor whether they have completed one. And much like the type 1 / type 2 distinction we have in the SOC world, it has a light version and a full version.
How common are SOC 2-Plus reports?
SOC 2-Plus reports are growing in popularity. They make a lot of sense with the "audit once, report many" model. If more than the SOC criteria is needed, such as the HITRUST, NIST, or ISO standards, and an organization is already following those, it can get more points, credit, or efficiency by covering them at the same time, even if the additional framework is HECVAT. HECVAT can be mapped to the SOC report criteria and included, so the organization gets credit for having a third party audit it. There is a "double-dip" component of getting 2X the reports for a small increment in time and energy.
Have questions on any of the above? Need help working through the HECVAT or SOC 2? Or do you have other questions or issues? Contact us – we’re here to help!