A new Educause program is designed to help the group’s member institutions evaluate the cybersecurity risks of their IT vendors by providing accessible reviews of the vendors’ products.
The new vendor risk assessment program, which will be made available over the course of this month to the roughly 1,600 colleges and universities that belong to Educause, will include a centralized hub where member schools can access analyses of the questionnaires that the organization asks edtech providers to fill out. Educause has since 2015 asked education technology vendors to voluntarily complete Higher Education Community Vendor Assessment Toolkit — or HECVAT — forms to describe how they handle data, authenticate users and manage other risks.
But previously, those forms, typically composed of technical language, could only be analyzed by schools themselves. Brian Kelly, the director of Educause’s cybersecurity program and a former chief information security officer at Quinnipiac University, said the organization knew of only about 150 member colleges and universities where on-staff information security analysts are sifting through the HECVAT responses. (Though he said the actual number could be far higher, as those analyses are reported voluntarily.)
The new vendor assessment program, he told EdScoop, will be managed by GreyCastle Security, a risk management firm that will provide written analyses of vendors’ HECVAT questionnaires and determine whether products pose low, medium or high risks to a college’s network security. A hypothetical vendor that aggregates financial records and personal data and makes them available to a large number of users, according to a presentation Educause made to its vendor community last week, might pose a “high” risk.
The program offers benefits to both the schools and tech companies, Kelly said.
“It’s a value proposition that’ll both help our vendors ease their access into higher ed,” he said. “It’s putting standardized questionnaires in one place and helping our member institutions look at these vendor risk assessments and have a quick way to digest them.”
Kelly said Educause’s vendor assessment program is in the same spirit as the Federal Risk and Authorization Management Program, or FedRAMP, the U.S. government’s assessment rubric for cloud services, and the recently launched StateRAMP, a consortium of tech officials and industry representatives attempting to do the same for state and local government tech acquisitions.
“Maybe we should’ve called it EdRAMP,” Kelly said. “The intent of the program is to add value to our Educause members to assess the risk of the vendors we’re all reliant on.”
Kelly said that “by and large,” edtech vendors have been doing a good job managing security risks, though he said that during the COVID-19 pandemic, many colleges and universities might have become more liberal in making tech purchases as they responded to the needs of online learning. But with standardized assessments that are available to all Educause members, Kelly said, vendors can show higher education institutions that “they’ve done their homework.”