Effort to streamline and share IT security reviews gains traction in higher ed

HECVAT is less popular with vendors than it is with college and universities, but the vendors are coming around, Baylor CISO says.
EdScoop Feature Image

Jon Allen has just one regret about HECVAT, the tool he helped create to crowdsource IT security assessments.

“We should have had a marketing person involved,” he said, laughing, in an interview with EdScoop. “’HECVAT’ is not exactly catchy.”

Allen, the chief information security officer for Baylor University, said HECVAT — short for the Higher Education Cloud Vendor Assessment Tool — is beginning to get some recognition among colleges and universities as a useful way to streamline security assessments of cloud services.

“We’re finding a lot of schools are completing HECVAT,” he said. “There are a lot of schools using it — they just never circled back to tell us.”


But since it was published in October 2016, the HECVAT has encountered some resistance from the vendor community, though Allen thinks that may finally be fading a little.

As with most ideas, HECVAT was born out of Allen’s own work problems. He realized his team was spending 30 percent of its time just conducting IT security reviews of new or potential software for his school. His next revelation was that his experience at Baylor was pretty similar to that of his peers at other higher ed institutions. Given that colleges and universities already collaborate on many other topics, it seemed reasonable that this was another area where joining forces could be a big help. EDUCAUSE’s Higher Education Information Security Council created the Shared Assessments Working Group to make it real.

There are several possible explanations for vendor resistance, Allen said — the time commitment in completing the questionnaire, concerns about who will have access to it, and/or negotiating around the terms of standard nondisclosure agreements (NDAs), for instance. What he hears frequently is, “’All I’m trying to do is sell this cloud service with specialized functions for your university and you want me to fill out a 250-question questionnaire?’”

But these vendors spend a lot of time answering similar questions over and over from different institutions. Allen believes they will come to see the value in having a definitive set of answers about the security of their cloud solutions.

“Here’s an ability for you to be transparent in a very efficient way,” he said, giving them the time to concentrate on addressing their customers’ unique and customized requirements rather than continuing to review fundamentals.


Take your pick

EDUCAUSE is hosting both HECVAT and HECVAT Light, which Allen describes as a subset of the larger questionnaire that doesn’t require confidential data. “It actually maps to the same question set,” he said. “If you suddenly realize you need confidential data, you can incorporate the HECVAT Light answers into” the longer questionnaire.

The Research & Education Networking Information Sharing & Analysis Center (REN-ISAC) also hosts HECVAT and HECVAT Light, as well as its Cloud Broker Index (CBI), a list of vendors willing to share their surveys. To help address vendor concerns, REN-ISAC gives vendors the option to choose how the HECVAT survey is hosted — two public methods, one semi-public and one private.

“Vendors may have projects that change so quickly,” said Joanna Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. “If they’re filling out HECVAT in January and the project changes in July, [they ask], ‘How am I, as a vendor, controlling what’s in HECVAT? And if it’s shared, how can I make sure it’s shared accurately?’”

The first company that is participating in HECVAT is Box, a cloud content management and file sharing service based in Redwood City, California.


Andrew Keating, managing director of education and health care for Box, told EdScoop in an email that higher education institutions are facing an explosion of data to manage, as well as new security threats and increased compliance requirements, even though their security and IT teams are more resource-limited than ever.

“We’re continually looking for ways to help the higher ed community engage constructively with security and compliance requirements, as well as optimize their deployment of enterprise cloud services, so participating in the HECVAT initiative was a no-brainer for Box,” Keating wrote.

He described HECVAT as “a powerful statement and summary of the community’s collective consensus on important needs and priorities when assessing an enterprise cloud service. [What] we learned most of all was that the community can come together and build a common assessment framework.”

Finding a home in RFPs?

Despite vendors’ initial reluctance, Grama, who serves on the working group with Allen, said EDUCAUSE is hearing from many of its college and university members that they’re adopting HECVAT and including it in their vendor contract requirements.


Allen has been noticing something similar. “I’m starting to hear there are conversations at state-level purchasing groups,” he said. “They’re starting to get interested in standardizing some of their questions, [perhaps] their RFPs will include HECVAT.”

“At Baylor, we have a standard services addendum” that includes HECVAT, he said. “It puts me on the offensive in the contract conversation … It doesn’t mean the vendor doesn’t mean well, [but] we want to make sure we have a very standard approach and expectations are known. I’ve talked to some vendors who say, ‘School XYZ is using our product and they never asked these questions. How dare you?’”

Box, on the other hand, has been trying to raise awareness in the higher ed community about HECVAT, “especially smaller colleges and universities that could really benefit from it,” Keating wrote. “Over time I think we’ll see more campuses proactively asking for it and expecting the enterprise cloud services they deploy to have a completed (and regularly updated) HECVAT, which will be a very positive development for the community.”

Beyond security

Now that HECVAT and its offspring HECVAT Light and the CBI are up and running, both Allen and Grama see broader applicability.


Grama said the working group has been asked to expand the questions about privacy policies and other topics. “If you had a stable of procurement tools, HECVAT for security, another for privacy, another for accessibility, another for infrastructure,” that would be very useful, she said. “It just requires a larger, much more coordinated approach.”

Keating, too, said the HECVAT initiative could open the door for “additional areas related to enterprise cloud services where they can deploy the same model and benefit from collective, coordinated, community-level activities.”

Which could be a challenge. “I think we underestimated the amount of effort it would take to maintain it, [or] the tremendous obstacles to sharing,” Grama said. She pointed to vendors’ existing NDAs as one example; another would be when a vendor sales representative completes the survey but doesn’t have the authority in the company to do so. And institutions may be governed by state open records laws that force them to share — or not share — particular kinds of data.

The HEVCAT initiative could have application to K-12 schools, said Allen, who will be speaking about these and other higher ed security and privacy issues during an EdScoop-moderated panel at SXSW EDU in Austin, Texas, March 6. (Click here for details.)

“The SXSW event will be one of the first [times] where a number of folks from K-12 will hear about HECVAT,” Allen said. “They don’t have the pull with the vendors … Waco [Independent School District] is probably not going to be able to convince a vendor to change its terms to comply with FERPA.” Using the standardized survey will help K-12 systems find vendors that are in compliance, he said, and help shift some of the power back to the customer side of the equation.


Reach the reporter at and follow her on Twitter @WaitPatience and @edscoop_news.

Latest Podcasts