It’s been four years since the creation of the Higher Education Community Vendor Assessment Toolkit. Now, as the resource enters its fifth phase, one of its cheerleaders is expecting 2020 to be all about raising awareness about the kit itself.
Created in 2016 by the Higher Education Information Security Council Shared Assessments Working Group, the HECVAT is used to evaluate the cybersecurity capabilities of technology products and provides each a letter grade based on factors such as application security, policies and systems management.
Brian Kelly, cybersecurity director at Educause, told EdScoop that as the working group pivots the toolkit into 2020, the main goal will be to gain greater awareness across the higher education community.
“ is going to be very focused on the business development part,” Kelly told EdScoop. “The tool doesn’t need a lot of development anymore — the questions are solid. We’re not refining how it works. This phase will really be more of an evangelism stage and marketing.”
Currently, the toolkit is in use at more than 80 higher education institutions, has input from more than 150 individuals and has certified more than 25 service providers, including big players like Google Cloud.
The main selling point of the toolkit, Kelly said, is its potential to streamline an institution’s procurement process, which can be lengthy and cumbersome in higher education.
The toolkit's creators are deeply familiar with that process. The working group is chartered by Educause and operates based on input and governance from higher ed staff, the research and education advanced technology association Internet2 and the Research and Education Networks Information Sharing and Analysis Center, REN-ISAC.
“The HECVAT is really a shining example of providing value, instead of security being viewed as something that adds friction in an environment,” Kelly said. “Where Educause is focused on things like student success and sustainable funding [for higher education CIOs], positioning security to enable those is really important.”
When institutions want to engage with a vendor, a huge part of the evaluation process is complete if that vendor has already finished an assessment like the HECVAT, Kelly said.
“What it really does is that if your institution is going to engage with a corporate vendor, whether that third party is doing a cloud service or something on-prem in your data center, you are going to want to get assurances from that vendor that they’ve done these security controls,” Kelly said. “It increases the access of that vendor to higher ed institutions and it streamlines that procurement process.”
Phase four of the project wrapped up at Educause’s annual conference in October, adding two new tools, including one for on-premises appliances and software, as well as a “triage” version used to initiate risk and security assessments.
Between 2016 and 2018, the toolkit served solely as an assessment tool for cloud-based products, but the working group received feedback that some users wanted the opportunity to evaluate products that were running on-premises.
When the tool was first developed in 2016, Baylor University CISO Jon Allen — the chair of the working group and the tool’s original creator — told EdScoop his goal was to empower “higher ed to get the security requirements that we need as a coalition,” and to provide vendors “a better way of doing business than we’ve been doing these last few years.”
Kelly — who before Educause worked as CISO at Quinnipiac University in Connecticut — said he was thrilled with the adoption of the tool and was particularly proud of leaders like Allen who have worked on it since its inception.
“The adoption has been phenomenal,” Kelly said. “It’s a working group of people who have full-time jobs, but they put so much time into it because they recognize and hear the feedback. The collaboration is so valued. You tend to be more engaged and put that extra effort into things that you know are worthwhile and you provide something back to the community.”