Coming in January: HECVAT 4

The Higher Education Community Vendor Assessment team is launching HECVAT 4 in January 2025. The updated toolkit will include questions about privacy and artificial intelligence.

The Higher Education Community Vendor Assessment Toolkit (HECVAT) team is planning to launch HECVAT 4 in January 2025. The planned launch will coincide with Data Privacy Week. Spoiler alert: HECVAT 4 will include privacy and artificial intelligence (AI) questions!

After HECVAT 3 launched in 2021, members of the community told us that including privacy-related questions in the HECVAT will help streamline their engagement with service providers. It will also make it easier to combine cybersecurity, privacy, IT accessibility, and identity in one process!

HECVAT Updates

Here's a summary of our activities over the last three years.

The HECVAT core team has been busy working on minor updates to the tools and a sustainability plan. We surveyed multiple community groups, held a focus group, and provided incremental updates at community events. Results from the surveys and focus group underscored how important the HECVAT is for the community; the results also revealed that we need to improve HECVAT documentation. (More details on the survey results can be found in our Cybersecurity and Privacy Professionals Conference presentations from 2023 and 2024.) Between 2019 and 2023, there were over 41,000 downloads of the toolkit, including over 10,000 downloads of version 3.04 in July and August 2023! This has driven conversations on how to sustain HECVAT into the future.

We welcomed Claire Rosati from Niagara College in Canada to the HECVAT core team to help drive documentation improvements. Charlie Escue worked with Trusted CI on mapping the HECVAT to the Trusted CI Framework. More than 180 campuses are using the HECVAT. Let us know if you want us to add you to the list! As we continue to evolve the HECVAT, campuses are expanding from just security reviews to comprehensive third-party risk management (TPRM), with community groups getting spun up where we can work on the promising practices and improvements identified in the TPRM QuickPoll (EDUCAUSE, Internet2, and URMIA [University Risk Management and Insurance Association] collaborated on the QuickPoll).[1]

What to Expect in HECVAT 4

The most exciting news is our plan to make major updates to the HECVAT to incorporate privacy and improve coverage of AI. We've even done some internal testing using generative AI (GenAI) to compare HECVATs from different years from the same service provider to help monitor changes in the service provider over time based on your campus review requirements. Using GenAI holds promise in reducing the effort needed for these reviews. The privacy questions were developed by a higher education privacy working group, and the HECVAT core team is working on how to incorporate them since some are subjective and may be difficult to score. So, we may have some significant "architectural changes" (if you can use that term for an Excel spreadsheet) coming to the HECVAT, where all three tools (HECVAT Lite, Full, and On-prem) are merged into one tool. We're also identifying potentially redundant or overlapping questions among the three tools, which could lead to some simplification. We'll publish an update and send an announcement to the HECVAT Users Community Group in early 2025 when the new release is published.

HECVAT 3.06 was published in April. This version included minor updates to version three. Details are included in the change log worksheet in each tool. We will continue to publish minor updates as needed until HECVAT 4 is released. When HECVAT 4 is published, we'll include a migration document as we have done with previous updates. Once HECVAT 4 is published, we'll focus all future efforts on that version. We'll need your help as we move to the new version, particularly with reaching out to service providers to get them to migrate to it.

Documentation Working Group

We heard loud and clear that we must improve our documentation. We have a working group of campuses and a service provider working on new documentation for HECVAT 4. The documentation is being developed for three personas: evaluator, service provider, and campus community member. The working group identified these three audiences as the main people completing or reviewing HECVATs; therefore, these groups have the highest priority for documentation. Some of the documentation requested by the community consists of more general TPRM-related questions, such as those highlighted in the TPRM QuickPoll results article. TPRM documentation may be developed in a separate NET+ TPRM campus workgroup.

More About the HECVAT

We are hosting a workshop at this year's EDUCAUSE Annual Conference. The workshop will be held October 21 at 8:00 a.m. We're also giving a presentation on October 22 at 3:00 p.m. to help train more people on the HECVAT, share updates, and get feedback. We hope to see you there! If you can't make it, we still want your feedback! Contact us at [email protected] or via the HECVAT Users Community Group, where you can also engage with your peers.

Acknowledgments

Many thanks to the HECVAT core team members who contribute so much time to maintaining and improving the HECVAT.

Jon Allen, Baylor University

Josh Callahan, California State University

Charlie Escue, Indiana University

Claire Rosati, Niagara College

Representatives from EDUCAUSE, Internet2, and the REN-ISAC

Nichole Arbino, EDUCAUSE

Nick Lewis, Internet2

Anthony Newman, REN-ISAC

Note

  1. EDUCAUSE, "7 Things You Should Know About Third-Party Risk Management," EDUCAUSE Review, March 21, 2024; Nicole Muscanell, "EDUCAUSE QuickPoll Results: Third-Party Risk Management Practices in Higher Education," EDUCAUSE Review, August 12, 2024.

Nick Lewis is Program Manager, NET+ Cloud Services, Security and Identity, at Internet2.

© 2024 Nick Lewis. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.