HECVAT and the Crazy Brilliant Idea

Phase II of the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) project came to a close in late 2017. Among many accomplishments in 2017, the Phase II project team completed the following

• A full review of the HECVAT (and HECVAT lite) that included revised questions and more mappings to the industry standards that we all know and love
• Eight presentations at higher ed conferences and other events to get the word out about the HECVAT
• The Advantiv [http://www.advantiv.com/hecvat/] adoption of the HECVAT

Our most thrilling accomplishment, however, was starting to think about how to share completed HECVATs among higher education institutions. While this sharing notion has been a goal of the HECVAT since its inception in 2016, it also remains the hardest part of the project to tackle. While the benefits of sharing are obvious for higher education institutions, creating a sharing infrastructure in which service providers want to participate and in which they maintain control of their HECVAT responses has been hard to navigate. Enter 2017's Crazy Brilliant Idea.

Known as the Cloud Broker Index (or CBI), this resource provides an up-to-date index of participating vendors, with links to their completed assessments. If a vendor is already listed in the CBI, security assessors at colleges and universities can use the posted assessment, saving time for both security assessors and service providers. Vendors participate in the CBI on a voluntary basis, and there are four modes of participation:

1. Public Option #1: The vendor's completed HECVAT is hosted in the CBI and is freely available via a URL shared in the CBI.
2. Public Option #2: The vendor's completed HECVAT is hosted on the vendor's website and is freely available via a URL shared in the CBI. (Box is the first vendor to share its completed HECVAT in this way.)
3. Semi-Public Option: The vendor's completed HECVAT is hosted on the vendor's website behind a paywall, and a URL to the resource is shared in the CBI. Institutions may have to provide the vendor with contact information for lead generation to access the HECVAT.
4. Private Option: The vendor is interested in sharing its HECVAT results privately; the vendor's name/product is listed in the CBI, and instructions on how to contact the vendor to request a completed HECVAT are included in the CBI.

Under all of the CBI modes of participation, the participating vendor is responsible for maintaining the accuracy of HECVAT responses to the best of its ability. CBI administrators will send periodic reminders to participating vendors, but it is the responsibility of the vendor to review the posted version for accuracy. In 2018, we will focus on increasing the number of vendors willing to list completed HECVATs in the Cloud Broker Index. We think that building the list of vendors listed in the CBI will help institutions streamline procurement processes. Vendors interested in participating in the CBI can email [email protected] to get started.

The CBI is our first step toward achieving the interinstitutional sharing that we initially envisioned with the HECVAT project. In addition to promoting the Cloud Broker Index and HECVAT in 2018, we also plan to showcase institutional and vendor HECVAT use cases, institute versioning control, and outline future HECVAT improvements. For example, we would like to enhance the tool so that a summary of responses is prepared upon the completion of the HECVAT. This summary would help institutions quickly identify potentially concerning vendor responses.

Finally, we are always looking for feedback pertaining to the HECVAT. Feel free to send us comments anytime at [email protected].

---

Jon Allen is Assistant Vice President and Chief Information Security Officer at Baylor University.

Joanna Lyn Grama is the Director of Cybersecurity and IT GRC Programs at EDUCAUSE.

Nick Lewis is the Program Manager of Security and Identity at Internet2.

Kim Milford is the Executive Director of REN-ISAC.