HECVAT 2020 and Beyond


The Higher Education Community Vendor Assessment Toolkit (HECVAT) core group will be hosting a special online session to get feedback, explain how HECVAT can help address the higher education community's cloud security assessment needs, assist universities with measuring vendor risk, and help protect sensitive data.


It has been almost seven months (using the normal measurement of time) since the last blog post from the Higher Education Community Vendor Assessment Toolkit (HECVAT) core team. So much has changed since our last blog post. Usually, by this time of year, the HECVAT core team has sent out a call for volunteers to the community to work on the next major HECVAT update and has engaged with as many campuses as possible at the Security Professionals Conference for feedback and direction. This year, we're handling it a little differently because we know everyone is already stretched thin trying to keep their campuses running. With all that being said, campuses continue to contact the HECVAT core team about future developments, showing a level of engagement that gives me hope for the future!

Updates around HECVAT

Probably the most important update is that HECVAT is now an official EDUCAUSE Higher Education Information Security Council (HEISC) community group. Jon Allen, associate vice president CIO and CISO at Baylor University, and Charlie Escue, extended information security manager at Indiana University, are co-chairs of the community group. This adds the group to the HEISC Advisory Committee to participate in the overall governance of the HEISC and give the HEISC more visibility into HECVAT. As part of formalizing HECVAT, we have launched a new HECVAT users community group email list. Community members can subscribe to the list and use it to discuss HECVAT topics.

Since the last update, EDUCAUSE has made a major update to the HECVAT website, making it easier to use and find information. Based on feedback from the community that it was difficult to find information on HECVAT and how to use it, this website update is the first step toward making it easier to find information on HECVAT. If there's additional information or documentation that would be helpful for your institution to start or continue using HECVAT, please let us know. Josh Callahan from Humboldt State University, Charlie Escue from Indiana University, Daphne Ireland from Princeton University, and Shana Sumpter from the University of Richmond gave an on-demand presentation at the virtual 2020 Security Professionals Conference about how their campuses are using HECVAT. 

The list of organizations using HECVAT continues to grow as more campuses and corporate partners learn about this resource developed by and for the higher education community. Currently, over one hundred colleges and universities in the United States and Canada are using HECVAT, forty-two service providers are publishing completed HECVATs in the Cloud Broker Index, and eight service providers are including HECVAT in their products!

Call for feedback

Join the HECVAT core team for a special I2 Online HECVAT 2020 and Beyond session on October 21, 2020, at 2 p.m. ET, where we will share the latest HECVAT updates. The updates address the higher education community's cloud security assessment needs and assist universities with measuring vendor risk. A facilitated discussion will follow, with opportunities to share feedback. As part of your registration, please submit questions that you would like to be addressed during the virtual event.

The HECVAT core team usually issues a call for feedback and development topics every year, but this year will be a little different for obvious reasons. HECVAT has continued to mature over the last few years, and we want your feedback on how HECVAT is working and how it might better support your needs. Rather than issuing a major call for volunteers to assist with suggestions, this year, we're planning to create small focus groups to work on specific deliverables or topics.

Future Plans

Our future plans are less defined than normal. We're going to do minor maintenance releases for 2020, keeping with our previous development cycles, but there are no major updates planned for HECVAT. We continue to get questions from the community about how to handle IT accessibility and privacy with HECVAT, which we don't have a good answer for yet. We have focused HECVAT on security controls, and we understand that many in the security community are including cloud privacy and IT accessibility compliance in their job responsibilities. We're going to coordinate with the Cloud Scorecard Working Group and may need to develop some additional community resources that put all of these pieces together. The Cloud Scorecard Working Group discussed some ideas on a community call in August.

We may be getting a group together to discuss how HECVAT can work with existing privacy assessment questionnaires or Voluntary Product Accessibility Templates (VPATs) to see if additional guidance, documentation, or community resources would help the community or if something new needs to be developed. If you're interested in working on this, please reach out to us and let us know.

We will also take the feedback we receive during the October 21 community call/virtual event to help provide direction for the next steps for the working group.

Closing

While the last seven months have been less active for the HECVAT team, we thought we should provide the community with an update and ask for feedback. Please let us know if you have any feedback or thoughts on HECVAT.

Also, many thanks to the continued active engagement from the HECVAT core team: Jon Allen, Josh Callahan, Susan Coleman, Charlie Escue, Brian Kelly, Nick Lewis, and Kim Milford! We are so grateful to all of the other volunteers who have made it so great to work on the HECVAT over the last five years!

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.

Access the Higher Education Community Vendor Assessment Toolkit through the HECVAT page.


Nick Lewis is Program Manager for Security and Identity at Internet2.

© 2020 Nick Lewis. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.