HECVAT in DecisionDirector
According to the HEISC, the Higher Education Cloud Vendor Assessment Tool attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. The HECVAT:
- Helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, including some that are unique to higher education
- Allows a consistent, easily-adopted methodology for campuses wishing to reduce costs through cloud services without increasing risks
- Reduces the burden that cloud service providers face in responding to requests for security assessments from higher education institutions
No-Cost DecisionDirector Support for the HECVAT
The HECVAT is made freely available under a Creative Commons license, which we fully respect. In fact, we are so supportive of the HECVAT idea and the higher education community that we have committed to do our part to foster rapid adoption by institutions and their vendors.
Therefore, we will provide any higher education institution with free use of DecisionDirector to record and maintain their evaluations of their vendors’ completed HECVAT forms. We will also provide vendors with free use of DecisionDirector to create and maintain HECVAT responses for up to five product lines.
Interested? Click the Learn More button to learn how to get started.
Information security teams can use DecisionDirector to centralize and standardize their secure, private evaluations of vendors who provide completed HECVAT forms (whether created via DecisionDirector or not).
- No limits on the number of vendors
- No limits on the number of users who would conduct the evaluations
- Update any evaluation at any time
- Real-time extracts of vendor evaluations for easy analysis
Vendor Response Collection
Vendors can easily create and maintain their HECVAT responses in DecisionDirector’s secure, private, multi-user RFP response environment.
Vendor responses to the HECVAT remain the exclusive property of the vendors, and the vendors control who gets to receive those responses.
Recommendation to Vendors
Whether you use DecisionDirector or not, we recommend that you register your completed HECVAT with REN-ISAC.
Public HECVAT Resources
Some useful and interesting HECVAT history and resources:
- EDUCAUSE HECVAT page
- A July 2017 article about the origins and intent of the HECVAT
- REN-ISAC HECVAT resource page
- Internet2 blog posting on Campus Cloud Security Shared Assessments Follow-up
- Internet2 2017 Global Summit on Exploring the Future of Cloud Vendor Security Assessments
Our Position, Policies, and Practices
We are 100% vendor neutral.
We have no stake in, or benefit in anyway from, a selection outcome.
We never reveal vendor response data without permission from the vendor.
We do not claim ownership of any client, consultant, or vendor data entered into DecisionDirector.
We never sell or otherwise distribute any of the data entered into DecisionDirector.
We have many consulting partners who have integrated DecisionDirector into their planning and selection methodologies, and their baseline requirements and other information into the DecisionDirector database.
Clients are free to use our baseline library or that of their chosen consultant, or a combination of both.
Vendors may establish baseline requirements of their own in DecisionDirector, for clients and prospects that wish to start with those.
We do whatever we can to help clients, consultants, and vendors be successful in using and benefiting from DecisionDirector, but we never provide unfair advantage or share inside information about the projects we support.
We hold all conversations in full confidence and do not discuss or share sensitive or competitive information.
We are committed to creating and supporting the best practices that lead to the best possible outcomes, and therefore are always open to constructive criticisms and suggestions.