Neumetric

HECVAT Supporting Evidence List


Introduction

The Higher Education Community Vendor Assessment Toolkit [HECVAT] helps Colleges & Universities assess the Cybersecurity Readiness of their Third Party Vendors. While the HECVAT Questionnaire asks detailed Questions, Answers alone are not enough. A Well-prepared HECVAT supporting Evidence list strengthens the Review by offering proof behind every claim. This Article explains how to create & maintain this Critical List.

What is the HECVAT & Why does It Matter?

HECVAT is a standardised Questionnaire developed by the Higher Education Community; it is maintained by EDUCAUSE’s Higher Education Information Security Council [HEISC] in partnership with Internet2 & REN-ISAC. It helps Institutions evaluate whether a Vendor’s Cloud Services or Software meet their Security & Privacy Requirements.

The HECVAT supporting Evidence list is used alongside the Questionnaire to verify that the Vendor’s claims are backed by actual Policies, Reports or Certifications.

Purpose of the HECVAT Supporting Evidence List

Think of the HECVAT supporting Evidence List as the supporting Documents to a Resume. While the Questionnaire outlines a Vendor’s Security practices, the Evidence List proves them.

Institutions reviewing a Vendor’s Security Profile often request this list to save time, improve clarity & reduce Back-and-forth Communication.

Core Components in a HECVAT Supporting Evidence List

Common items in a HECVAT supporting Evidence list include:

  • Information Security & Privacy Policies
  • SOC 2 or ISO 27001 Audit Reports
  • Penetration Test Summaries
  • Access Control Procedures
  • Incident Response Plans
  • Data Encryption Documentation

These Documents are mapped to specific HECVAT questions for easy reference.

How to Compile a HECVAT Supporting Evidence List?

Start by completing the HECVAT Questionnaire. Then, link each key answer to a supporting file, recording the document’s version, issue date & (where applicable) expiration date next to the question it supports. Use consistent file names that carry the version or date (for example a policy name followed by its version) & organise them in a single shared folder that the reviewing Institution can be given access to.

Vendors can find the current HECVAT templates & guidance on the EDUCAUSE HECVAT pages; EDUCAUSE maintains the toolkit with Internet2 & REN-ISAC.

Common Challenges 

The most frequent issues with a HECVAT supporting Evidence List are:

  • Outdated Documents
  • Too much or too little Information
  • Unclear formatting

Avoid these by setting a Review Schedule, limiting Documents to what’s essential & clearly labeling each file.

Best Practices for maintaining Evidence Accuracy

Keep your HECVAT supporting Evidence List current. Review it every six (6) to twelve (12) months & whenever a referenced document is reissued or superseded. Include Version numbers, issue dates & expiration dates for every item, so that a reviewer can tell at a glance whether a SOC 2 Report or Penetration Test Summary still covers the current period.

Assigning responsibility to a Compliance or Security lead helps ensure Accuracy & Consistency.
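The compilation & maintenance steps above (map each question to a file, record version & dates, re-review on a schedule) are mechanical enough to script. The following is an added example, not part of the original article or of any Neumetric tooling: it audits a small evidence index for files that are missing, expired, or overdue for review, refuses entries whose path escapes the shared evidence folder, & emits a SHA-256 manifest so the reviewing Institution can confirm it received the same files. The question IDs, file names, dates & file contents are constructed placeholders, not taken from any real HECVAT submission.

```python
"""Audit a HECVAT supporting-evidence index for missing, expired and stale files.

Constructed example: question IDs, file names, dates and file contents are
placeholders, not taken from any real HECVAT submission or vendor.
"""
import hashlib
import os
import tempfile
from datetime import date

REVIEW_INTERVAL_DAYS = 365  # re-review anything issued more than 12 months ago

# Constructed index: one supporting file per HECVAT question, with the
# version / issue / expiry metadata the evidence list should record.
EVIDENCE_INDEX = [
    {"question": "DATA-01", "file": "policies/infosec-policy-v3.2.pdf",
     "version": "3.2", "issued": "2024-09-01", "expires": None},
    {"question": "APPL-05", "file": "audits/soc2-type2-2024.pdf",
     "version": "2024", "issued": "2024-11-15", "expires": "2025-11-14"},
    {"question": "APPL-06", "file": "pentest/pentest-summary-2023.pdf",
     "version": "1.0", "issued": "2023-06-30", "expires": None},
    {"question": "AAAI-02", "file": "procedures/access-control-v1.4.pdf",
     "version": "1.4", "issued": "2025-01-10", "expires": None},
    # A bad entry that tries to point outside the shared evidence folder.
    {"question": "HIPA-01", "file": "../internal/keys.txt",
     "version": "1.0", "issued": "2025-01-10", "expires": None},
]

# Constructed file contents; the access-control procedure is deliberately
# absent so the audit reports it as missing.
SAMPLE_FILES = {
    "policies/infosec-policy-v3.2.pdf": b"Information Security Policy v3.2\n",
    "audits/soc2-type2-2024.pdf": b"SOC 2 Type II report, period ending 2024-10-31\n",
    "pentest/pentest-summary-2023.pdf": b"External penetration test summary, June 2023\n",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_evidence(index, root, today):
    """Return findings for an index whose files live under `root`.

    missing:  referenced file does not exist
    expired:  expiry date is in the past
    stale:    issued more than REVIEW_INTERVAL_DAYS ago (review due)
    unsafe:   path escapes the evidence folder (rejected, not hashed)
    manifest: question -> file, version, sha256 for the reviewer's copy
    """
    root = os.path.realpath(root)
    findings = {"missing": [], "expired": [], "stale": [], "unsafe": [], "manifest": {}}
    for entry in index:
        qid = entry["question"]
        path = os.path.realpath(os.path.join(root, entry["file"]))
        if os.path.commonpath([root, path]) != root:
            findings["unsafe"].append(qid)
            continue
        if not os.path.isfile(path):
            findings["missing"].append(qid)
            continue
        issued = date.fromisoformat(entry["issued"])
        if entry["expires"] and date.fromisoformat(entry["expires"]) < today:
            findings["expired"].append(qid)
        if (today - issued).days > REVIEW_INTERVAL_DAYS:
            findings["stale"].append(qid)
        findings["manifest"][qid] = {
            "file": entry["file"], "version": entry["version"], "sha256": sha256_file(path)}
    return findings


def run_demo(today="2025-06-01"):
    """Write the constructed files to a temp folder and audit them as of `today` (ISO date)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return audit_evidence(EVIDENCE_INDEX, root, date.fromisoformat(today))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against a real evidence folder by replacing `EVIDENCE_INDEX` with the contents of your own index file & `root` with the shared folder path. The `unsafe` check matters once the index is edited by several people: an entry such as `../internal/keys.txt` would otherwise be hashed & handed to an external reviewer. Treat any `expired` or `stale` hit as a reason to reissue the document before the next submission, & ship the `manifest` with the list so both sides can verify the files they are discussing are identical.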

How the HECVAT Supporting Evidence List Aligns with Other Frameworks?

Many items in the HECVAT supporting Evidence List can also support:

  • NIST Cybersecurity Framework
  • FERPA Compliance
  • GDPR-related Controls

This overlap allows Vendors to repurpose documents, saving time & effort.

Limitations of the HECVAT Supporting Evidence List

While helpful, the HECVAT supporting Evidence list is not a complete substitute for In-depth Assessments. It shows a snapshot in time: a SOC 2 Type II Report or Penetration Test Summary covers a fixed period, & a Policy proves intent rather than operation. Interpretation can also vary across Institutions. Always provide context where needed, such as the scope of an audit or the systems a test covered.

Takeaways

  • A strong HECVAT supporting Evidence list improves Transparency & speeds up Vendor Reviews.
  • Focus on relevance, clarity & document freshness.
  • Map Evidence directly to HECVAT Questions.
  • Update the list regularly to maintain credibility.

FAQ

What is a HECVAT supporting Evidence list?

It is a Set of Documents that verify a Vendor’s responses to the HECVAT Questionnaire.

How often should the list be updated?

At least every six (6) to twelve (12) months or after major Policy or Certification changes.

What types of Documents are typically included?

Items like SOC 2 Reports, Security Policies, Access Controls & Incident Response Plans.

Is the list required for every HECVAT submission?

Not always, but it’s highly recommended to improve trust & reduce review time.

Can the list support Compliance with other Standards?

Yes, many Documents can also be used for NIST, FERPA & GDPR Compliance.

Need help? 

Neumetric provides organisations the necessary help to achieve their Cybersecurity, Compliance, Governance, Privacy, Certifications & Pentesting goals. 

Organisations & Businesses, specifically those which provide SaaS & AI Solutions, usually need a Cybersecurity Partner for meeting & maintaining the ongoing Security & Privacy needs & requirements of their Clients & Customers. 

SOC 2, ISO 27001, ISO 42001, NIST, HIPAA, HECVAT, EU GDPR are some of the Frameworks that are served by Fusion – a centralised, automated, AI-enabled SaaS Solution created & managed by Neumetric. 

Reach out to us!
