FileCloud is delighted to announce that it is officially confirmed as fully compliant with the Higher Education Community Vendor Assessment Toolkit (HECVAT). This means that FileCloud’s solution is now listed on the HECVAT Community Broker Index, a resource used extensively by assessors in the higher education sector to determine the security and privacy capabilities of […]
FileCloud is delighted to announce that it is officially confirmed as fully compliant with the Higher Education Community Vendor Assessment Toolkit (HECVAT). This means that FileCloud's solution is now listed on the HECVAT Community Broker Index, a resource used extensively by assessors in the higher education sector to determine the security and privacy capabilities of third-party and cloud service providers.
The HECVAT framework measures vendor risk and reduces the complexities involved in the procurement process. U.S. universities use the HECVAT widely, which also has the effect of standardizing the approach to procurement across this sector as a whole.
The HECVAT framework is a series of questionnaires in Excel format that are used to measure the level of risk that a vendor poses to a higher education institution, in terms of cybersecurity, compliance, and other areas. Its purpose is to allow higher education IT professionals to minimize the amount of time they spend on due diligence during software and cloud procurement processes. While the HECVAT is not a legally required framework, the university sector regards it highly and uses it widely.
The HECVAT originated in 2016 as a community project among IT professionals working in higher education, and has since evolved from one basic questionnaire into a more extensive set of questionnaires:
There is a HECVAT Community Users' Group, as well as the HECVAT Community Broker Index, to which FileCloud has recently been added.
Those involved in devising the HECVAT come from various universities, including Baylor University, Indiana University, and Humboldt State. Many more campus IT security and industry professionals have become drawn in to the project since its inception, and there are now various working groups dedicated to updating and maintaining the framework. These include:
Since its 2016 inception, the HECVAT has grown in scope, usage, and reputation. Vendors regard recognition for using the HECVAT as a clear advantage, and as a way to unequivocally signal their commitment to the higher education sector.
For more detailed information on the use cases below, see the webinar Campus Experiences using HECVAT.
Indiana University (IU) integrates the HECVAT into its IT procurement processes. Prior to this, it was doing many vendor risk assessments per year, which was a time-consuming process. Now IU uses the HECVAT for all third-party risk assessments, saving it time and money. Additionally, it uses the full HECVAT for enterprise systems and systems containing critical data, and the HECVAT Lite for small-scale operations. IU also uses the On-Prem HECVAT, allowing internal teams to consolidate standards for software purchases.
Princeton University operates with a centralized structure to serve its approximately 10,000 users. It integrates the HECVAT fully into its procurement processes and uses it for IT vendor risk assessment. The university Security Office is mainly preoccupied with vulnerability management, encryption, authentication, and data centers. However, it finds that the HECVAT is effective in highlighting less-obvious risks, such as potential vendors' financial viability. A cross-functional team also uses the HECVAT to facilitate conversations with vendors, which deal with areas such as architecture, security, and compliance.
Cyberattacks cost educational institutions millions each year. Between 2016 and 2022, there were over 1,600 attacks on K-12 schools. This resulted in losses of up to $1 million per breach for the school districts involved (Government Accountability Office statistics). Since this time period, the problem has only escalated. Additionally, these breaches often expose PII of students, families, staff, and vendors, enabling further attacks.
In 2023, for higher education, the MOVEit data breach was particularly widespread and costly. An estimated 3,500 U.S. higher education institutions were using MOVEit due to the requirements of the U.S. Department of Education for sharing information with the National Student Clearinghouse. The MOVEit supply chain attack was, therefore, widespread in its effects on higher education. However, this represents one of only many scenarios in which higher education has been targeted by threat actors in recent years. The volume of attacks highlights an urgent need for the sector to address IT infrastructure security gaps.
The team at FileCloud has long experience of providing secure software support for the higher education sector. Team FileCloud is well familiar with the significant challenges that can arise in these environments. There are a number of ways in which FileCloud offers advantages to higher education in North America, both in terms of security and cost-effectiveness:
FileCloud has helped the renowned California Institute of the Arts (CalArts) streamline storage and content collaboration securely. Read more about FileCloud and CalArts here.
To find out more about FileCloud's security and integration capabilities, as well as its benefits as a content collaboration platform, schedule a demo here.
Written by Deirdre Clancy, Technical Content and Communication Manager
