As of 2023, Jotform is proud to announce that we have completed the HECVAT self-assessment for Jotform Enterprise. You can create your education forms and apps with peace of mind using Jotform Enterprise.
Jotform's HECVAT self-assessment is available in the REN-ISAC Community Broker Index.
Introduction
What is HECVAT? Though it may sound like one of those words you couldn't quite pronounce in your high-school German class, HECVAT is actually an American acronym related to information security in higher education.
More than 150 private and public universities across the country, including Carnegie Mellon, Princeton, and Rice, use HECVAT as a way to assess vendor risk.
But there's more to HECVAT than we can sum up in a single paragraph, which is why we created this detailed article. Keep reading to learn more about HECVAT and its assessment tools in the sections below.
What is HECVAT?
HECVAT stands for the Higher Education Community Vendor Assessment Toolkit. The Higher Education Information Security Council (HEISC) created it in collaboration with the computer networking consortium Internet2 and cybersecurity alliance REN-ISAC.
The HECVAT is a suite of tools designed to help higher education institutions measure vendor risk with regard to information security. As part of the vendor evaluation process, colleges and universities may ask vendors to complete one of several HECVAT questionnaires to affirm that sufficient information and cybersecurity policies are in place to protect institutions' sensitive information and the personally identifiable information (PII) of students, staff, and other stakeholders.
About the HECVAT collaborators
The HECVAT questionnaires are trusted evaluation tools because they were developed jointly by three teams of information networking and security experts:
- HEISC. Founded in 2000, HEISC is a team of information security and privacy professionals dedicated to helping higher education institutions improve information security governance, compliance, and data protection.
- Internet2. Formally titled the University Corporation for Advanced Internet Development (UCAID), Internet2 is a nonprofit consortium that includes higher education and research institutions, government entities, corporations, and cultural organizations. Its purpose is to provide a "secure high-speed network, cloud solutions, research support, and services tailored for research and education."
- REN-ISAC. The Research and Education Networks Information Sharing and Analysis Center is an international alliance that provides cybersecurity news reports, alerts, and advisories, along with analysis of cybersecurity threats and mitigation solutions. The alliance has more than 700 member institutions.
Why does HECVAT matter?
According to a 2022 survey by cybersecurity firm Sophos, 64 percent of higher education institutions experienced at least one ransomware attack in 2021, up from 44 percent in 2020. Of those attacks, 74 percent succeeded. Compare that with a global average success rate of 65 percent.
Ransomware attacks have a real impact on organizations, especially those in higher education. The Sophos survey noted that nearly all (97 percent) public-sector higher education respondents said an attack had affected their ability to operate, while 96 percent of private-sector higher education respondents said an attack had caused their institution to lose business or revenue.
Why do these institutions make such attractive targets for criminals? Consider these factors:
- They hold a lot of data. Colleges store large amounts of personal data about students and faculty, as well as research data from government agencies and academic partners.
- Their networks are more vulnerable to attack. Larger, long-established universities tend to maintain legacy systems, which often carry more vulnerabilities than modern systems. In addition, the many personal and campus devices and applications connected to these systems provide plenty of opportunities for attack, especially when the people using them prioritize convenience over security.
- They have limited budgets. Public and private institutions alike often have limited budgets; they also tend to allocate financial resources to more visible, marketable departments (like athletics) over IT and cybersecurity.
With such troubling cybersecurity trends and the target factors above, it's no wonder that a standardized security method like HECVAT is needed in higher ed. This toolkit enables colleges to save time, standardize their risk assessment of vendors, and ensure those vendors are appropriately assessed in the areas of security and privacy.
The 4 HECVAT tools
The HECVAT toolkit includes four questionnaires that allow higher education institutions to adopt, implement, and maintain a consistent risk and security assessment program. Each questionnaire represents a different level of rigor, and one of them is actually intended for internal use.
Note: All current versions of these tools are available as downloadable Excel files on the EDUCAUSE HECVAT web page.
Triage tool
Unlike the Full, Lite, and On-Premise tools described below, the Triage tool isn't meant for vendors to complete; this is a common misunderstanding among those unfamiliar with HECVAT. Instead, this tool is meant for internal "requesters," such as departments and individual faculty members who want to share institutional data with a third-party provider or software solution.
Through this tool, the requester documents and summarizes their data sharing intent, scope, elements, and technology requirements through about 35 questions across six categories such as use case, procurement, and institution technology. Completing the questionnaire is a prerequisite to IT initiating a risk and security assessment and using the other tools to assess vendors.
Here are a few example questions:
- Provide a general summary of your department and the business area that will be housing institution data, utilizing the third-party software/service, and/or requesting integration with an institution's enterprise system(s).
- Have you consulted with the institution's procurement professionals regarding this request for assessment?
- Describe the institution's IT responsibilities in support of this third-party software/service, department application, or integration with an enterprise system.
Full tool
Designed to assess the most critical data-sharing engagements, the Full tool asks vendors to answer over 250 questions about their practices across 20-plus categories, such as HIPAA, vulnerability scanning, documentation, and disaster recovery.
Here are a few example questions for the Full tool:
- Do your workforce members receive regular training related to HIPAA Privacy and Security Rules and the HITECH Act?
- Does your organization have a disaster recovery site or a contracted disaster recovery provider?
Lite tool
This condensed version of the Full tool is used to expedite the vendor assessment process while still addressing key security concerns. Vendors complete the Lite tool, which includes about 100 questions across 12 categories, such as IT accessibility, systems management, data center, and incident handling.
Here are a few example questions from the Lite tool:
- Has a third-party expert performed an accessibility audit on the latest version of your product?
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does your company manage the physical data center where the institution's data will reside?
- Do you have the ability to respond to incidents 24 x 7 x 365?
On-Premise tool
Like the Full and Lite tools, the On-Premise tool is completed by vendors to assess their risk. Its questionnaire is shorter than those of the other tools and is tailored to on-premises solutions, with 70 questions across 10 categories.
Here are a few example questions from the On-Premise tool:
- Does the database support encryption of specific data elements at rest?
- Are information security principles designed into the product life cycle?
- Do you use host-based intrusion detection?
Additional HECVAT resources
In addition to the questionnaires, HECVAT offers two other resources for higher education institutions:
- Community Broker Index (CBI). The CBI provides a regularly updated list of vendors willing to share their completed HECVAT assessments. Higher education institutions can refer to this list to save time in identifying vendor solutions whose risk is acceptable.
- Users Community Group. This group provides higher ed institutions with a forum to share information, best practices, and strategies for using HECVAT.
How can you use a HECVAT-friendly data-collection tool on your campus?
Jotform Enterprise is a powerful, easy-to-use data-collection tool for educators and administrators at major universities and grade schools alike. It's also listed in HECVAT's Community Broker Index, which means you can access its already-completed HECVAT assessments and save time in assessing risk.
How can Jotform work for you?
- Teachers can use Jotform to manage their classes by designing online quizzes, collecting assignments and homework, or asking parents to sign permission slips.
- Administrators can use Jotform to handle operational tasks such as creating surveys to measure student or teacher satisfaction, or accepting online payments for fees and alumni donations.
Jotform offers nearly 2,000 education form templates ranging from teacher evaluations and academic performance questionnaires to scholarship applications. You can build forms in just a few minutes.
Colleges can take advantage of several other key features beyond forms:
- Accessibility. Jotform's forms are Level A and Level AA compliant with WCAG 2.1 standards, so you can create Section 508-friendly forms.
- Signability. Collect e-signatures from students, parents, staff, and other key stakeholders using Jotform Sign. Automate the signing process to ensure all relevant parties see and sign your document in the right order.
- Security. Your data is stored in a local data residency center with added SOC 2 compliance. You can also opt into HIPAA features if your campus collects sensitive health information from students or faculty.
Ensure your campus is on track for success with a HECVAT-friendly, affordable solution; education institutions are eligible for a significant discount. Get started with an education data-collection form today.
