HECVAT 4 Vendor Assessments at Scale
As institutions rely on an ever-expanding ecosystem of cloud and third-party vendors, security and privacy teams face mounting pressure to assess vendor risk accurately, consistently, and at scale. This panel discussion brings together security and risk leaders from three large universities—UT, UVA, and Duke—to share practical, real-world approaches to managing vendor assessments using the Higher Education Cloud Vendor Assessment Tool (HECVAT). Panelists will discuss how their programs have evolved with the transition from HECVAT v3 to the more comprehensive HECVAT v4, including what has changed, what has become more challenging, and what new insights can be derived from deeper vendor response data. The session will include a comparative analysis of vendor responses across versions and lessons learned from reviewing assessments at enterprise scale. The discussion will also highlight a statewide perspective through the TX-RSOC at UT, an initiative designed to centralize and share vendor risk assessments across more than 1,200 ISDs. Attendees will hear how shared services and collaboration can reduce duplication, improve consistency, and accelerate risk-informed decision-making. Moderated by SaltyCloud, this session will explore how higher ed institutions are operationalizing HECVAT through governance, workflow, and technology—offering concrete takeaways for institutions seeking to start, mature, or scale their vendor risk management programs.
Presenters
-
Cam Beasley
Chief Information Security Officer,
University of Texas at Austin
-
Jay Gallman
Risk Advisor,
Duke University
-
Drew Scheifele
Co-Founder and CEO,
SaltyCloud PBC
-
Brandy Smith
IT Policy and Compliance Analyst, Senior,
University of Virginia
Resources & Downloads
-
Presentation for session HECVAT 4 Vendor Assessments at Scale
Updated on 4/29/2026