An Analysis of 200 HECVAT Vendor Assessments across 20 EDUs

The HECVAT is a set of questionnaire-based vendor assessments created by the HEISC Shared Assessment Working Group and includes a Full, Lite and On-Premise version. During #SECURITY19 in Chicago, the University of Texas at Austin Information Security Office and Salty Cloud PBC launched Isora Lite, a free-to-EDU assessment platform for collecting, viewing and sharing HECVAT assessments across the higher education community. Since then over 500 users across 250 EDUs have accessed Isora Lite, with over 20 EDUs having at least one completed HECVAT in the system. These EDUs include private and public universities of various sizes as well as several community colleges. We have conducted an initial analysis of the first 185 HECVATs completed, spanning 37 unique industry verticals. To the best of our knowledge this is the largest collection of HECVATs in a single location and the first analysis of this kind. Overall the average HECVAT score was 81%, with a median score of 84% (range 31%-100%). The industry vertical with the most completed HECVATs was Financial and Procurement Systems with an average score of 88% (median 90%). During our talk, we will provide a full analysis of over 200 HECVATs, including score breakdown by industry vertical and HECVAT categories. We will also examine the most common missing controls and explore other qualitative analysis. Finally we will discuss the steps and lessons learned implementing a HECVAT-based vendor management program from scratch at UT Austin.