An Analysis of 350 HECVAT Vendor Assessments Across 40 EDUs

The HECVAT is a widely used vendor assessment questionnaire created by the HEISC Shared Assessment Working Group. It is currently in its third major version. Last year at #CybersecPrivacy21 we presented summary data from over 200 completed HECVAT assessments, including analysis by categories, vendor verticals, and across specific high/critical weighted controls. This year we will expand the dataset analysis to include over 350 completed HECVATs from 40 separate EDUs with a continued focus on benchmarking vendor response to guide EDUs in HECVAT review, analysis, and interpretation. We will also do a subset analysis on the initial set of HECVAT v3s to provide an early comparative dataset for EDUs to use as a benchmark for interpretation of this latest HECVAT version. HECVAT assessments were collected and shared by EDUs in IsoraLite, a free-to-EDU assessment platform that allows EDUs to collect, manage, and view HECVATs and supporting documentation, as well as to share HECVATs with other EDUs. Since the rollout of IsoraLite by the University of Texas at Austin Information Security Office and Salty Cloud PBC at #SECURITY19, over 750 EDU users across 350+ EDUs have accessed IsoraLite to collect, view or otherwise manage HECVAT vendor assessments. Finally, we will also discuss EDU-specific examples of using the HECVAT assessment as part of a broader vendor risk management program, including implementing and maturing a vendor risk management program based on HECVAT at UT Austin.