This article outlines the Higher Education Cloud Vendor Assessment Tool (HECVAT), which institutions of higher education use as a standard measure of vendor risk to determine the safeguards a supplier has in place to protect institutional data.
The purpose of this document is to outline the procedure Information Technology Services (ITS) Security performs to evaluate incoming HECVAT forms for Florida Gulf Coast University. This is done to determine compliance and to maintain confidentiality, integrity and availability.
A HECVAT ‘Full’ or HECVAT ‘Lite’ form must be submitted to ITS Security via a Zendesk ticket. Provided that all necessary documents are made available and attached to the ticket, ITS Security conducts a preliminary review and risk impact assessment of the completed HECVAT questionnaire. As soon as practical, ITS Security then reports the third party or third-party vendor as “approved/satisfactory” or “not satisfactory” to the CISO for final review and approval within the Zendesk ticket.