INFORMATION TECHNOLOGY

 HECVAT Triage  HECVAT Lite  HECVAT Full

Security Assessments


The IT Security Office performs security assessments for hardware, software, and services as part of the procurement process.

To request a security assessment, download and complete the HECVAT Triage form and attach it and any supporting documentation to an IT Help Desk ticket at ithelp.utoledo.edu.

Once the documentation has been reviewed, a request will be made of the vendor to complete a HECVAT Lite or HECVAT Full based on the project scope. Once all supporting documentation is received and reviewed the findings and recommendations will be shared with the requesting department and purchasing.


Frequently Asked Questions

When does a Security Assessment need to be completed?

  • A security assessment is required prior to purchasing for the following items:
  • Any computing hardware, software, or third-party services
  • Any device which requires network connectivity (wired or wireless)
  • Anything that involves Data Privacy and Data Compliance in regards to UToledo data (HIPAA, FERPA, PCI, PHI, PII, CDI or CUI, Financial data, Research data, etc.)
  • Any cloud-hosted or third party hosted systems
  • Major system upgrades may also trigger a security assessment

What is the HECVAT?

The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit

Why HECVAT?

The HECVAT is specifically designed to meet the needs of the higher education community. Utilizing the HECVAT benefits vendors by providing a common form that can be used across more than 100 participating institutions.

Last Updated: 11/17/21