Security Assessments

The IT Security Office performs security assessments for hardware, software, and services as part of the procurement process.

To request a security assessment, download and complete the HECVAT Triage form and attach it and any supporting documentation to an IT Help Desk ticket at

Once the documentation has been reviewed, a request will be made of the vendor to complete a HECVAT LiteFull, or On-Prem based on the project scope. Once all supporting documentation is received and reviewed the findings and recommendations will be shared with the requesting department and purchasing.

Frequently Asked Questions

When does a Security Assessment need to be completed?

  • A security assessment is required prior to purchasing for the following items:
  • Any computing hardware, software, or third-party services
  • Any device which requires network connectivity (wired or wireless)
  • Anything that involves Data Privacy and Data Compliance in regards to UToledo data (HIPAA, FERPA, PCI, PHI, PII, CDI or CUI, Financial data, Research data, etc.)
  • Any cloud-hosted or third party hosted systems
  • Major system upgrades may also trigger a security assessment

What is the HECVAT?

The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk.


The HECVAT is specifically designed to meet the needs of the higher education community. Utilizing the HECVAT benefits vendors by providing a common form that can be used across more than 100 participating institutions.

How long does a security assessment take?

Assessment time varies based on factors including the completeness of information provided by the business unit, the complexity of the item/project, and vendor/third-party cooperation with the process. This process often takes between 4-6 weeks to complete.

Last Updated: 3/7/23