Security Assessments
The IT Security Office conducts security assessments for all hardware, software, and services as part of the technology procurement process. Any technology purchase that does not meet UToledo’s defined security standards cannot move forward in procurement.
Security assessments are integrated into the IT Project Request process and run in parallel with procurement. To initiate a security assessment, submit a project request to the Project Management Office (PMO) via IT PMO Project Central.
Once submitted, the PMO will:
- Review your request for completeness.
- If completed, you’ll receive an email with a link to a triage form requesting details about the technology or service and vendor contact information.
- After the triage form is submitted, the PMO contacts the vendor and asks for pertinent documentation needed to scope and review the technology.
- The vendor will be asked to complete the appropriate HECVAT version 4 document and provide any supporting technical documentation. Download the HECVAT via HECVAT v4.
- Once the vendor’s documentation is received, a designated IT member defines the project scope, documents the technical specifications, and prepares a scoping summary for IT Security to review.
- After all documentation and reviews are complete, the IT Security Office will assess the associated risk and share the results with the requesting department and Purchasing.
Frequently Asked Questions
When does a Security Assessment (and by definition, a project request) need to be completed?
A security assessment (and project request) is required before purchasing any of the following:
- Computing hardware, software, or third-party services
- Devices requiring network connectivity (wired or wireless)
- Systems involving data privacy or compliance (e.g., HIPAA, FERPA, PCI, PHI, PII, CDI, CUI, financial or research data)
- Cloud-hosted or third-party-hosted systems
- Major upgrades to existing software
What is the HECVAT?
The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a standardized questionnaire framework developed for higher education institutions to assess vendor risk. Learn more at Educause Library.
Why HECVAT?
The HECVAT provides a consistent, higher-education–specific framework that benefits both institutions and vendors. Over 100 colleges and universities use HECVAT, allowing vendors to provide one common assessment to meet multiple institutional requirements.
How long does a security assessment take?
Timelines vary depending on:
- The completeness of submitted information
- The complexity of the technology or service
- The vendor’s responsiveness
On average, assessments take 4 to 12 weeks to complete.