HECVAT Triage HECVAT Lite HECVAT Full HECVAT On-Prem
Security Assessments
The IT Security Office performs security assessments for hardware, software, and services as part of the
procurement process.
To request a security assessment, download and complete the HECVAT Triage form and attach it and any supporting documentation to an IT Help Desk ticket at ithelp.utoledo.edu.
Once the documentation has been reviewed, a request will be made of the vendor to complete a HECVAT Lite, Full, or On-Prem based on the project scope. Once all supporting documentation is received and reviewed the findings and recommendations will be shared with the requesting department and purchasing.
Frequently Asked Questions
When does a Security Assessment need to be completed?
- A security assessment is required prior to purchasing for the following items:
- Any computing hardware, software, or third-party services
- Any device which requires network connectivity (wired or wireless)
- Anything that involves Data Privacy and Data Compliance in regards to UToledo data (HIPAA, FERPA, PCI, PHI, PII, CDI or CUI, Financial data, Research data, etc.)
- Any cloud-hosted or third party hosted systems
- Major system upgrades may also trigger a security assessment
What is the HECVAT?
The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
Why HECVAT?
The HECVAT is specifically designed to meet the needs of the higher education community. Utilizing the HECVAT benefits vendors by providing a common form that can be used across more than 100 participating institutions.
How long does a security assessment take?
Assessment time varies based on factors including the completeness of information provided by the business unit, the complexity of the item/project, and vendor/third-party cooperation with the process. This process often takes between 4-6 weeks to complete.