Higher Education Cloud Vendor Assessment Tool


Campus IT environments are rapidly changing and the speed of cloud service adoption is increasing. As campuses deploy or identify cloud services, they must ensure the cloud services are appropriately assessed for managing the risks to the confidentiality, integrity and availability of sensitive institutional information and the PII of constituents. Both cloud providers and cloud consumers are wasting precious time creating, responding, and reviewing such assessments.

 The Higher Education Cloud Vendor Assessment Tool attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use.  The matrix:

  • Helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, including some that are unique to higher education

  • Allows a consistent, easily-adopted methodology for campuses wishing to reduce costs through cloud services without increasing risks

  • Reduces the burden that cloud service providers face in responding to requests for security assessments from higher education institutions

The Higher Education Cloud Vendor Assessment Tool, and the lightweight version (with a shorter set of questions for review in low-risk situations), was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group. Its purpose is to provide a starting point for the assessment of third-party provided cloud services and resources. Over time, the Shared Assessments Working Group hopes to create a framework that will establish a community resource where institutions and cloud services providers will share completed assessments.

For general information about the HECVAT, please contact us at security-council@educause.edu.

Download Resources