Overview
Security assessments are a crucial part of managing and understanding risks associated with third-party systems. Vendors must be able to show that they have the proper administrative, physical, and technological safeguards in place to ensure the confidentiality, integrity, and availability of institutional data and related systems.
To ensure that HCC data and systems are handled in compliance with HCC policy and IT standards, the Office of Information Technology (OIT) has the responsibility to conduct Information Security Risk Assessments of any computing system before it can be purchased. Project owners shall be responsible for coordinating with OIT to complete the Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment with the vendor. Although created for cloud applications, the HECVAT has been widely adopted by organizations to assess any service that interfaces with institutional data, information systems, and/or infrastructure.
All use of institutional data is required to comply with Administrative Procedure 9.08 (Data Classification and Handling). Additionally, the Data Classification Guidelines documents must be considered when utilizing institutional data.
Procedure
The project owner will use the button to the right to submit a request to begin the Assessment process. This request uses a form to collect information about the solution, the data being used, as well as the vendor or product that is being considered. Please consider the following information when completing a request.
- What data will this vendor/solution be accessing?
- How is the vendor utilizing the data in the solution or product?
- Will the data be accessed, stored, and processed according to institutional policy?
- Does the vendor provide the necessary means to ensure that only authorized users can access the system or data?
If you would like to begin the Risk Assessment process, please click on the Begin Assessment button to the right.