Review Process for Cloud or Vendor Services - HECVAT Triage

Overview

Norwich University has a responsibility to protect data entrusted to it. Our customers (students, employees, etc.) ultimately own the data entrusted to Norwich University.

The Acceptable Use Policy, section 6.7 states that “Users must not enter into any agreement that obligates university resources where University systems or data will be used without the going through and approved by the governance process first.”

Third party vendors are one of the main causes of data breaches. We must trust that vendor is doing the right thing with connections to our systems and data. However, we must also show that we have done our due diligence to identify and limit risk and reduce liability. The Higher Education Community Vendor Assessment Tool (HECVAT) is one way for Norwich University to gather information about a vendor and determine the level of risk the vendor poses for Norwich University. It should be noted that just because a vendor has gone through this process does not mean they are approved. Vendors and other service providers that pose a significant risk to Norwich systems and data that cannot be mitigated will not be approved.

Turnaround time

This process is primarily driven by the vendor. The vendor’s willingness to provide information will determine the how quickly the process will go. On average, the CISO will need two weeks to review material. It is the requestor’s responsibility to ensure this time is built into the project plan. Please note, a vendor who is not timely will delay your project.

Process

1. The HECVAT Triage is to be completed by the NU requester.
   1. Incomplete information will cause the HECVAT to be rejected and delay processes
      • Note: Any products used need to be approved by employee’s department and/or manager
   2. The requester will be the liaison with the vendor.
   3. A review of the product DOES NOT constitute support from ITS.
   4. It is the responsibility of the requester to coordinate any service that will integrate in some way (including SSO) with Norwich systems with ITS.
2. HECVAT Triage information is reviewed.
   1. Ticket will be updated with additional information request and next steps.
   2. It is the responsibility of the requester to address the additional information request.
      • May need to reach out to the service provider for additional information.
3. If the product or service will be processing MODERATE or HIGH information, connecting to Norwich systems, using Norwich data, or is deemed a high risk, an additional HECVAT full or light version will be required as determined by the CISO. A link will be sent via the ticketing system for an online version of the assessment to be completed. The NU contact must notify the CISO via the ticketing system once the vendor completes the HECVAT.
   1. NOTE: This is the step that relies on the vendor and often takes the longest.
   2. The HECVAT must be completed by technical staff, not a sales person at the vendor’s organization.
   3. It is imperative that the vendor complete all questions and supply all requested documentation. Failure to do so will cause delays or denial of the request.
4. Once the HECVAT is complete, it will be reviewed along with the supporting documentation.
5. After reviewing all submitted documentation a decision will be made to approve or deny the request.