HECVAT Feedback 2017

Survey Questions

The Higher Education Cloud Vendor Assessment Tool (HECVAT) attempts to generalize higher education information security and data protection questions and issues regarding third party and/or cloud services for consistency and ease of use and to ensure that such services are appropriately assessed for security and privacy needs, including some that are unique to higher education.

The HECVAT was created by a working group composed of EDUCAUSE, Internet2, and REN-ISAC members for the benefit of all higher education institutions. We want to make sure that the HECVAT is useful to all higher education institutions that choose to use it. The goal of this feedback survey is to gather metrics on use of the HECVAT, perceived vendor reaction to the HECVAT, and suggestions for further improvement and refinement.

Unless you give us your name and contact information, your response to this survey is anonymous. We are not collecting IP addresses.

Thank you for taking the time to help us improve this tool.

Question Title

* 1. Have you used the HECVAT to assess a third party and/or cloud services product?

Yes

If you have chosen not to use the HECVAT, please tell us why:

Question Title

* 2. Think back to your first use of the HECVAT. What was the vendor reaction to your request that they complete the HECVAT?

Question Title

* 3. In your first use of the HECVAT, how did the vendor specifically answer question HESA-01 (sharing question #1)?

Yes

The vendor did not answer HESA-01

Question Title

* 4. In your first use of the HECVAT, how did the vendor specifically answer question HESA-02 (sharing question #2)?

Yes; OK to list (this is the default response for question HESA-02)

No; listing disallowed

The vendor did not answer HESA-02

Question Title

* 5. In your first use of the HECVAT, how did the vendor specifically answer question HESA-03 (sharing question #3)?

Yes: OK to Share

No; Sharing disallowed (this is the default response for question HESA-03)

The vendor did not answer HESA-03

Question Title

* 6. In your first use of the HECVAT, how did the vendor specifically answer question HESA-04 (sharing question #4)?

Yes: OK to Share

No; Sharing disallowed (this is the default response for question HESA-04)

The vendor did not answer HESA-04

Question Title

* 7. Was the HECVAT useful to your institution's third party and/or cloud services assessment process?

Very useful

Somewhat useful

Not very useful

Not at all useful

Please tell us some more about your answer:

Question Title

* 8. Will you use the HECVAT again to assess third party and/or cloud services products?

Definitely won’t

Probably won’t

Probably will

Definitely will

Please tell us some more about your answer:

Question Title

* 9. What specific feedback do you have about the HECVAT? What would you do to improve it? In what ways was it useful in meeting your needs?

Question Title

* 10. Is the HECVAT only being used by the security team or are you pushing its use to other campus units (i.e., purchasing departments, distributed IT) as well?

Question Title

* 11. How mature is your institution’s third party and/or cloud services risk assessment process?

Absent/ad hoc: We don’t currently do this, or we address it in an improvised, irregular way

Repeatable: We have an established capability, but our practices are mostly informal.

Defined: We have a standardized capability and have documented procedures and/or responsibilities related to it.

Managed: We manage this capability to achieve predictable results on the basis of reliably measured performance indicators.

Optimized: Besides measuring performance, we regularly reassess the way we deliver this capability, in order to improve practices and manage risks.

HECVAT Feedback 2017

Survey Questions

Question Title

* 1. Have you used the HECVAT to assess a third party and/or cloud services product?

Question Title

* 2. Think back to your first use of the HECVAT. What was the vendor reaction to your request that they complete the HECVAT?

Question Title

* 3. In your first use of the HECVAT, how did the vendor specifically answer question HESA-01 (sharing question #1)?

Question Title

* 4. In your first use of the HECVAT, how did the vendor specifically answer question HESA-02 (sharing question #2)?

Question Title

* 5. In your first use of the HECVAT, how did the vendor specifically answer question HESA-03 (sharing question #3)?

Question Title

* 6. In your first use of the HECVAT, how did the vendor specifically answer question HESA-04 (sharing question #4)?

Question Title

* 7. Was the HECVAT useful to your institution's third party and/or cloud services assessment process?

Question Title

* 8. Will you use the HECVAT again to assess third party and/or cloud services products?

Question Title

* 9. What specific feedback do you have about the HECVAT? What would you do to improve it? In what ways was it useful in meeting your needs?

Question Title

* 10. Is the HECVAT only being used by the security team or are you pushing its use to other campus units (i.e., purchasing departments, distributed IT) as well?

Question Title

* 11. How mature is your institution’s third party and/or cloud services risk assessment process?

Question Title

* 12. Please share your institution name; we are trying to gauge the reach of the HECVAT. (Optional)

Question Title

* 13. May we contact you for more information about your experiences with the HECVAT? If so, please leave your name/email below. (Optional)