Vendor Risk Management

The Vendor Risk Management program at Florida International University (FIU) involves assessing the operations, IT and security controls employed by the vendor. To assist in the process of measuring vendor risk, Educause's Higher Education Community Vendor Assessment Toolkit (HECVAT) is used. The process assists FIU in ensuring the security and privacy of data, especially where sensitive data and Personally Identifiable Information (PII) are involved.


The HECVAT questionnaire is to be completed by vendors as part of the procurement process. Because the HECVAT questionnaire is used within the Higher Education Community, vendors may already have a completed version which can be submitted for FIU's review. From the several HECVAT options that Educause has available, the HECVAT Full questionnaire is used by FIU.

The HECVAT Full questionnaire gathers responses supplied by the vendor about their practices across multiple security domains. The questionnaire submitted by the vendor will be reviewed by Information Security Analysts to ensure acceptance and compliance with FIU's policies and state and federal laws and regulations.

Completing HECVAT

The HECVAT questionnaire is organized into subsections. Responses to the Qualifier subsection dictate which of the subsections that follow are required and applicable for the vendor to complete. If a subsection is not required, its heading will be highlighted in yellow and will indicate that it is optional based on the qualifier response. Under the Vendor Answers field, the vendor must select Yes or No from the dropdown options for each question that applies. Based on the answer provided, the Guidance field will state what additional details or documentation must be provided. A field for Additional Information is provided to allow the vendor to state any supplemental information or further explanation. Instructions are included on the questionnaire for guidance.

Download HECVAT Full Document