Cal Poly, along with the entire CSU system, has chosen to utilize EduCause's Higher Education Cloud Vendor Assessment Tool (HECVAT) when assessing risk to the campus and its data. The HECVAT will be used for on campus as well as off campus assessments for things such as cloud hosting providers, on campus IoT devices, and everything in between.
The HECVAT provides many benefits to both the Campus as well as to the vendor. Vendors can complete the HECVAT a single time and share it with any school that uses the HECVAT. As more and more schools utilize the HECVAT, the ease with which vendors navigate the security review processes will become more and more streamlined. Vendors can also use the HECVAT as an entry-level security framework if they don't already have one.
For the most sensitive data, Cal Poly requires the completion of the Full HECVAT. This includes Level 1 on campus and off as well as Level 2 off campus.
For lower risk data and engagements, Cal Poly requires the completion of the HECVAT Lite. This includes Level 2 on campus and Level 3 off campus.
For more information on the HECVAT, please see EduCause's website.
Cheat Sheet for Data Classification Level to appropriate HECVAT
|Level 1 Off Campus||Full HECVAT|
|Level 1 On Campus||Full HECVAT|
|Level 2 Off Campus||Full HECVAT|
|Level 2 On Campus||HECVAT Lite|
|Level 3 Off Campus||HECVAT Lite|
Certain sections of the HECVAT may not be appropriate for all engagements. The following chart tries to identify a few sample use cases. The GREY cells indicate sections that are most likely not applicable. There are a few cells where relevance is dependent on the specific situation, for example "if appliance" or "if controlled by" (i.e. mobile device).