Confidential Technology Client

Third-Party Risk Assessment Response

With help from Vantage, our technology client was able to improve their product’s higher education HECVAT score and deliver information security awareness and education training to its employees.


The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a higher education-specific tool designed to help colleges and universities measure vendor risk. A completed HECVAT allows colleges and universities to assess whether a third-party solution provider has the appropriate cybersecurity and privacy controls in place to protect institutional information. For colleges and universities, the HECVAT provides a streamlined assessment of the security and privacy offered by service providers and shortens the procurement process. For vendors, it reduces the burden faced in responding to requests for security assessments from higher education institutions. While the HECVAT is primarily a security assessment tool, vendors that can quickly share a completed HECVAT with a passing score for their products may have a competitive advantage in the higher education procurement process.

Vantage worked with our technology client to complete a HECVAT for its primary collegiate service offering, an application targeted toward students. Through a series of workshops, we shared our knowledge and understanding of the higher education technology environment to ensure that the client’s HECVAT responses are technically accurate and focus on the most relevant details for the campus information security analyst. Our knowledge of the higher education environment and guidance in answering HECVAT questions significantly improved the HECVAT score for the client’s collegiate service offering.

We also worked with our client to complete several information security improvement activities. Among those activities were recommendations to improve the client’s information security services and operations using already-purchased toolsets. We also prepared two client customized information security education and awareness training slide decks with presentation notes. One slide deck focused on the client’s information security policies to ensure that employees understood the most important policy requirements. The second slide deck focused on providing employees with general information security hygiene training.

Our deliverables included all workshop facilitation materials and notes, a completed HECVAT third-party assessment document ready for sharing with colleges and universities, and two information security education and awareness training slide decks.


  • Improved HECVAT score
  • Customized information security education and awareness training materials
  • Highlighted the opportunity to build upon existing tools to improve information security posture


  • HECVAT review and advice
  • Information security services and operations advisory services
  • Information security education and awareness advisory services


  • Higher education information security strategy and best practices
  • Information security education and awareness best practices
  • Information security certifications
  • Client: Confidential Technology Client
  • Location: United States
  • Market: Corporate
  • Project: Third-Party Risk Assessment Response