HECVAT Explained

What is HECVAT?

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a standardized questionnaire that colleges and universities use to assess the security, privacy, and compliance posture of third-party vendors. It is distributed as a spreadsheet workbook in which each assessment area is a separate tab; the sections below walk through those tabs and what each one helps institutions evaluate about vendor risk.


Explore the areas of the HECVAT assessment

Organization

This tab focuses on the vendor organization's governance, documentation, and operational maturity.

It covers business continuity planning, disaster recovery capabilities, and independent audit reports such as SOC 2.

Questions examine security framework conformance, architecture documentation, privacy policies, and employee onboarding/offboarding procedures.

The tab also addresses third-party risk management, including security assessments and contractual protections.

Product

This tab evaluates the security features and data handling capabilities built into the product itself.

It focuses on authentication: single sign-on (SSO) support, password policies, and participation in identity federations such as InCommon.

Questions address authorization controls, audit logging, and whether passwords are securely stored rather than hard-coded or in plaintext.

The tab examines how the product manages user accounts, enforces access controls, and maintains security audit trails.

Infrastructure

This tab examines the technical security architecture and infrastructure controls of the solution.

It covers cloud-based offerings, network security components like web application firewalls and intrusion detection systems, and vulnerability management practices.

Questions address access controls, whether operating systems are kept current with patches, security testing of application code, and physical datacenter security measures.

The tab also explores incident handling procedures and separation of duties for security administration.

IT Accessibility

This tab evaluates the accessibility features and compliance of the solution's interface for users with disabilities.

It focuses on adherence to WCAG 2.1 AA standards and the availability of Voluntary Product Accessibility Templates (VPAT) or Accessibility Conformance Reports (ACR).

Questions address the vendor's commitment to maintaining accessibility standards through contractual agreements.

The tab also covers the vendor's processes for reporting, tracking, and resolving accessibility issues.

Case-Specific

This tab addresses specialized compliance requirements and deployment scenarios specific to particular use cases.

It covers HIPAA compliance for protected health information, PCI DSS standards for payment card data, and consulting services arrangements.

Questions examine whether the solution requires on-premises appliances, consultant access to institutional networks, and data handling training for sensitive information.

AI

This tab focuses on artificial intelligence features and capabilities within the solution, including machine learning and large language models.

It covers AI risk management, responsible AI training, and governance policies for AI implementation.

Questions address how AI features can be controlled, disabled, and monitored for security risks.

The tab also examines data protection measures to prevent sensitive information from being ingested by AI models.

Privacy

This tab comprehensively addresses data privacy requirements across multiple regulatory frameworks including FERPA, GDPR, PIPL, CCPA, and HIPAA.

It examines how the solution processes personal and institutional data, including AI-related privacy considerations.

Questions cover where vendor staff who handle institutional data are located, data residency, privacy notices, and privacy-specific policies and procedures.

The tab also addresses privacy change management and the handling of sensitive data by third parties.

What you need to know

Community-Developed by Higher Education Leaders

HECVAT was created by leaders in higher education in collaboration with EDUCAUSE, Internet2, and REN-ISAC. EDUCAUSE serves as the hosting organization and holds the copyright, but the questionnaire content is developed and maintained by security professionals from participating colleges and universities through volunteer working groups, making it truly community-driven.

Major Evolution from Version 3 to Version 4

HECVAT 4 rolls the Full, Lite, and On-Prem questionnaires into one unified file, streamlining vendor assessments. Version 4 adds AI-specific questions and privacy questions developed by a higher education privacy working group. The redesign eliminates redundant questions and introduces customizable institution evaluation tabs, allowing schools to tailor assessments to their specific risk requirements.

Nine Years of Continuous Improvement Since 2016

First released in 2016, HECVAT has evolved significantly. In 2019, the "Cloud" in its name became "Community" to reflect its broader scope. Version 3.0 in 2021 brought major question revisions and a new focus on accessibility. HECVAT 4, launched in early 2025, is the most comprehensive update yet, with expanded privacy frameworks and AI evaluation capabilities addressing modern security challenges.

Expanding Beyond Higher Education

While HECVAT was designed specifically for colleges and universities, K-12 school districts have adapted it through the K-12CVAT tool, which is based on HECVAT Lite. Research institutions and some educational nonprofits have also adopted it. The standardized framework appeals to educational organizations that need efficient vendor risk management without building custom questionnaires from scratch.

Complementary to SOC 2 and ISO 27001

HECVAT covers many of the same topics as SOC 2, NIST, and ISO frameworks, such as encryption, backups, and security controls. While a SOC 2 report requires third-party attestation and ISO 27001 provides certification, HECVAT is a vendor self-assessment focused on higher education requirements. Vendors that hold these certifications still complete HECVAT to address institution-specific concerns such as FERPA compliance.

Free and Openly Available to All

EDUCAUSE makes HECVAT 4 available to colleges and universities at no cost and without further license. Institutions may modify it to suit their nonprofit needs and missions. Vendors may use HECVAT 4 in connection with their college and university business relationships at no cost. This free, open approach has driven widespread adoption, with over 180 institutions and nearly 200 vendor products assessed.