Specifications include, but are not limited to: Campus IT environments are rapidly changing and the speed of cloud service adoption is increasing. Institutions looking for ways to do more with less see cloud services as a good way to save resources. As campuses deploy or identify cloud services, they must ensure the cloud services are appropriately assessed for managing the risks to the confidentiality, integrity and availability of sensitive institutional information and the PII of constituents. Many campuses have established a cloud security assessment methodology and resources to review cloud services for privacy and security controls. Other campuses don’t have sufficient resources to assess their cloud services in this manner. On the vendor side, many cloud services providers spend significant time responding to the individualized security assessment requests made by campus customers, often answering similar questions repeatedly. Both the provider and consumer of cloud services are wasting precious time creating, responding, and reviewing such assessments. The Higher Education Cloud Vendor Assessment Tool (HECVAT) attempts to generalize higher education information security and data protection questions and issues for consistency and ease of use. Some institutions may have specific issues that must be addressed in addition to the general questions provided in this assessment. It is anticipated that this HECVAT will be revised over time to account for changes in cloud services provisioning and the information security and data protection needs of higher education institutions. The Higher Education Cloud Vendor Assessment Tool: ● Helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, including some that are unique to higher education ● Allows a consistent, easily-adopted methodology for campuses wishing to reduce costs through cloud services without increasing risks ● Reduces the burden that cloud service providers face in responding to requests for security assessments from higher education institutions The HECVAT was created by the Higher Education Information Security Council Shared Assessments Working Group. Its purpose is to provide a starting point for the assessment of third-party provided cloud services and resources. Over time, the Shared Assessments Working Group hopes to create a framework that will establish a community resource where institutions and cloud services providers will share completed Higher Education Cloud Vendor Assessment Tool assessments. https://www.educause.edu/hecvat https://www.ren-isac.net/hecvat (C) EDUCAUSE 2018 This work is licensed under a Creative Commons Attribution-Noncommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). This Higher Education Cloud Vendor Assessment Tool is brought to you by the Higher Education Information Security Council, and members from EDUCAUSE, Internet2, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).