Kean University – Office of Information Technology / Information Security
Quick Start
- Contact the vendor and request their SOC 2 Type II report and/or HECVAT.
- Submit an Application Approval Request and upload all documents.
- Wait for OIT’s review before Procurement proceeds.
Important: OIT will not contact vendors. You must obtain all SOC 2 / HECVAT documentation directly.
Table of Contents
- Which Form Should I Use?
- Workflow Diagram
- How to Submit the Request
- SOC 2 vs. HECVAT
- Common Issues
- FAQs
- Glossary
- Related Resources
- Feedback
Which Form Should I Use?
Use Application Approval Request if:
- You are purchasing or renewing software
- The vendor will store, process, or transmit Kean data
- A security review is required
Use Application Installation Request if:
- The software is already approved
- You only need it installed on your device
Application Approval:
https://helpdesk.kean.edu/support/catalog/items/183
Application Installation:
https://helpdesk.kean.edu/support/catalog/items/109
Workflow Diagram
1. User contacts vendor → 2. Vendor provides SOC 2 / HECVAT → 3. User submits Freshservice request → 4. OIT reviews documents → 5. Approval result sent → 6. Procurement continues process
Vendor Request Email Template (Copy & Paste)
Use the following template to request security documentation from vendors:
Email Template
Hello, Kean University is conducting a standard security review as part of our procurement and vendor risk management process. To proceed, we require security documentation for your product/service. Please provide the following: 1. Your most recent SOC 2 Type II report (preferred), or 2. A completed HECVAT (Lite or Full), and 3. Any additional security documentation you typically provide (e.g., penetration test summaries, ISO certifications, data protection overviews, or security whitepapers). These documents can be shared directly via email or a secure download link. If you have any questions, please let us know. Thank you, [Your Name] Kean University
Required Documents
- SOC 2 Type II report
- HECVAT (Lite or Full)
- Additional security documentation
- Vendor contact information
- Intended use description
- Data classification (if known)
How to Submit the Request
- Collect SOC 2 / HECVAT from vendor.
- Open the Application Approval Request.
- Provide:
- Vendor Name
- Product / Service Name
- Business justification
- Data type involved
- Vendor contact information
- Upload all documents.
- Submit the request.
SOC 2 vs. HECVAT
| Document | Provided By | What It Covers | When Needed |
|---|---|---|---|
| SOC 2 Type II | Vendor | Audit of security and confidentiality controls | Preferred when vendor stores Kean data |
| HECVAT Lite | Vendor | Simplified security questionnaire | Low-risk vendors |
| HECVAT Full | Vendor | Detailed security assessment | High‑risk or sensitive data |
Common Issues
- No SOC 2 attached → OIT cannot begin review.
- Wrong form used → Must use Application Approval.
- Insufficient business justification → Add use‑case.
- Files too large → Upload via OneDrive and share link.
Frequently Asked Questions
Do I request SOC 2 / HECVAT or does OIT?
You must request all documents from the vendor.What if the vendor refuses?
Submit the ticket; OIT will determine alternatives.How long does review take?
5–10 business days, or 10–20 for complex vendors.Glossary
- SOC 2: External security audit report.
- HECVAT: Higher education vendor questionnaire.
- Vendor Security Review: OIT evaluation of vendor risk.
Related Resources
- Kean University Data Classification Standard
- IT Security Policies
- Procurement Guidelines
Was This Article Helpful?
Submit corrections or improvements via the Information Security category in Freshservice.