Technology Acquisition Review (TAR) Guide


About Technology Acquisition Reviews (TARs)

A Technology Acquisition Review (TAR) is completed before information technology is acquired. The TAR includes an Information Security and Accessibility review. The TAR procedure was developed in response to a 2016 Cloud Computing audit conducted by the Chancellor’s office that identified the need to assess risk whenever technology is acquired. To ensure appropriate safeguards, SF State must determine if any CSU Supplemental IT Procurement Provisions are required. To expedite the acquisition of software, services, or hardware needed by members of the campus community, a preapproved list of technology not needing review is available. If the acquisition is not on the preapproved list, a TAR request must be submitted. The request will define:

  • What technology is being reviewed
  • Who will use the technology
  • How the technology will be used
  • Whether the technology will access or store sensitive data

A TAR will automatically prompt the campus accessibility and security teams to review the technology for compliance.

Who can make a TAR Request

TAR requests can be made by current SF State faculty or staff. The requestor (contact) should be the individual who is most knowledgeable about the technology being reviewed.

When to make a TAR request

All technology acquisitions and renewals must be reviewed for accessibility and security compliance prior to acquisition. Monthly subscriptions require annual review. Note: Technologies listed on the preapproved list do not require review.

How to complete a TAR Request

  1. Review the preapproved list shown at the top of the TAR form to check if review is required.
  2. Complete the TAR form at: https://tech.sfsu.edu/content/technologyprocurementrequest.
  3. After submitting the form, the requestor will receive three separate e-mail messages, each corresponding to a ticket, as follows:
    • Master ticket. Links the Accessibility and Security review tickets. Used by Procurement and Accounts Payable to determine if reviews are complete.
    • Accessibility review ticket. Accessibility reviews are completed by the Accessible Technology Team.
    • Security review ticket. Security reviews are completed by the Information Security Team.
  4. During the review the Security and Accessibility teams may ask questions sent through the ticketing system. The requestor must respond to the questions for the review to proceed.
  5. The master ticket status will be updated to Resolved when security and accessibility reviews are complete. The Resolution code will indicate Resolved/Completed if the acquisition is approved. IT Supplemental procurement conditions will be listed if required. If the ticket status indicates Requires Customer Information, the reviewer requires additional information from the requestor to complete the review.

The amount of time the review takes depends on the complexity of the acquisition. Requests will receive a response within one week.

Dropbox, iCloud, Google Drive and SurveyMonkey users

On February 3, 2017, a Cloud Computing Practice Directive went into effect to define campus cloud service standards along with procedures on how to request an exception to acquire a non-standard cloud service.

To assist departments transitioning to Box and Qualtrics, existing Dropbox, iCloud, Google Drive and SurveyMonkey subscriptions can be renewed until February 3, 2018.

Campus IT support is available to help migrate existing services and data to Box or Qualtrics.

Are TAR reviews required for renewals?

TAR reviews do not need to be requested for maintenance, support, repairs, or renewals where the following conditions are met:

  • A TAR was submitted for the initial review
  • The scope of deployment has not changed
  • There are no changes to functionality
  • The manufacturer continues to provide security updates that have been applied
  • Replacement parts are the same or similar to the part being replaced

Please submit the original TAR to accounts payable and indicate there has been no change to the deployment of this technology since the last review.

Changes to scope or nature of deployment following review

If the scope or nature of deployment changes, please submit another TAR. An example of scope change is the expansion of a pilot to a larger population. An example of the nature of deployment changing is expanding a workflow form to now include confidential data elements.

Acquisitions needing supplemental IT contractual terms

If a TAR identifies that IT Supplemental procurement conditions are needed, the requestor should contact procurement to determine how best to proceed with the acquisition. If a preapproved campus standard technology provides equivalent functionality, it should be used.

Technology Acquisition Review Statuses and Resolution Codes

Each service request uses a status to track its progress. When a service request is completed, a resolution code is used to indicate if a request was approved, not-approved, cancelled, or if the customer did not respond.

  • A status of Requires Customer Information means that the review requires additional information from the requestor to complete the review.
  • A status of Resolved indicates the review is complete and the resolution code should be reviewed to determine if it was approved.
    • Resolved with resolution code of Resolved/Completed on Master ticket means security and accessibility reviews are complete and the acquisition can proceed.
    • Resolved with resolution code of Other on Master ticket means either the security or accessibility review has not been approved for acquisition – the reason it could not be completed and why the acquisition cannot proceed will be shown in the description of the ticket.

Preapproved IT acquisitions

The preapproved list has moved to the TAR form.