Technology Acquisition Reviews (TAR) are required to ensure compliance with CSU policy and SF State practice directives for data and system protection, and to reduce the risk of data breaches resulting in: harm to CSU, individuals or intellectual property rights; and any associated legal/reputational penalties.
All technology must be deployed in a manner that meets the following requirements. IT Provider, Security, and Accessibility reviews identify additional requirements as applicable.
- Networked devices must meet CSU Common Network Infrastructure (CNI) standards.
- Use in-transit and at-rest encryption for all sensitive data.
- Authorization and access control must be managed for all sensitive data and in accordance with existing centralized identity and access management methods where possible (configured to use SF State’s Single Sign-On).
- The business reason for storing any confidential data must be documented, and a data retention schedule must be established and followed (e.g., how long the data will be kept, how it will be destroyed, etc.).
- Maintain university ownership by using SF State credentials to register and manage Cloud/Internet service accounts.
- Install security updates and patches provided by the manufacturer as soon as reasonable, based on severity (and after adequate testing).
- Meet requirements of Accessible Technology Initiative.
- Do not store or transmit protected University data using services hosted by third parties which do not have a contract in place with the campus or its Auxiliaries, such as personal cloud accounts.
- Do not sign up for or accept terms of service/use for a cloud service without first obtaining prior approval from Procurement, even if the service is no cost.
Exception Process – Risk Acceptance
In limited cases when information security compliance cannot be met during an acquisition or implementation, the Information Security Office will work with the requestor to put in place a risk acceptance form. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk (an AVP level or above depending upon the issue) and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.
Integrated California State University Administrative Manual (ICSUAM)
Section 8000 - Information Security
- 8040 Managing Third Parties
- 8055 Change Control
- 8060 Access Control
- 8065 Asset Management
- 8075 Information Security Incident Management
- 8085 Business Continuity and Disaster Recovery
- Section 5000 - Contracts and Procurement
CSU Accessible Technology Initiative (ATI)
SF State Practice Directives