Documentation - Technology Acquisition Review

Documentation is used to initially identify critical technology candidates and to demonstrate compliance with State requirements. The submitter will upload any attachments using the TAR form or via the ticketing system.

Additional Documents

A VPAT, or Voluntary Product Accessibility Template, is a self-assessment document completed by a vendor that provides relevant information on how their product or service claims to conform to Accessibility Standards.

The vendor will be asked to provide one of the following cloud security assessment documents:

Based on the type of data being stored in the cloud solution, only one of the documents identified in the table below is necessary to meet the requirement.

Type of data by classification and type of documentation
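Columns to the right of the data classification list the type of documentation accepted.

| Data Classification | SOC 2 Type 2 | ISO 270xx Certification | FedRAMP Authorized | HECVAT Full | HECVAT Lite | Other CSA CAIQ, or TAR questionnaire |
|---|---|---|---|---|---|---|
| Level 1 | x | x | x | x | | x |
| Level 2 – high record count | x | x | x | x | | x |
| Level 2 – small record count | x | x | x | | x | x |
| Public | x | x | x | | | x |
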

For more information see: 

ICSUAM 8065.S003 Information Security Asset Management – Cloud Storage & Services

A risk acceptance form is used to document non-compliance with CSU policy. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.