Documentation is used to initially identify critical technology candidates and demonstrates compliance with State requirements. The submitter will upload any attachments using the TAR form or via the ticketing system.
Additional Documents
A VPAT, or Voluntary Product Accessibility Template, is a self-assessment document completed by a vendor that provides relevant information on how their product or service claims to conform to Accessibility Standards.
The vendor will be asked to provide one of the following cloud security assessment documents:
- A current SSAE-16 SOC 2 Type II (or equivalent third-party audited security standard).
- A current Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ).
- A current industry-recognized security certification or accreditation (e.g., FedRAMP authorized, ISO270xx, etc.).
- The Higher Education Cloud Vendor Assessment Tool (HECVAT).
Depending on the type of data being stored in the cloud solution, only one of the documents identified in the table below is necessary to meet the requirement.
Type of documentation accepted, by data classification:

Data Classification | SOC 2 Type II | ISO 270xx Certification | FedRAMP Authorized | HECVAT Full | HECVAT Lite | Other CSA CAIQ, or TAR questionnaire
---|---|---|---|---|---|---
Level 1 | x | x | x | x | | x
Level 2 – high record count | x | x | x | x | | x
Level 2 – small record count | x | x | x | | x | x
Public | x | x | x | | | x
For more information see:
ICSUAM 8065.S003 Information Security Asset Management – Cloud Storage & Services
A risk acceptance form is used to document non-compliance with CSU policy. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.