Technology Acquisition Review

Submissions for this form are closed.

Overview

SF State technology acquisitions, whether purchased or obtained at no cost (including free software), are reviewed for accessibility and information security/privacy compliance prior to acquisition. Where the technology is new and may require some level of support from a campus IT Operations team, the reviews also include analysis to determine:

  • support and service models;
  • potential integrations that may be needed with other systems or data;
  • if there is existing similar technology already in use on campus to prevent redundant costs;
  • IT process alignment;
  • and any timing or scheduling constraints.

Technology acquisition reviews (TARs) are used to:

  • reduce IT costs;
  • meet compliance requirements with CSU policies and SF State practice directives for data and system protection and accessibility; and
  • reduce the risk of data breaches that result in harm to CSU, to individuals, or to intellectual property rights, and any associated legal/reputational penalties.

Pre-approved technology does not require a TAR and should be used whenever possible as Information Security and Accessible Technology Team reviews have been completed for those items.

Technology requests which have not been pre-approved must use the Review request form. Work with your IT provider prior to submission when possible to ensure the form is as detailed as possible to avoid requests for additional information. Requested technology can move forward for purchase once all reviews have been approved (general IT, security, and accessibility).

If you have any questions or need assistance, open a Service Request.

TAR Process

NOTE: Extra reviews/approvals required before submitting a TAR. If your proposed solution or service involves any of the following components, reach out to the respective business areas before submitting the TAR, obtain written approval from them, and submit that approval with the TAR request. This will help us process your request faster.

  1. Any TAR that collects money needs Fiscal Affairs / Bursar approval.
  2. Any TAR that involves marketing, branding, advertising, and social media needs approval from Strategic Marketing and Communications. Please contact AVP Mary Kenny and cc: Barbara Stein.

NOTE: Any TAR that involves purchasing drone technology needs approval from the University Uncrewed Aircraft Vehicle Review Board (UARB) after purchase. It is up to the requestor to contact the UARB for permission to use the drone.

Prior to acquisition all technology products and associated technology and/or services purchased or obtained at no cost, including free software, must be reviewed for IT Operations support, accessibility, and information security/privacy compliance.

  1. Check the pre-approved list and use pre-approved technology where possible.
  2. The SF State faculty or staff member who is most knowledgeable about the technology completes and submits the form with assistance from IT support staff if necessary. The more detailed information received, the quicker the review can be completed.
  3. Security and Accessibility review requests are tracked using service request tickets.
    • Requestor provides requested documentation and responds to additional questions.
    • Campus IT Operations teams review the request to determine the support and service level models needed, integrations, and IT process alignment, and to identify potentially redundant technology and any timing constraints. This is the first level of review; its approval is needed before the request is submitted for security/privacy or accessibility reviews.
    • Information Security team members determine if supplemental IT contractual terms are needed.
    • Accessible Technology team members determine compliance with ATI policy.
    • Security and Accessibility tickets are updated to indicate if approved or not approved.
  4. Requesting department provides review information to Procurement or Accounts Payable as applicable.

Compliance

TARs are required to ensure compliance with CSU policy and SF State practice directives for data and system protection, and to reduce the risk of data breaches that result in harm to CSU, to individuals, or to intellectual property rights, and any associated legal/reputational penalties.

Deployment Requirements

All technology must be deployed in a manner that meets the following requirements. Security and accessibility reviews identify additional requirements as applicable.

  1. Networked devices must meet CSU Common Network Infrastructure (CNI) standards.
  2. Use in-transit and at-rest encryption for all sensitive data.
  3. Authorization and access control must be managed for all sensitive data and in accordance with existing centralized identity and access management methods where possible (configured to use SF State's single sign-on).
  4. The business reason for storing any confidential data must be documented, and a data retention schedule must be established and followed (e.g., how long the data will be kept, how it will be destroyed, etc.).
  5. Maintain university ownership by using SF State credentials to register and manage Cloud/Internet service accounts.
  6. Install security updates and patches provided by the manufacturer as soon as reasonable, based on severity (and after adequate testing).
  7. Meet requirements of Accessible Technology Initiative.
  8. Do not store or transmit protected University data using services hosted by third parties which do not have a contract in place with the campus or its Auxiliaries, such as personal cloud accounts.
  9. Do not sign up for or accept terms of service/use for a cloud service without first obtaining prior approval from Procurement, even if the service is no cost.

Pre-approved technology

Pre-approved technology does not require a TAR. Pre-approved technologies are low risk or have already completed Information Security and Accessible Technology Team reviews. The list is reviewed and updated frequently. To request an addition to the pre-approved list, please open a Service Request. Last update 5/1/2019.

Web applications and cloud services

Pre-approved campus standard cloud technology should be used where it provides equivalent functionality. Exception requests to use a non-standard cloud technology require a documented business reason why the campus provided standard technology cannot be used, and should be documented in the TAR. The cloud computing services listed below have been pre-approved:

Digital content

Copyrighted information assets purchased for SF State use, such as:

  • Fonts
  • Images
  • Music
  • Photographs
  • Text-based information/data
  • Video-based information/data

Each purchaser is responsible for retaining proof of sale and/or licensing agreement information associated with the purchase of copyrighted materials for as long as the digital content is used/stored.

What is copyright?

Copyright Policy

Software

Contact campus IT support to obtain the following software at low or no cost:

  • Adobe (Acrobat DC Pro, Photoshop, and other tools)
  • Dragon Dictate and Naturally Speaking
  • Mathematica
  • Matlab
  • McAfee Anti-virus software
  • Microsoft Office 365 (full client) - Access, Excel, Outlook, PowerPoint, Publisher, Word, Defender
  • Microsoft Project
  • Microsoft Visio
  • Microsoft Windows Operating System / MacOS
  • Minitab
  • Qualtrics
  • SAS
  • SPSS

Hardware, equipment, and supplies

For tablets, laptops, and desktop computers - see Apple, Android, Dell, and Microsoft. Acquisition of 20 or more computers or tablets requires a TAR unless ordered as a part of the annual campus refresh.

  • Adapters
  • Batteries
  • Cables
  • Cameras and video cameras (does not include security, monitoring, or surveillance cameras) (refer to Confidential Data Policies/Practices and Guidelines)
  • Compact Disks and tapes (refer to Confidential Data Policies/Practices and Guidelines)
  • Digital voice recorders (refer to Confidential Data Policies/Practices and Guidelines)
  • Displays
  • Docking Stations
  • DVD players/Blu-Ray players
  • Hard drives (refer to Confidential Data Policies/Practices and Guidelines)
  • Headphones and headsets
  • Input devices (e.g. mice, trackballs, track pads, Apple Pencils, Microsoft Pens and keyboards)
  • Label maker/label printer - Brother
  • Memory (RAM)
  • Monitors – aligned with campus standards, current model is: Dell Ultrasharp 24
  • Network equipment peripherals, such as: cables, port adapters, stand-alone power supplies (not network connected)
  • Port replicators
  • HP Printer models: M402dne, M477fnw, M452dn, M608dn, M652dn
  • Scanners
  • Smart TVs - Samsung brand. These may not be connected to the SF State network. Installation of equipment purchased must be managed as part of a pre-approved project.
  • Sound cards
  • Speakers
  • Televisions without Wi-Fi, Internet, or network connections
  • Uninterruptible Power Supplies (UPS)
  • USB drives (Note: these are not approved for storing Level 1 and Level 2 data. Special encrypted flash drives are required, along with approved procedures for proper management. Reach out to security@sfsu.edu for more guidance.)
  • USB hubs
  • Video cards
  • Xerox WorkCenter devices (Managed Print Program) – Printers used to print Level 1 or Level 2 data would still require a TAR

Tablets, laptops, and desktop computers – the below items are not pre-approved for storing Level 1 data without additional security controls. If in doubt whether or not Level 1 data may be involved, please submit a TAR.

  • Apple iPad and iPod
  • Apple MacBook, MacBook Pro, MacBook Air, iMac
  • Android tablets
  • Dell Latitude 7000, Precision 5000, Optiplex 7000
  • Microsoft Surface tablets

Maintenance and renewals

TAR reviews are not needed for maintenance or renewals where:

  1. The scope of deployment and the technology and/or technology services have not changed.
  2. There are no changes to functionality or capabilities, regardless of whether they are turned on or not.
  3. Replacement parts are the same or similar to the part being replaced.

It is necessary to provide Procurement or Accounts Payable with the original approved TAR service request number. If you need help locating a previously-approved TAR, please open a Service Request.

Mandatory Technology Reviews

TAR reviews are always required for the following items:

  1. Drones
  2. Domain Registration Services (initial requests and renewals) – this is for tracking and compliance reasons.

Frequently Asked Questions

Is a review needed?

Is a review needed if another campus unit has an approved TAR?

Yes, a review is needed even if another department has an approved TAR, unless the product or service is on the pre-approved list. Adding more users may change the support model, accessibility impact, and/or security risk. Prior reviews can expedite new TAR reviews. Please reference the previously approved TAR in the notes section of the form. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.

Is a review needed if the technology is already used at another CSU campus?

Yes, a review is needed even if another CSU campus has already acquired the technology. The Information Security and Accessibility teams review copies of contracts from other campuses to help expedite TAR reviews. Submit the TAR form with any supporting documentation you have, such as emails or another campus' Higher Education Cloud Vendor Assessment Tool (HECVAT).

Is a review needed if the technology has an existing system-wide agreement?

Yes, a review is needed even if there is an existing agreement with the Chancellor’s Office. Prior Information Security and Accessibility reviews, links to CSYou Contract Store documents, and copies of contracts help expedite TAR reviews. Submit the TAR form with any supporting documentation you have, such as emails, another campus’ Higher Education Cloud Vendor Assessment Tool (HECVAT), or a contract.

Is a review needed if I am the only user of the technology?

Yes, a review is needed even if the technology is used by only one employee, unless it’s for online instruction of 20 or fewer employees. Technology that stores or processes sensitive data or connects to the campus network may impact other software on laptops/desktop computers or could pose a security risk. Technology used to create or manage information can introduce accessibility barriers for other individuals. In addition, the TAR process helps centrally collect and manage the campus IT software and services inventory to demonstrate compliance with software licensing requirements. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.

Is a review needed for Amazon Mechanical Turk Credits or Qualtrics Panels?

No, a TAR is not needed for Amazon Mechanical Turk or Qualtrics Panels. Acquisition of these services should be coordinated with Procurement and Support Services.

How often is a review needed for a monthly subscription?

Monthly subscriptions require annual review, unless otherwise noted, but may not require a full TAR submission. Check with security@sfsu.edu if you are not sure.

What if there are changes to scope or nature of deployment following review?

If the scope or nature of deployment changes, please submit another TAR. An example of scope change is expanding the technology to more users. An example of the nature of deployment changing is changing a workflow to collect confidential data elements that weren’t being collected previously.

Completing the form

Who should complete the form?

The requestor (contact) should be the SF State faculty or staff member who is most knowledgeable about the technology being reviewed. Some of the questions are technical and may require consulting the vendor or Campus IT support.

How can I get help completing the form?

Contact Campus IT Support or your Campus IT Operations Team to request assistance completing the TAR form.

What do I do if I don’t know the answer to a question on the form?

All questions must be answered accurately before a review can be completed. If a question is not answered, the highest possible risk will be assumed. Contact the vendor or Campus IT support to obtain assistance completing the TAR form.

How do I see my tickets?

Visit https://sfsu.service-now.com/ and log in using your SF State ID and password. After logging in, your requests will be listed and can be selected to review details.

Who do I contact with questions?

If you have questions contact the ITS Service Desk or open a Service Request.

Review process

How can I find out the status of a review?

There are three ways to find out the status of a review:

  1. The requestor, Procurement, or Campus IT Support staff can log in to the Service Request System (https://sfsu.service-now.com/) and look up the status.
  2. The requestor can review previously received ticket email messages.
  3. Contact the ITS Service Desk or open a Service Request.

How far ahead should I request a TAR review?

TAR reviews should be requested at least two weeks before the acquisition needs to occur. If contractual terms are required, additional time may be needed for vendor negotiation. TAR reviews can be requested in advance to minimize acquisition delays.

I am planning an IT project. Can I get an early review?

Yes, IT Operations, Information Security, and Accessible Technology team members are available to assist during the project planning phase. Assistance is available to ensure Requests for Proposals (RFPs) include necessary technology, operational, and integration requirements, information security and privacy requirements, accessibility requirements, and associated contract terms.

If you have questions contact the ITS Service Desk or open a Service Request.

How long does a TAR review take?

The amount of time the review takes depends on the complexity of the acquisition. Simple acquisitions are often approved within two days. Complex requests are usually completed within two weeks. Requests that take more than one week will receive a weekly update.

Why can’t I use Dropbox, iCloud, Google Drive, and SurveyMonkey?

In response to a CSU audit, a Cloud Computing Practice Directive went into effect to define campus cloud service standards as well as procedures on how to request an exception to acquire a non-standard cloud service. Campus IT support is available to help and assist migrating to campus standard solutions.

Documentation

How can I add supporting documentation?

Navigate to your TAR in the Ticketing System and upload any attachments.

What is a VPAT?

A VPAT, or Voluntary Product Accessibility Template, is a self-assessment document completed by a vendor that provides relevant information on how their product or service claims to conform to Accessibility Standards.

What vendor documents are needed for cloud computing acquisitions that store data?

The vendor will be asked to provide one of the following cloud security assessment documents:


What are the criteria for deciding which form can be used for a Cloud security assessment?

Based upon the type of data being stored in the cloud solution, only one of the following documents identified in the table below is necessary to meet the requirement.

DATA CLASSIFICATION             TYPE OF DOCUMENTATION ACCEPTED (one of the marked documents is sufficient)
                                SOC 2 Type 2   ISO 270xx Certification   FedRAMP Authorized   HECVAT Full   HECVAT Lite   Other: CSA CAIQ or TAR questionnaire
Level 1                         x              x                         x                    x                           x
Level 2 – high record count     x              x                         x                    x                           x
Level 2 – small record count    x              x                         x                                  x             x
Public                          x              x                         x                                                x

For more information see: ICSUAM 8065.S003 Information Security Asset Management – Cloud Storage & Services

What is a risk acceptance form?

A risk acceptance form is used to document non-compliance with CSU policy. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.

Contracts

What are supplemental IT contract terms?

Supplemental IT contractual terms are CSU boilerplate contractual language that is edited as applicable to the technology deployment scope. The Information Security team determines if the acquisition requires a contract to protect the CSU liability. The applicable terms should be forwarded to Procurement and Support Services to determine the best way to proceed.

How do I proceed if supplemental IT contractual terms are required?

If you have already submitted a requisition, forward the Master ticket to Procurement. If you were planning to use a P-card, contact Procurement and Support Services to determine the best way to proceed.

How are contracts prepared and negotiated?

Contact Procurement and Support Services for assistance preparing and negotiating contracts.

What if the vendor does not agree with SF State contractual terms?

The vendor can edit the draft contract with tracking enabled and identify the areas of disagreement or concern. The edited draft contract should be returned to Procurement and Support Services, who coordinates vendor contract negotiations.
