SF State technology acquisitions, whether purchased or obtained at no cost (including free software), are reviewed for accessibility and information security/privacy compliance prior to acquisition. In cases where the technology is new and may require some level of support from a campus IT Operations team, the reviews will also include analysis to determine:
- support and service models;
- potential integrations that may be needed with other systems or data;
- if there is existing similar technology already in use on campus to prevent redundant costs;
- IT process alignment;
- and any timing or scheduling constraints.
Technology acquisition reviews (TARs) are used to:
- reduce IT costs;
- meet compliance requirements with CSU policies and SF State practice directives for data and system protection and accessibility; and
- reduce the risk of data breaches resulting in: harm to CSU, individuals or intellectual property rights; and any associated legal/reputational penalties.
Pre-approved technology does not require a TAR and should be used whenever possible as Information Security and Accessible Technology Team reviews have been completed for those items.
Technology requests which have not been pre-approved must use the Review request form. Work with your IT provider prior to submission when possible to ensure the form is as detailed as possible to avoid requests for additional information. Requested technology can move forward for purchase once all reviews have been approved (general IT, security, and accessibility).
If you have any questions or need assistance, open a Service Request.
NOTE: Extra reviews/approvals required before submitting a TAR: if your proposed solution or service involves any of the following components, please reach out to the respective business areas prior to submitting the TAR and obtain written approval from them, which should then be submitted with the TAR request. This will help us process your request faster.
- Any TAR that collects money needs Fiscal Affairs / Bursar approval.
- Any TAR that involves marketing, branding, advertising, and social media needs approval from Strategic Marketing and Communications. Please contact AVP Monique Beeler and cc: Barbara Stein.
NOTE: Any TAR that involves purchasing drone technology needs approval from the University Uncrewed Aircraft Vehicle Review Board (UARB) after purchase. It is up to the requestor to contact the UARB for permission to use the drone.
Prior to acquisition, all technology products and associated technology and/or services purchased or obtained at no cost, including free software, must be reviewed for IT Operations support, accessibility, and information security/privacy compliance.
- Check the pre-approved list and use pre-approved technology where possible.
- The SF State faculty or staff member who is most knowledgeable about the technology completes and submits the form with assistance from IT support staff if necessary. The more detailed information received, the quicker the review can be completed.
Security and Accessibility review requests are tracked using service request tickets.
- Requestor provides requested documentation and responds to additional questions.
- Campus IT Operations teams review to determine support and service level models needed, integrations, and IT process alignment, and to reduce potential redundant technology and any timing constraints. This will be the first level of review and approval is needed before the request is submitted for security/privacy or accessibility reviews.
- Information Security team members determine if supplemental IT contractual terms are needed.
- Accessible Technology team members determine compliance with ATI policy.
- Security and Accessibility tickets are updated to indicate if approved or not approved.
- Requesting department provides review information to Procurement or Accounts Payable as applicable.
TARs are required to ensure compliance with CSU policy and SF State practice directives for data and system protection, and to reduce the risk of data breaches resulting in: harm to CSU, individuals or intellectual property rights; and any associated legal/reputational penalties.
All technology must be deployed in a manner that meets the following requirements. Security and accessibility reviews identify additional requirements as applicable.
- Networked devices must meet CSU Common Network Infrastructure (CNI) standards.
- Use in-transit and at-rest encryption for all sensitive data.
- Authorization and access control must be managed for all sensitive data and in accordance with existing centralized identity and access management methods where possible (configured to use SF State's single sign-on).
- The business reason for storing any confidential data must be documented, and a data retention schedule must be established and followed (e.g., how long the data will be kept, how it will be destroyed, etc.).
- Maintain university ownership by using SF State credentials to register and manage Cloud/Internet service accounts.
- Install security updates and patches provided by the manufacturer as soon as reasonable, based on severity (and after adequate testing).
- Meet requirements of Accessible Technology Initiative.
- Do not store or transmit protected University data using services hosted by third parties which do not have a contract in place with the campus or its Auxiliaries, such as personal cloud accounts.
- Do not sign up for or accept terms of service/use for a cloud service without first obtaining prior approval from Procurement, even if the service is no cost.
Integrated California State University Administrative Manual (ICSUAM)
Section 8000 - Information Security
- 8040 Managing Third Parties
- 8055 Change Control
- 8060 Access Control
- 8065 Asset Management
- 8075 Information Security Incident Management
- 8085 Business Continuity and Disaster Recovery
- Section 5000 - Contracts and Procurement
- Section 8000 - Information Security
CSU Accessible Technology Initiative (ATI)
- SF State ATI
SF State Practice Directives
- Confidential Data
- Cloud Computing
- Credit Card Payment Processing and PCI Security
- Logging and Threat Management
- Procurement Card & University Liability Cards
- Information Technology
Pre-approved technology does not require a TAR. Pre-approved technologies are low risk or have already completed Information Security and Accessible Technology Team reviews. The list is reviewed and updated frequently. To request an addition to the pre-approved list, please open a Service Request. Last update 1/30/2020.
Web applications and cloud services
Pre-approved campus standard cloud technology should be used where it provides equivalent functionality. Exception requests to use a non-standard cloud technology require a documented business reason why the campus provided standard technology cannot be used, and should be documented in the TAR. The cloud computing services listed below have been pre-approved:
- Box cloud storage - https://sfsu.box.com (replaces DropBox, iCloud, Amazon, Google drive)
- Qualtrics survey platform - https://sfsu.qualtrics.com (replaces SurveyMonkey and WuFoo)
- Zoom videoconferencing - https://sfsu.zoom.us (replaces GoToMeeting)
- Online instruction used by fewer than 20 employees
- Microsoft Office 365 Online (browser based) – Word, Excel, PowerPoint, Teams
  - Available on request only: Forms, Planner, Project, Power BI, and Flow
- Twitter https://twitter.com
- LinkedIn https://linkedin.com
- Indeed https://indeed.com
- ServiceNow https://sfsu.service-now.com
Copyrighted information assets purchased for SF State use, such as:
- Text-based information/data
- Video-based information/data
Each purchaser is responsible for retaining proof of sale and/or licensing agreement information associated with the purchase of copyrighted materials for as long as the digital content is used/stored.
Contact campus IT support to obtain the following software at low or no cost:
- Adobe (Acrobat DC Pro, Photoshop, and other tools)
- Dragon Dictate and Naturally Speaking
- McAfee Anti-virus software
- Microsoft Office 365 (full client) - (Access, Excel, Outlook, PowerPoint, Publisher, Word, Defender)
- Microsoft Project
- Microsoft Visio
- Microsoft Windows Operating System / MacOS
Hardware, equipment, and supplies
- Cameras and video cameras (does not include security, monitoring, or surveillance cameras) (refer to Confidential Data Policies/Practices and Guidelines)
- Digital voice recorders (refer to Confidential Data Policies/Practices and Guidelines)
- DVD players/Blu-Ray players
- Hard drives (refer to Confidential Data Policies/Practices and Guidelines)
- Label maker/ label printer – Brother
- Monitors – aligned with campus standards, current model is: Dell Ultrasharp 24
- HP Printer models: M402dne, M477fnw, M454dn, M608dn, M652dn, M479, M404
- Scanners – check with your IT provider for a list of supported scanners. Scanners used to scan Level 1 or Level 2 data would still require a TAR
- Smart TVs - Samsung brand. These may not be connected to the SF State network. Installation of equipment purchased must be managed as part of a pre-approved project.
- Specialized scientific equipment that does not connect to or have the ability to connect to the campus network or wireless network
- Televisions without Wi-Fi, Internet, or network connections
- Xerox WorkCenter devices (Managed Print Program) – Printers used to print Level 1 or Level 2 data would still require a TAR
- Docking Stations
- Headphones and headsets
- Input devices (e.g. mice, trackballs, track pads, Apple Pencils, Microsoft Pens and keyboards)
- Memory (RAM); Memory Cards
- Network equipment peripherals, such as: cables, port adapters, stand-alone power supplies (not network connected)
- Port replicators
- Sound cards
- Uninterruptible Power Supplies (UPS)
- USB drives (Note: these are not approved for storing Level 1 and Level 2 data. Special encrypted flash drives are required, along with approved procedures for proper management. Reach out to email@example.com for more guidance.)
- USB hubs
- Video cards
- Compact Disks and tapes (refer to Confidential Data Policies/Practices and Guidelines)
Tablets, laptops, and desktop computers – the below items are not pre-approved for storing Level 1 data without additional security controls. If in doubt whether or not Level 1 data may be involved, please submit a TAR.
- Apple iPad and iPod
- Apple MacBook, MacBook Pro, MacBook Air, iMac
- Android tablets
- Dell Latitude E7200 2-in-1 (w/local IT approval), E7300, E7400, Precision 5530/5540, OptiPlex 7070, OptiPlex 7470 AIO
- Microsoft Surface tablets
TAR reviews are not needed for maintenance or renewals where:
- The scope of deployment and the technology and/or technology services have not changed.
- There are no changes to functionality or capabilities, regardless of whether they are turned on or not.
- Replacement parts are the same or similar to the part being replaced.
Mandatory Technology Reviews
TAR reviews are always required for the following items:
2. Domain Registration Services (initial requests and renewals) – this is for tracking and compliance reasons.
Is a review needed?
Is a review needed if another campus unit has an approved TAR?
Yes, a review is needed even if another department has an approved TAR, unless the product or service is on the pre-approved list. Adding more users may change the support model, accessibility impact, and/or security risk. Prior reviews can expedite new TAR reviews. Please reference the previously approved TAR in the notes section of the form. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.
Is a review needed if the technology is already used at another CSU campus?
Yes, a review is needed even if another CSU campus has already acquired the technology. Information Security and Accessibility reviews and copies of contracts from other campuses help expedite TAR reviews. Submit the TAR form with any supporting documentation you have, such as: emails, another campus' Higher Education Cloud Vendor Assessment Tool (HECVAT), etc.
Is a review needed if the technology has an existing system-wide agreement?
Yes, a review is needed even if there is an existing agreement with the Chancellor’s Office. Information Security and Accessibility reviews, links to CSYou Contract Store documents, and copies of contracts help expedite TAR reviews. Submit the TAR form with any supporting documentation you have, such as: emails, another campus’ Higher Education Cloud Vendor Assessment Tool (HECVAT), a contract, etc.
Is a review needed if I am the only user of the technology?
Yes, a review is needed even if used by one employee, unless it’s for online instruction of 20 or fewer employees. Technology that stores or processes sensitive data or connects to the campus network may impact other software on laptops/desktop computers or could have a security risk. Technology used to create or manage information can introduce accessibility barriers for other individuals. In addition, the TAR process helps centrally collect and manage the campus IT software and services inventory to demonstrate compliance with software licensing requirements. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.
Is a review needed for Amazon Mechanical Turk Credits or Qualtrics Panels?
No, a TAR is not needed for Amazon Mechanical Turk or Qualtrics Panels. Acquisition of these services should be coordinated with Procurement and Support Services.
How often is a review needed for a monthly subscription?
Monthly subscriptions require annual review, unless otherwise noted, but may not require a full TAR submission. Check with firstname.lastname@example.org if you are not sure.
What if there are changes to scope or nature of deployment following review?
If the scope or nature of deployment changes, please submit another TAR. An example of scope change is expanding the technology to more users. An example of the nature of deployment changing is changing a workflow to collect confidential data elements that weren’t being collected previously.
Completing the form
Who should complete the form?
The requestor (contact) should be the SF State faculty or staff member who is most knowledgeable about the technology being reviewed. Some of the questions are technical and may require consulting the vendor or Campus IT support.
How can I get help completing the form?
Contact Campus IT Support or your Campus IT Operations Team to request assistance completing the TAR form.
What do I do if I don’t know the answer to a question on the form?
All questions must be answered accurately before a review can be completed. If a question is not answered, the highest possible risk will be assumed. Contact the vendor or Campus IT support to obtain assistance completing the TAR form.
How do I see my tickets?
Visit https://sfsu.service-now.com/ and log in using your SF State ID and password. After logging in, your requests will be listed and can be selected to review details.
Who do I contact with questions?
If you have questions, contact the ITS Service Desk or open a Service Request.
How can I find out the status of a review?
There are three ways to find out the status of a review:
- The requestor, Procurement, or Campus IT Support staff can log in to the Service Request System (https://sfsu.service-now.com/) and look up the status.
- The requestor can review previously received ticket email messages.
- Contact the ITS Service Desk or open a Service Request.
How far ahead should I request a TAR review?
TAR reviews should be requested at least two weeks before the acquisition needs to occur. If contractual terms are required, additional time may be needed for vendor negotiation. TAR reviews can be requested in advance to minimize acquisition delays.
I am planning an IT project. Can I get an early review?
Yes, IT Operations, Information Security, and Accessible Technology team members are available to assist during the project planning phase. Assistance is available to ensure Requests for Proposals (RFPs) include necessary technology, operational, and integration requirements, information security and privacy requirements, accessibility requirements, and associated contract terms.
If you have questions, contact the ITS Service Desk or open a Service Request.
How long does a TAR review take?
The amount of time the review takes depends on the complexity of the acquisition. Simple acquisitions are often approved within two days. Complex requests are usually completed within two weeks. Requests that take more than one week will receive a weekly update.
Why can’t I use Dropbox, iCloud, Google Drive, and SurveyMonkey?
In response to a CSU audit, a Cloud Computing Practice Directive went into effect to define campus cloud service standards as well as procedures on how to request an exception to acquire a non-standard cloud service. Campus IT support is available to help and assist migrating to campus standard solutions.
How can I add supporting documentation?
Navigate to your TAR in the Ticketing System and upload any attachments.
What is a VPAT?
A VPAT, or Voluntary Product Accessibility Template, is a self-assessment document completed by a vendor that provides relevant information on how their product or service claims to conform to Accessibility Standards.
What vendor documents are needed for cloud computing acquisitions that store data?
The vendor will be asked to provide one of the following cloud security assessment documents:
- A current SSAE-16 SOC 2 Type II (or equivalent third-party audited security standard).
- A current Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ).
- The Higher Education Cloud Vendor Assessment Tool (HECVAT).
What are the criteria for deciding which form can be used for a Cloud security assessment?
Based upon the type of data being stored in the cloud solution, only one of the following documents identified in the table below is necessary to meet the requirement.
DATA CLASSIFICATION TYPE OF DOCUMENTATION ACCEPTED
ISO 270xx Certification
Other CSA CAIQ, or TAR questionnaire
Level 2 – high record count
Level 2 – small record count
For more information see: ICSUAM 8065.S003 Information Security Asset Management – Cloud Storage & Services
What is a risk acceptance form?
A risk acceptance form is used to document non-compliance with CSU policy. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.
What are supplemental IT contract terms?
Supplemental IT contractual terms are CSU boilerplate contractual language that is edited as applicable to the technology deployment scope. The Information Security team determines if the acquisition requires a contract to protect the CSU liability. The applicable terms should be forwarded to Procurement and Support Services to determine the best way to proceed.
How do I proceed if supplemental IT contractual terms are required?
If you have already submitted a requisition, forward the Master ticket to Procurement. If you were planning to use a P-card, contact Procurement and Support Services to determine the best way to proceed.
How are contracts prepared and negotiated?
Contact Procurement and Support Services for assistance preparing and negotiating contracts.
What if the vendor does not agree with SF State contractual terms?
The vendor can edit the draft contract with tracking enabled and identify the areas of disagreement or concern. The edited draft contract should be returned to Procurement and Support Services, which coordinates vendor contract negotiations.