Technology Acquisition Review

Overview

SF State technology acquisitions, purchased or obtained at no cost, are reviewed for accessibility and information security compliance prior to acquisition. Technology acquisition reviews (TARs) are used to ensure compliance with CSU policies and SF State practice directives. Compliance helps ensure the university’s data is appropriately managed and limits the university’s liability in the event of a data breach or litigation.

Pre-approved technology does not require a TAR and should be used whenever possible. Pre-approved technologies are low risk or have already completed Information Security and Accessible Technology Team reviews.

If the technology is not pre-approved, the employee who will be deploying the technology should complete the review request form. Information Security and Accessible Technology team members will review the planned acquisition and may request additional information. When both the security and accessibility reviews are approved, the technology can be acquired.

If you have any questions or need assistance, open a Service Request.

TAR Process

Prior to acquisition, all technology acquisitions, purchased or obtained at no cost, must be reviewed for accessibility and information security compliance.

  1. Check the pre-approved list and use pre-approved technology where possible
  2. The SF State faculty or staff member who is most knowledgeable about the technology completes and submits the form, with assistance from IT support staff if necessary
  3. Security and Accessibility review requests are tracked using service request tickets
    • Requestor provides requested documentation and responds to additional questions
    • Information Security team members determine if supplemental IT contractual terms are needed
    • Accessible Technology team members determine compliance with ATI policy
    • Security and Accessibility tickets are updated to indicate if approved or not approved
  4. ITS Service Desk updates master ticket status when Security and Accessibility tickets are Resolved
  5. Requesting department provides review information to Procurement or Accounts Payable as applicable

Compliance

TARs are required to ensure compliance with CSU policy and SF State practice directives. Compliance helps ensure the university’s data is appropriately managed and limits the university’s liability in the event of a data breach or litigation.

Deployment Requirements

All technology must be deployed in a manner that meets the following requirements. Security and accessibility reviews identify additional requirements as applicable.

  1. Networked devices must meet CSU Common Network Infrastructure (CNI) standards
  2. Use in-transit and at-rest encryption for all sensitive data
  3. Authorization and access control must be managed for all sensitive data
  4. Document the business reason for storing any confidential data
  5. Maintain university ownership by using SF State credentials to register and manage Cloud/Internet service accounts
  6. Install security updates and patches provided by the manufacturer
  7. Meet requirements of Accessible Technology Initiative
  8. Do not store or transmit protected University data using services hosted by third parties that do not have a contract in place with the campus or its Auxiliaries, such as personal cloud accounts

Pre-approved technology

Pre-approved technology does not require a TAR. Pre-approved technologies are low risk or have already completed Information Security and Accessible Technology Team reviews. The list is updated frequently. To request an addition to the pre-approved list, please open a Service Request. Last update 5/21/18.

Web applications and cloud services

Pre-approved campus standard cloud technology should be used where it provides equivalent functionality. Exception requests to use a non-standard cloud technology require a documented business reason why the campus provided standard technology cannot be used. The cloud computing services listed below have been pre-approved:

Digital content

Information purchased for SF State use:

  • Fonts
  • Images
  • Music
  • Photographs
  • Text based information/data
  • Video based information/data

Software

Contact campus IT support to obtain the following software at low or no cost:

Hardware, equipment, and supplies

For tablets, laptops, and desktop computers, see the Apple, Android, Dell, and Microsoft items below. Acquisition of 20 or more computers or tablets requires a TAR unless ordered as a part of the annual campus refresh.

  • Adapters
  • Apple iMac
  • Apple iPad and iPod
  • Apple MacBook, MacBook Pro, MacBook Air, iMac
  • Android tablets
  • Batteries
  • Cables
  • Cameras and video cameras
  • Dell Latitude 7000, Precision 5000, Optiplex 7000, XPS series
  • Disks and tapes
  • Digital voice recorders
  • Displays
  • Docking Stations
  • DVD players
  • Fusers
  • Hard drives
  • Headphones and headsets
  • Ink
  • Keyboards
  • Memory (RAM)
  • Mice
  • Microsoft Surface tablets
  • Monitors
  • Port replicators
  • HP Printer models: M402dne, M477fnw, M452dn, M608dn, M652dn
  • Scanners
  • Sound cards
  • Speakers
  • Televisions
  • Toner
  • Track balls and track pads
  • Uninterruptible Power Supplies (UPS)
  • USB drives
  • USB hubs
  • Video cards
  • VCRs
  • Xerox WorkCenter devices (Managed Print Program)

Maintenance and renewals

TAR reviews are not needed for maintenance or renewals where:

  1. The scope of deployment has not changed
  2. There are no changes to functionality
  3. Replacement parts are the same or similar to the part being replaced
  4. A TAR was previously approved without conditions

Provide Procurement or Accounts Payable with the original approved TAR. If you need help locating a TAR, please open a Service Request.

Frequently Asked Questions

Is a review needed?

Is a review needed if another campus unit has an approved TAR?

Yes, a review is needed even if another department has an approved TAR. Adding more users may change the accessibility impact and/or security risk. Prior reviews can expedite TAR reviews; please reference the previously approved TAR in the notes section of the form. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.

Is a review needed if the technology is already used at another CSU campus?

Yes, a review is needed even if another CSU campus has already acquired the technology. Information Security and Accessibility reviews and copies of contracts from other campuses help expedite TAR reviews. After submitting the TAR form, reply to the service request confirmation email and attach any reviews or contracts from other campuses.

Is a review needed if the technology has an existing system-wide agreement?

Yes, a review is needed even if there is an existing agreement with the Chancellor’s Office. Information Security and Accessibility reviews, links to CSYou Contract Store documents, and copies of contracts help expedite TAR reviews. After submitting the TAR form, reply to the service request confirmation email and attach any reviews or contracts from the Chancellor’s Office.

Is a review needed if I am the only user of the technology?

Yes, a review is needed even if used by one individual. Technology that stores or processes sensitive data or connects to the campus network has a security risk. Technology used to create or manage content can introduce accessibility barriers for other individuals. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval.

Is a review needed for Amazon Mechanical Turk Credits or Qualtrics Panels?

No, a TAR is not needed for Amazon Mechanical Turk or Qualtrics Panels. Acquisition of these services should be coordinated with Procurement and Support Services.

How often is a review needed for a monthly subscription?

Monthly subscriptions require annual review. At the annual review, if the subscription meets the conditions for maintenance and renewals, a TAR will not be required.

What if there are changes to scope or nature of deployment following review?

If the scope or nature of deployment changes, please submit another TAR. An example of scope change is the expansion of a pilot to a larger population. An example of the nature of deployment changing is expanding a workflow form to now include confidential data elements.

Completing the form

Who should complete the form?

The requestor (contact) should be the SF State faculty or staff member who is most knowledgeable about the technology being reviewed. Some of the questions are technical and may require consulting the vendor or Campus IT support.

How can I get help completing the form?

Contact Campus IT support to request assistance completing the TAR form.

What do I do if I don’t know the answer to a question on the form?

All questions must be answered accurately before a review can be completed. If a question is not answered, the highest possible risk will be assumed. Contact the vendor or Campus IT support to obtain assistance completing the TAR form.

Tickets

What is a ticket?

A ticket is used to record and track service requests. Tickets identify who requested service, the details of the acquisition, and the team providing assistance. Each ticket has a current status that shows if it is in progress, waiting for the customer to respond, or resolved. Resolved tickets have a resolution status that indicates if the acquisition is approved, closed due to no response from requestor, or if it was not approved. If it is not approved the reason will be indicated in the description.

Why are there three different ticket numbers?

There are three linked tickets created for each TAR request:

  1. Master ticket. Links the Accessibility and Security review tickets. Used by Procurement and Accounts Payable to determine if reviews are complete and the acquisition is approved. The Master ticket is managed by the ITS Service Desk.

  2. Accessibility review ticket. Tracks accessibility reviews completed by the Accessible Technology Team.

  3. Security review ticket. Tracks Security reviews completed by the Information Security Team.

What is a master ticket?

The master ticket links the Accessibility and Security review tickets. The master ticket will be updated by the ITS Service Desk when the Security and Accessibility reviews are complete. The master ticket is used by Procurement and Accounts Payable to determine if the acquisition is approved.

What is an accessibility review ticket?

Accessibility reviews completed by the Accessible Technology Team to ensure compliance with the CSU Accessible Technology Initiative are tracked using an accessibility review ticket.

What is a security review ticket?

Security reviews completed by the Information Security Team to ensure compliance with CSU Information Security policy are tracked using a security review ticket.

How do I see my tickets?

Visit service.sfsu.edu and log in using your SF State ID and password. After logging in, your requests will be listed and can be selected to review details.

How do I interpret statuses and resolution codes?

Each service request uses a status to track its progress. When a service request is complete, a resolution code is used to indicate if the request was approved, not approved, cancelled, or closed because the customer did not respond.

  • A status of Requires Customer Information means that the review requires additional information from the requestor to complete the review.

  • A status of In Progress or Assigned indicates the review is in progress.

  • A status of Resolved indicates the review is complete and the resolution code should be reviewed to determine if it was approved.

    • Resolved with resolution code of Resolved/Completed on Master ticket means security and accessibility reviews are complete and the acquisition can proceed.

    • Resolved with resolution code of Other on Master ticket means either the security or accessibility review has not been approved for acquisition. The reason it could not be completed and why the acquisition cannot proceed will be shown in the description of the ticket.

Who do I contact with questions?

If you have questions contact the ITS Service Desk or open a Service Request.

Review process

How can I find out the status of a review?

There are three ways to find out the status of a review:

  1. The requestor, Procurement, or Campus IT support staff can log in to the Service Request System (https://service.sfsu.edu)

  2. The requestor can review previously received ticket email messages

  3. Contact the ITS Service Desk or open a Service Request.

How far ahead should I request a TAR review?

TAR reviews should be requested at least two weeks before the acquisition needs to occur. If contractual terms are required additional time may be needed for vendor negotiation. TAR reviews can be requested in advance to minimize acquisition delays.

I am planning an IT project. Can I get an early review?

Yes, Information Security and Accessible Technology team members are available to assist during the project planning phase. Assistance is available to ensure Requests for Proposals (RFPs) include necessary contract terms.

How long does a TAR review take?

The amount of time the review takes depends on the complexity of the acquisition. Simple acquisitions are often approved within two days. Complex requests are usually completed within two weeks. Requests that take more than one week will receive a weekly update.

How do I know if my TAR was approved?

The master ticket status will be updated to Resolved when security and accessibility reviews are complete. The Resolution code will indicate Resolved/Completed if the acquisition is approved. IT Supplemental procurement conditions will be listed if required.

Why can’t I use Dropbox, iCloud, Google Drive, and SurveyMonkey?

In response to a CSU audit, a Cloud Computing Practice Directive went into effect to define campus cloud service standards as well as procedures for requesting an exception to acquire a non-standard cloud service. Campus IT support is available to assist with migrating to campus standard solutions.

Documentation

How can I add supporting documentation?

Open an email message received from the ticketing system for the Security or Accessibility review of the technology. Reply to the appropriate message and attach documents. The maximum attachment size is 20 MB per message. For larger attachments, use Box at SF State to share files.

What is a VPAT?

A VPAT, or Voluntary Product Accessibility Template, is a self-assessment document completed by a vendor that provides relevant information on how their product or service claims to conform to Accessibility Standards.

What vendor documents are needed for cloud computing acquisitions that store data?

The vendor should be asked to provide one of the following documents:

For more information see: ICSUAM 8065.S003 Information Security Asset Management – Cloud Storage & Services

What is a risk acceptance form?

A risk acceptance form is used to document non-compliance with CSU policy. The form lists any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. An administrator capable of assuming the risk and the Information Security Officer must approve the risk acceptance. The Information Security team can assist with preparing the form.

Contracts

What are supplemental IT contract terms?

Supplemental IT contractual terms are CSU boilerplate contractual language that is edited as applicable to the technology deployment scope. The Information Security team determines if the acquisition requires a contract to protect the CSU from liability. The applicable terms should be forwarded to Procurement and Support Services to determine the best way to proceed.

How do I proceed if supplemental IT contractual terms are required?

If you have already submitted a requisition, forward the Master ticket to Procurement. If you were planning to use a P-card, contact Procurement and Support Services to determine the best way to proceed.

How are contracts prepared and negotiated?

Contact Procurement and Support Services for assistance preparing and negotiating contracts.

What if the vendor does not agree with SF State contractual terms?

The vendor can edit the draft contract with change tracking enabled and identify the areas of disagreement or concern. The edited draft contract should be returned to Procurement and Support Services, which coordinates vendor contract negotiations.

Review Request Form

To expedite the accessibility and security reviews:

  • Check the pre-approved list to confirm a review is needed (use pre-approved technology where possible)
  • The individual who will be deploying the technology should complete the form, with assistance from Campus IT support and the vendor if needed:
    • Provide descriptive responses that explain the maximum planned deployment of the technology
    • Provide all the information requested
    • Respond to requests for additional information
  • If you have any questions or need assistance, open a Service Request

Contact

Product

Technology users

Please respond indicating the maximum planned deployment of the technology.

Authentication and authorization

Sensitive Data

SF State must protect all sensitive information stored or transferred. Sensitive information is classified as confidential level 1 and internal use level 2 data.

  • Confidential level 1 data requires the highest level of security. Examples: passwords, credit card numbers, social security numbers, driver’s license numbers, health records
  • Internal use level 2 data must be protected for proprietary, ethical, or privacy reasons. Examples: birthday, address, phone number, student and employee records

The examples shown are not a complete list of sensitive data elements. For more information see: What is Confidential Data?