Technology Acquisition Review (TAR) Tips

Do not assume

Do not assume that the security review person is familiar with the technology stack in question. Please clarify all acronyms and proactively supply background context to save time. 

Do not submit just a diagram

Diagrams help, but they are not sufficient. Please supplement diagrams with a written summary that spells out the details suggested above. 

Know the Product

The requestor submitting a TAR request should be the most knowledgeable person regarding the technology in question to facilitate direct communication and avoid having to engage multiple 3rd parties 

There is no guarantee a submission for renewal will be approved.

Be prepared to provide documentation and background material if the previous security review ticket number cannot be located. You will want to refer to the first tip.

Our security analysts are responsible for ensuring a properly documented procedure is in place when assisting with TARs. If they ask for more information, remember that it is their goal to ensure that all data pertaining to our staff, faculty, and students are kept safe. So, while it might seem frustrating, the process is designed with our customers' safety in mind. 

The TAR process can be one that is rather involved, especially for technology that interacts with sensitive data. Focus on providing as much useful information as possible to ensure the TAR is easier. While this may seem frustrating, the clearer the information, the quicker the overall process. 

When submitting a TAR, please provide specific details about how the technology requested will be implemented on campus. What sort of hardware and software will be involved? Will data flows to or from other endpoints/platforms on campus or in the cloud be used? Will this involve any SF State data elements?

If you are unsure about any of these questions, please get in touch with us. Provide these answers to avoid any delay to your request. Let us know if you are looking into an issue and need more time. Otherwise, we will assume that unresponsive submitters are no longer interested in pursuing an acquisition. 

If there is any doubt about whether a TAR is necessary or not, please submit a TAR.

For questions regarding TARs, please do not contact individual analysts who may be out of the office. Please contact the security team at security@sfsu.edu.

Keep your eyes on your inbox. After the request for a TAR security review has been assigned, the ITS Security Team usually responds within 24 hours with approval or questions.

• Most subsequent delays are the result of customers not responding to our questions.

Maintain Open Channels of Communication

• Even if you don't have the answers to all our questions, kindly let us know that you're investigating and provide a timeline for getting back to us. In other words, please let the ITS Security team know if there will be any delays in communication when submitting a TAR.

Before making a TAR submission that involves sensitive SF State data (e.g. Level 1 or Level 2) in a cloud service, please acquire the necessary documentation around such a request before launching the TAR process.

• A list of cloud computing acquisition documents can be found here: https://its.sfsu.edu/content/documentationtechnologyacquisitionreview

Don’t submit a TAR if you’re going to be out of the office following the submission.

• Open and responsive communication channels go a long way toward expedient processing.

Ensure the best person to answer the required questions submits the TAR.

• It would be helpful if the person with the deepest understanding of technology conducts the submission. This will minimize impact and help to move the TAR through faster.

Providing Incomplete Information/Description of the Technology Requested

• Please ensure all information regarding the requested technology is provided so that subsequent data requests are not required. This will minimize impact and help to move the TAR through faster.