Versions Compared

Version Old Version 53 New Version 54
Changes made by

Daniel LaGrow

Daniel LaGrow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Utilizing the data risk category definitions and examples provided in the Data Risk Classification Policy found here: Data Risk Classification Policy, please confirm the risk category for the University data that you are requesting to be used with this solution. 
  2. In accordance with SUNY Procurement Policy, a Higher Education Community Vendor Assessment Tool (HECVAT) is required. In the event of engaging with any cloud vendor, the HECVAT Lite or Full version must be completed by the vendor. In cases where Category II Private (e.g. Title IV or FERPA) or Category III Restricted data (e.g. PHI, Social Security Numbers, Credit Card Information, etc) are being stored, transmitted, or processed via the vendor, the full HECVAT must be provided by the vendor. If the vendor is supplying software that is designed to run on SUNY Fredonia’s local computing infrastructure (network, database, desktops/laptops, etc…) or is running a purpose-built application (often referred to as an agent) in conjunction with a piece of hardware then a HECVAT On-Premise is required. 
  3. In accordance with SUNY Procurement Policy, a 3rd Party attestation of security practices is required. Currently, the preferred response is that the vendor provides an SSAE16/18 SOC 2 Type 2 report. If a SOC2 Type 2 report is not available a suitable substitute may be provided at the discretion of the SUNY Fredonia Chief Information Officer and Chief Information Security Officer (CISO). At this time, it has been determined that both an ISO 27001 or a FedRAMP certification along with the detailed certificate review findings related to security controls are suitable substitutes for a SOC2 Type 2 report. The primary goal is for the vendor to provide an audit of their security practices from a 3rd party that attests to their overall security practices. 

...

  • All technology requests or renewals must follow this process regardless of the type of funding (State vs. Non-state, AER, etc.). 
  • All Research Foundation-funded technology purchasing needs to utilize the Technology Request Form and the above applicable steps will need to be completed.
  • Software or Software as a Service (SaaS) cannot be purchased via a state-issued procurement card and must be purchased via a state-issued Purchase Order.
  • This Technology Request Process can take from 3 to 6 months to complete.

Additional Resources:

Fredonia ITS Procurement Standards
How do I request a VPAT and what do I do if a vendor doesn't have a VPAT?


...

Live Search
sizelarge
additionalpage excerpt
placeholderSearch Answers
typepage

...