
The purpose of the Technology Procurement Process (TPP) is to gather information from purchase requestors prior to purchasing electronic and information technologies (EIT) so that purchases comply with SUNY's security, accessibility, and procurement policies. This applies to all information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information.

EIT includes, but is not limited to, information resources such as internet and intranet websites, content delivered in digital form, search engines and databases, learning management systems, and classroom technologies; web, computer, and mobile-based applications allowing for interaction between software and users; and services employing information technology and telecommunications equipment.

NOTE: This process is required for all free software that uses University-owned systems or data. The University must complete a support, security, accessibility, and terms/conditions review of all free software before it is used on University-owned systems or before it uses University-owned data.

ALL new AND existing software, licensing, multi-year contracts/agreements, and hardware (technology) procurements MUST follow the Technology Procurement Process below:

Step 1: Submit a Technology Procurement Request - The customer completes the Technology Procurement Request Form and FREDMart Requisition. Upon submitting the TPP form, a Tracker ticket is created to initiate the review of the request. All other contracts and licenses should be sent directly to www.fredonia.edu/contractreview.

Step 2: Technology Compatibility and Support Review - The ITS Service Center (ITS SC) performs a technical, compatibility, and solutions analysis to ensure the software is compatible and can be supported within the existing Fredonia computing environment, or recommends/determines if similar software already exists. The ITS SC also identifies what ITS resources are required to provide ongoing support.

Step 3: Service or Project Review - The ITS Chief Information Officer (CIO) performs a review to determine if the request is a standard request or if it is a project. If it is a project, an ITS project manager will be assigned and a project charter will be developed with the requestor.

Step 4: Information Security Review - The Information Security Office (ISO) performs an Information Security risk assessment using SUNY standards to ensure that the software is secure and meets regulatory requirements. If the procurement is funded by the Research Foundation, the ISO will add the Interim Director, Grants & Sponsored Programs to the ticket as a participant. All software that uses University regulated data must be approved by the Information Security Officer or designee. All software requestors need to provide the following:

  1. Utilizing the data risk category definitions and examples provided in the Data Risk Classification Policy, please confirm the risk category for the University data that you are requesting to be used with this solution. 
  2. In accordance with SUNY Procurement Policy, a HECVAT (Higher Education Community Vendor Assessment Tool) report is required. In the event of engaging with any cloud vendor, the HECVAT Lite or Full version must be completed by the vendor. In cases where Category II Private (e.g. Title IV or FERPA) or Category III Restricted data (e.g. PHI, Social Security Numbers, Credit Card Information, etc.) are being stored, transmitted, or processed via the vendor, the full HECVAT must be provided by the vendor. If the vendor is supplying software that is designed to run on SUNY Fredonia’s local computing infrastructure (network, database, desktops/laptops, etc.) or is running a purpose-built application (often referred to as an agent) in conjunction with a piece of hardware, then a HECVAT On-Premise is required.
  3. In accordance with SUNY Procurement Policy, a 3rd-party attestation of security practices is required. Currently, the preferred response is that the vendor provides an SSAE16/18 SOC 2 Type 2 report. If a SOC 2 Type 2 report is not available, a suitable substitute may be provided at the discretion of the SUNY Fredonia Chief Information Officer and Chief Information Security Officer (CISO). At this time, it has been determined that either an ISO 27001 or a FedRAMP certification, along with the detailed certificate review findings related to security controls, is a suitable substitute for a SOC 2 Type 2 report. The primary goal is for the vendor to provide an audit of their security practices from a 3rd party that attests to their overall security practices.

If you have questions regarding this documentation, please contact the Information Security Office at security@fredonia.edu.

Step 5: Electronic Accessibility Technology Review - In accordance with SUNY EIT Accessibility Policy, the Academic and Collaborative Technology (ACT) Office performs a review for EIT accessibility. This includes the review of documentation verifying EIT accessibility conformance (VPAT - Voluntary Product Accessibility Template), reviewing accessibility roadmaps, and evaluating high-impact EIT products. Documentation verifying EIT accessibility conformance is required. If you have questions regarding this documentation, please contact the Academic and Collaborative Technology (ACT) Office at ACT@fredonia.edu. After the EIT Accessibility review has been completed, the Tracker ticket will be reviewed by the CIO or designee before being forwarded on to the Contract Services department.

Step 6: Software Terms and Conditions Review: The Contract Services department will conduct a review of the terms and conditions of all contracts to ensure that standard NYS contract terms are applied (e.g. Appendix A: Standard Clauses for New York State Contracts). Contract Services will need a copy of the software contract, multi-year agreement, Memorandum of Understanding (MoU), or EULA (End User License Agreement) for this step of the TPP review. NOTE: Please contact the vendor directly to obtain either a PDF or Word version of their contract, master service agreement, or End User License Agreement (EULA) to be uploaded with the Technology Procurement Request Form.

Step 7: Procurement Processing: Contract Services will update the Tracker ticket and include documentation illustrating the TofC / TofU was successfully negotiated (e.g. signed contract). Using FREDmart, the Purchasing Department creates the Purchase Order (PO) from approvals found within Tracker and sends it to the vendor.

Step 8: Software Installation and License Registration: The ITS SC or designated ITS department (defined within the project charter and/or Tracker Ticket) receives and installs, configures, or integrates software and then notifies the customer. NOTE: All Software licenses need to be registered using the ITS.ServiceCenter@fredonia.edu email account.

Additional Information

  • All technology procurements or renewals must follow this process regardless of the type of funding (State vs. Non-state, AER etc.). NOTE: All other non-technology contracts and licenses should be sent directly to www.fredonia.edu/contractreview
  • All Research Foundation-funded technology procurements need to utilize the Technology Procurement Form and the above applicable steps will need to be completed.
  • Software or Software as a Service (SaaS) cannot be purchased via a state-issued procurement card and must be purchased via a state-issued Purchase Order.
  • This Technology Procurement Process can take up to 6 months to complete.

Additional Resources:

Fredonia ITS Procurement Standards
