About ICT Purchases
ICT Purchase Process: High-Level Overview
1. Request is submitted via
2. Request is routed simultaneously to Section 508 Compliance (VPAT) reviewers and the Information Security Office for consideration.
3. Request is assigned an impact level and may be subject to individual assessments for Section 508 compliance and Information Security.
4. Upon completion of required assessments, the request is recommended and an authorization number is issued. At this time, the authorization number to be used is the "RITM" number generated in step 1.
5. Requester enters the RITM number into the Requisition Form and submits the form to Purchasing.
Please note: the RITM number is only a tracking number for the request, and not a guarantee that the acquisition will ultimately be filled.
Thank you for your patience and support in certifying the products and services AVÀÇ procures are accessible and secure.
For general questions, to report an issue with the electronic form, or to provide the team with feedback, please send an email to: vpat@csueastbay.edu and iso-review@csueastbay.edu.
| ICT Category | Category Examples |
|---|---|
| Software: Includes, but is not limited to: applications, non-Web software, and platform software. Includes license purchase, renewals or upgrades. | |
| Hardware: A tangible device, equipment or physical component of ICT | |
| Web: Anything on the web (including but not limited to examples) | |
| Electronic Content | |
| IT Services | |
**This is not an exhaustive list of products/services considered ICT.
Requests received through the are automatically received for Section 508 compliance (VPAT) review. Impact analysis is completed on the request and determines whether further action (e.g., partial or full VPAT review) is required.
What is a VPAT?
A Voluntary Product Accessibility Template (VPAT) is a supplier-generated statement that provides information on how a product or service conforms to the Section 508 Accessibility Standards for Information & Communication Technology (ICT). In general, suppliers should generate a VPAT whenever they develop products or services that are determined to be ICT and are to be used in the AVÀÇ marketplace. In each VPAT, suppliers are expected to make specific statements in simple understandable language about how their product or service meets the requirements of the Section 508 Standards (section by section, and paragraph by paragraph).
If an ICT product or service will be used in an academic setting, by more than one user, or by the general public, a VPAT is required to ensure the product/service is fully accessible, regardless of disability.
How to Obtain a VPAT
1. Contact the Supplier/Vendor
   Many suppliers who work with Higher Ed and other government agencies already have VPATs or other Section 508 documentation available for download from their website. If you cannot locate a VPAT on their site, contact them directly to inquire. If they do not have a VPAT on file, see #3.
2. Check to see if a system wide contract is in place with the vendor or if a VPAT is on file through the Chancellor’s Office.
3. Ask the Supplier to complete a VPAT
   Suppliers that do not have a VPAT should complete the . The website has information specifically for suppliers regarding the CSU’s ICT requirement and how to provide documentation about their product’s conformance with applicable accessibility standards.
VPAT Review Workflows
Resources
Requests received through the are automatically reviewed for impact on campus information security. Impact analysis is completed on the request and determines whether further action (e.g. partial or full contract and/or product review) is required.
Why is an information security review required for campus ICT purchases?
The campus IT environment is changing rapidly, and the adoption of cloud services and of services not centered on the IT department is accelerating. As our campus deploys or identifies IT services we may want to use, we must ensure that those acquired services are appropriately assessed so that the risks to the confidentiality, integrity and availability of sensitive institutional information and the PII of campus participants are managed. Our campus has established a security assessment methodology and resources to review these services for privacy and security controls.
What is involved in the information security review?
As a campus member requesting to purchase an ICT-related product, you have been identified as a potential host or handler of AVÀÇ protected level one or level two data. If the product you are requesting will be hosting or handling our data, per the CSU Information Security Policy, you, the requestor, must "ensure that when critical or protected information is shared with third parties, it is either specifically permitted or required by law and that a written agreement is executed between the parties that addresses the applicable laws, regulations, and CSU/campus policies, standards, procedures, and security controls that must be implemented and followed to adequately protect the information asset".
The information security review performed by the campus information security office will assist you in reviewing a vendor to ensure that they can provide the appropriate level of assurances and protections for data we share with them. This process may involve multiple question and answer sessions with a potential vendor, during which additional documentation and contract modifications may be requested. The requestor is expected to remain an active participant in the communication process between the vendor and the campus information security office.
Once the information security review process is completed, we will provide a recommendation to proceed (with or without contract modifications) or a recommendation not to proceed (with a risk evaluation stating how this decision was reached). For reviews that are not recommended, where the requestor wishes to proceed with the purchase, the request must be escalated to the campus CIO (Chief Information Officer), in the ITS Department.
ISO Review
High-level, step-by-step review ending in either (A) recommended or (B) not recommended.