IT Solution and Service Contract Review

• Information and Documentation Gathering Phase

• Documentation and Contract Review Phase

• OIT Recommendations and CAPS Next Steps Phase

Information and Documentation Gathering

After submitting the Contracting and Procurement Services (CAPS) Cover Sheet and IT Solution and Service Contract Review, procuring parties may be asked to:

• Share an IT Risk and Accessibility Review (ITRAR) with the vendor and upload a completed version to the ticket. The ITRAR should be completed by any vendor providing IT solutions or services to Portland State University (PSU). The ITRAR enables the Office of Information Technology (OIT) to quickly evaluate the technical, security, privacy, and accessibility properties of candidate products, and in turn, provide an understanding to procuring parties of the associated risk profile.

• Share all contract documents provided by the vendor. Commonly, the vendor will provide a contract, agreement, statement of work, terms and conditions, and/or privacy policy. OIT will at least need a copy of the contract or agreement to review.

Documentation and Contract Review

Information Security and Privacy Review

In keeping with PSU’s Information Security Policy and Notice about Digital Privacy, OIT’s Information Security Team will review security- and privacy-related responses to the ITRAR and the final text of the contract. This review is intended to evaluate and manage risks related to data sensitivity, application management, identity and access management, privacy, and information security.

Accessibility Review

In keeping with PSU’s Digital Accessibility Policy and associated Standard for Accessible Digital Procurement, OIT’s Digital Accessibility and Content team will review accessibility-related responses to the ITRAR and any provided WCAG-specific Voluntary Product Accessibility Template (VPAT). This review is intended to evaluate and manage risks related to digital accessibility.

Integrations Review

OIT will work with you and your department to identify any needed data integrations or Single Sign-on (SSO) integrations for the product or service you are purchasing. This review is an initial assessment of the scope and level of effort required for an integration as well as availability of OIT personnel to deliver an integration.

OIT Recommendations and CAPS Next Steps

Once OIT has reviewed all responses to the ITRAR and any associated documentation, they will respond to CAPS and the procuring party with any follow-up questions or recommendations and a summary of security, privacy, or accessibility risks. Procuring parties may be asked to:

• Answer follow-up questions related to documentation.

• Work with OIT to facilitate meaningful dialogue with the vendor or other campus stakeholders.

• Document ongoing security, privacy, and accessibility and support as necessary

• Submit an Equally Effective Alternate Access Plan (EEAAP) If an IT solution or service is found to have significant accessibility barriers, for example, procuring parties may be asked to fill out an Equally Effective Alternate Access Plan (EEAAP). Should accessibility issues arise for users with disabilities, procuring parties would then be better prepared to work with the Digital Accessibility Resource Center (DRC) and Human Resources (HR) as necessary.