Process
In collaboration with Contracts and Procurement Services, the Office of Information Technology (OIT) provides IT solution and service contract reviews which serve to assess the technical, security, privacy, and accessibility properties of a product or service prior to purchase.
OIT seeks to manage risk and facilitate effective implementation of IT products and services. These reviews serve to provide an understanding of the risk profile of a solution or service and its integrations with existing IT services at the University. Departments will receive an assessment, recommendations, and/or requirements for moving forward with their contract.
Department Request for Contract Review
Complete the IT Solution and Service Contract Review with as much detail as possible. Please attach documentation relating to the product or service. This may include the contract, statement of work, security information (such as a privacy policy, HECVAT, or SOC2), and/or accessibility reports (such as a VPAT or ACR). After submitting the request, you may be asked to:
Provide a contract, agreement, statement of work, terms and conditions, and/or privacy policy, if not attached to the request form.
Collect technical, security, privacy, and accessibility documentation from the vendor. OIT may ask you to work with the vendor to complete an IT Risk and Accessibility Review (ITRAR) questionnaire.
OIT Documentation Review
Information Security and Privacy Review
In keeping with PSU’s Information Security Policy and Notice about Digital Privacy, OIT’s Information Security Team will review security- and privacy-related responses to the ITRAR and the final text of the contract. This review is intended to evaluate and manage risks related to data sensitivity, application management, identity and access management, privacy, and information security.
Accessibility Review
In keeping with PSU’s Digital Accessibility Policy and associated Standard for Accessible Digital Procurement, OIT’s Digital Accessibility and Content team will review accessibility-related responses to the ITRAR and any provided WCAG-specific Voluntary Product Accessibility Template (VPAT) or ACR. This review is intended to evaluate and manage risks related to digital accessibility.
Integrations Review
OIT will work with you and your department to identify any needed data integrations or Single Sign-on (SSO) integrations for the product or service you are purchasing. This review is an initial assessment of the scope and level of effort required for an integration as well as availability of OIT personnel to deliver an integration.
OIT Assessment and Recommendation
Once OIT has reviewed all responses to the ITRAR and any associated documentation, they will respond to CAPS and the procuring party with any follow-up questions or recommendations and a summary of security, privacy, or accessibility risks. Procuring parties may be asked to:
Answer follow-up questions related to documentation.
Work with OIT to facilitate meaningful dialogue with the vendor or other campus stakeholders.
Document ongoing security, privacy, and accessibility and support as necessary
Submit an Equally Effective Alternate Access Plan (EEAAP) If an IT solution or service is found to have significant accessibility barriers, for example, procuring parties may be asked to fill out an Equally Effective Alternate Access Plan (EEAAP). Should accessibility issues arise for users with disabilities, procuring parties would then be better prepared to work with the Digital Accessibility Resource Center (DRC) and Human Resources (HR) as necessary.