Platform: Enterprise Systems, Enterprise Support Systems, Unit Support Systems, Infrastructure
Per the IT acquisition policy, technology products are reviewed before acquiring to ensure compliance and compatibility with WMU information systems, infrastructure, accessibility, and security policies as well as other rules and guidelines for successful implementation.
A Technology Compliance Review is Required if any of the following apply
- The technology is purchased using University resources and/or University funds (i.e. general fund, designated funds, grant and/or donor funds, etc).
- The technology requires a contractual agreement with a vendor and/or supplier, including freeware and shareware agreements.
- The technology stores or transmits University data.
- The technology manages University business functions.
- The technology may require integration with an IT enterprise system or infrastructure.
The Review Process
Step 1 - Review Policies, Complete the Review Form, and Submit your Request
- Review the IT acquisition policy to determine the product/system type.
- Review the University data classification policy to determine the type of data that the product may transmit or store.
- Complete the technology compliance review request form.
- Review Step 3 below to determine if you may need to start the process to obtain and submit additional HECVAT or VPAT documentation.
Note: Once you submit your Compliance Review Request, OIT it likely to advise that both HECVAT and VPAT be obtained, so starting the process now is highly encouraged.
- Submit Technology Compliance Review Request
If the product requires a contractual agreement, begin the contract review process.
Entire that you begin the Contracts for Goods and Services Review Checklist process with General Counsel.
Step 2 - Wait for IT to Review Your Request
You will receive an email from Service Hub confirming the submission of your work order. Shortly after you will receive a confirmation from an IT personnel from the Strategic Project and Service Management team to confirm the receipt of your request form. After reviewing your submission you may be asked to work with your unit's IT director or support provider to complete one or more of the documents in Step 5.
Step 3 (CONDITIONAL) - Obtain and Submit Additional Documentation
HECVAT - Required if the product is hosted by a vendor in the cloud (Software as a Service)
- Review the University's cloud computing policy regarding that use and the importance of maintaining the security of University data.
- Request that the vendor complete the Higher Education Cloud Vendor Assessment Tool (HECVAT).
- Respond to the Service Hub email that you received with the HECVAT attached.
VPAT - If the product is browser/web-based, obtain a VPAT or conduct a WMU Accessibility Compliance Review
If the product is used through a web browser it should be validated to comply with web content accessibility guidelines, no matter how many people use it and if it is available to the public or only internally to WMU users. Accessibility compliance should be reviewed as the University cannot assume that there are no users with accessibility requirements now or in the future.
- Review the University's web accessibility policy to ensure compliance with the Web Content Accessibility Guidelines 2.0, level AA.
- Request that the vendor complete the Voluntary Product Accessibility Template - VPAT - report, which demonstrates that the product meets WCAG 2.0 (AA).
- Respond to the Service Hub email that you received with the VPAT attached.
WMU Accessibility Review - If the vendor cannot produce a VPAT
- Submit a WMU Accessibility Review Request.
- You will receive an acknowledgment of your request from Service Hub and a WMUx accessibility team member will reach out to you to complete the review.
- Once the WMU Accessibility Review is completed, Respond to the Technology Compliance Review email from Service Hub that you received with the results attached.
Step 4 - Respond with your acknowledgment of mandatory and recommended next steps
Upon completing the compliance review, IT will provide an approval document that outlines any mandatory and recommended next steps as well as approval, conditional approval, or a decline of your request. Respond with your acknowledgment of the conditions of the response to complete the process.