Platform: All university technology and data resources
The Purpose of the Process
Per the IT acquisition policy, the purpose of the Technology Compliance Review process is to:
- Ensure the product and its implementation are in compliance with information technology, accessibility, data, security, and other relevant policies, rules, and guidelines.
- Ensure the product is compatible with university information technology systems, data integrations, and security technology.
- Reduce the acquisition of redundant technologies and seek opportunities for cost savings through shared contracts, master services agreements, and contract negotiations.
- Ensure the product and its clients receive adequate implementation and long-term support from the Office of Information Technology and relevant enterprise data stewards.
When a Review is Required
A Technology Compliance Review is required if ANY of the following apply to the product/service:
- Provides web-based content.
- Users change regularly and are not static.
- Requires usernames and passwords (authentication) for more than 10 individuals.
- Stores and/or transmits university confidential or restricted data per the University Data Classification Policy. This includes, but is not limited to, HIPAA, PHI, private PII, FERPA, human subjects for research data, payment card information, financial information, etc.
- Requires data integrations with other university systems.
- Sends and/or receives emails, text messages, or other communications.
Additionally, University employees must submit all technology contractual agreements, including click-through, freeware, and shareware agreements, through the university contract review processes.
Submit a Technology Compliance Review Request
Step 1 - Review Policies, Complete the Review Worksheet and Submit your Request
- Review the University data classification policy to determine the type of data that the product may transmit or store.
- Complete the technology compliance review worksheet. (updated 3/9/21)
- Submit the Technology Compliance Review Work Order with the request form attached.
If the product requires a contractual agreement, begin the contract review process.
Ensure that you begin the Contracts for Goods and Services Review Checklist process with General Counsel.
Step 2 - Wait for IT to Review Your Request
You will receive an email from Service Hub confirming the submission of your work order. Shortly after, a member of the IT Strategic Project and Service Management team will confirm receipt of your request form. After your submission is reviewed, you may be asked to work with your unit's IT director or support provider to complete one or more of the documents in Step 3.
Step 3 (CONDITIONAL) - Obtain and Submit Additional Documentation
HECVAT (Higher Education Cloud Vendor Assessment Tool)
Required under the following conditions:
- Product is hosted by a vendor in the cloud (Software as a Service) AND
- Product stores restricted, confidential, PHI/HIPAA, or Payment data per the University's cloud computing policy
How to obtain and submit the HECVAT
- Review the University's cloud computing policy regarding cloud use and the importance of maintaining the security of University data.
- You will be asked to request either the HECVAT Full or Lite edition from the vendor depending on the type of data being stored in the product. See Higher Education Cloud Vendor Assessment Tool (HECVAT).
- Reply to the Service Hub email that you received, attaching the HECVAT.
VPAT (Voluntary Product Accessibility Template) and Accessibility Review
A VPAT is required if a product is used by more than a small team or group of individuals. If the product is used through a web browser it should be validated to comply with web content accessibility guidelines. Accessibility compliance should be reviewed as the University cannot assume that there are no users with accessibility requirements now or in the future.
- Review the University's web accessibility policy to ensure compliance with the Web Content Accessibility Guidelines 2.0, level AA.
- Request that the vendor complete the Voluntary Product Accessibility Template (VPAT) report, which demonstrates that the product meets WCAG 2.0 (AA) and Section 508 guidelines.
- Reply to the Service Hub email that you received, attaching the VPAT.
The IT analyst assigned to your request will work with the WMU accessibility compliance specialist to conduct a review of the VPAT. If a VPAT is not available, the accessibility compliance specialist will contact you to obtain access to the product to perform a review to test for WCAG 2.0 AA compliance.
Step 4 - Respond with your acknowledgment of mandatory and recommended next steps
Upon completing the compliance review, IT will provide an approval document that outlines any mandatory and recommended next steps as well as approval, conditional approval, or a decline of your request. Respond with your acknowledgment of the conditions of the response to complete the process.