Pre-Purchase Product Review
"Defining Technology" FlowchartProcurement Glossary
Please use the process below to determine whether your product should be reviewed by the security and digital accessibility team.
We are here to help you, the business unit or purchaser, understand what risks a digital solution poses to the university and what is necessary to ensure compliance with our policy. In order to reduce frustration, we hope that you will loop us in EARLY in your purchasing process so that our review does not inconvenience the product implementation timeline. Please use the steps below to ensure a great purchasing partnership.
Few people realize that an Amazon locker system or a campus bike-sharing service has digital elements. But every mailroom worker uses a computer program to monitor package locations. Everyone riding a campus bike reserves and drops it off using a mobile application. Therefore, those products have elements that qualify as Ñý¼§Ö±²¥ State Technology. We're here to help you make sure these products are EQUALLY ACCESSIBLE by and SECURE for all users.
In order to protect Ñý¼§Ö±²¥ State University and its systems, vendors whose products/services will access/host university data must complete the Higher Education Cloud Vendor Assessment Tool (HECVAT). This process assists the university in preventing breaches of protected information and comply with university policy, state, and federal law. This is intended for use by vendors participating in the request for proposal (RFP) process with Ñý¼§Ö±²¥ State University and it should be completed by the vendor. There is a light and full version of the assessment tool. The vendor will need to fill out the version that corresponds with what type of university data they will access/host.
In order to be reviewed by the digital accessibility team, a current VPAT must be attached to the ticket. More information is below.
STEPS IN REVIEW PROCESS
Step 1: List the requirements for this digital solution and use the resulting information to inform your purchasing process.
Define the stakeholders (leadership in your team or others who are impacted by or will be using the product) and end users (those using the product but not involved in managing it)
What?
Is the product a digital platform or system? Is it cloud or desktop based software? Is it a physical product that includes auxiliary software or mobile applications, such as physical bikes reserved on a smart phone?
Where?
Will it be used on computers, tablets, smart phones, on a self-contained kiosk? Will it be used only on campus, or by student/staff off of campus? Does it require being logged into the Ñý¼§Ö±²¥ State network?
Why?
Define the business goal and/or purpose this product needs to achieve.
How?
Is it completely independent or will it interact with any Ñý¼§Ö±²¥ State protected data? Does it need to integrate with Canvas or Blackboard, reference student ID#, etc.?
Step 2: Ask the Information Technology employee in your area whether any digital solutions Ñý¼§Ö±²¥ State already owns would meet your requirements.
If a current enterprise product will not meet your needs, move on to step 3.
Step 3: Answer the questions below with a "Yes" or "No".
- Will current Ñý¼§Ö±²¥ State Students or staff be REQUIRED to use this product? (i.e. software or application necessary to complete course assignments, system employees use to document their sick days)
- Will more than 100 people be using this product (both administrators and end users)?
- Does the product cost more than $2500 per contract year?
- Will it interact with any Ñý¼§Ö±²¥ State protected data? (i.e. Does it need to integrate with Canvas or Blackboard, reference student ID#, etc.?)
If the answer to ANY of the above questions is "Yes", continue to step 4. If not, your digital product does not need to be reviewed at this time by the Digital Accessibility Team, but inform your of your purchase plans. (**Note that you should reference these questions again at contract renewal, as this method of determining which products to review is under revision by DoIT leadership and is subject to change.)
Step 4: If you answered "Yes" to any of the above questions and are pursuing a product outside of current enterprise licenses (even FREE digital solutions), gather the documents listed below and submit your product for review by the Information Security and Digital Accessibility team.
- Talk to a sales representative for the product to request a recent VPAT and HECVAT. Not all companies have completed forms, but work to underscore the importance of these documents. Your sales representative may not know what these documents are, so suggest they speak with a technology/development team member. Share these websites with the sales rep and ask them to pass them on to the development team: ABOUT THE VPAT, ABOUT THE HECVAT
- Complete the Product Assessment Form, which helps the Information Security and Digital Accessibility teams understand basic information about the product in order to begin the review process. Each product requires a review by each of these two independent teams before contract and/or use. Please complete the above steps to be fully informed about the product and how your department plans to implement it BEFORE beginning the form.
Step 5: Please allow 10 business days for our teams to process both reviews upon receipt of the HECVAT and VPAT.
*Email equalaccess@kent.edu if this timeline or acquiring the HECVAT or VPAT is problematic.
Procurement Glossary
Buying Unit: The person within a department or office that is tasked with researching and purchasing digital solutions for use by students, staff or faculty. Works to add the appropriate time to the purchasing timeline to allow for IT review. Is the main contact for the Digital Accessibility Team and the Information Security Team as they conduct the review. Often communicates with the vendor to get more information for the review.
Digital Accessibility Team: Exists within the Systems Development and Innovation Team within the Division of Information Technology. Works to assess and improve the digital accessibility of Ñý¼§Ö±²¥ State University’s entire digital footprint: websites, course materials, applications, software, and archives. Provides education and guidance on compliance with the digital accessibility policy. Liaises with many departments on campus to strengthen efforts towards digital accessibility.
Digital Solution: Software, hardware and digital content used to solve a business or educational need; including web-based information and applications, audio and/or visual content, mobile applications, digital documents, educational materials, assistive classroom technology, purchasing and business processes, telecommunications, and self-contained products with a digital component.
HECVAT: The Higher Education Community Vendor Assessment Tool (HECVAT) is a questionnaire framework specifically designed for higher education to measure vendor risks. The information security team will have buying units ask the solution provider to complete a HECVAT to confirm that information, data, and Cybersecurity policies are in place to protect sensitive institutional information and constituents' Personal Identifiable Information (PII). There are two versions, based on the type of information accessed or used by the chosen digital product. The information security team asks buying units fill out the request to find out which version of HECVAT to submit and then ask the vendor for a copy that is less than 12 months old.
Information Security Team: The second of two DoIT teams which review digital products before purchase, it exists within the Division of Information Technology and is led by the Chief Information Security Officer (CISO). This team works to protect the university information systems, identities and data assets through the use of security and privacy controls to create and maintain a resilient and secure posture, while fostering a culture of security awareness and compliance throughout the university. Digital product review is a key component of ensuring this protection, as our digital safety can be compromised by introducing an insecure third-party product.
VPAT: The Voluntary Product Accessibility Template (VPAT) is a recommended reporting format used to assist government contracting officials and other buyers in identifying accessibility features and barriers of commercially available information and communication technology. Providing the digital accessibility team with a VPAT helps us to better understand the accessibility features of your product and quickly identify any areas where a user with disabilities may encounter difficulties. A good, thoroughly-detailed VPAT can help move a purchasing request through the process more quickly. Likewise, the lack of a VPAT or a poorly-detailed VPAT can delay the process significantly. Please see www.kent.edu/digital-accessibility/vpat for more information.