IT and Data Review Process

Objective:

• Ensures data security and compliance when working with external vendors.
• Applies to all software/hardware purchases, downloads, installations, or agreements involving data transmission or storage.
• Applies to all SERVICES provided by a vendor that will have access to ANY USG data. 

This process should be completed BEFORE submitting a requisition into Peoplesoft or procuring software/licenses/services.

Initiating a Request

1. Access the IT and Data Use Review located in AU’s service portal.
2. Select:

• • New for first-time requests. All requests are considered NEW if this is the first time going through this review process.
  • Renewal with/without changes for subsequent reviews.

3. Complete the questionnaire and upload:

• • Must have the Customer Consultation Questionnaire completed and attached to better understand the data usage 
  • Vendor Quote
  • Vendor's Privacy Policy URL
  • Data Security Addendum (this must be signed by vendor if vendor will have access to USG data)
  • Cybersecurity insurance (if applicable)
  • Supporting documents (e.g., SOC 2, HECVAT)

4. Submit request

Review Workflow and Timelines

Step	Description	Estimated Time
Step 1	IT Business Office Review	7 days
Step 2	Customer Consultation	14 days
Step 3	IT Review (Cybersecurity + Architecture)	14 days
Step 4	Privacy Review	14 days
Step 5	Architecture Review Board: Following the ARB review, the requester will receive an official form confirming the acceptance or rejection of the software's use. Please note that an ARB approval confirms architectural compatibility only and does not signify the completion of the full IT and Data Review process.	14 days
Step 6	Legal Review	7 days
Step 7	Approved Software Review	3 days
Step 8	Final Approval and Notification: Once the review is complete, the requester will receive a generated PDF summarizing approvals from all reviewers. This document serves as your official authorization. You must attach this PDF to your PeopleSoft requisition or provide a copy to the P-Card Administrator to finalize your purchase.	3 days

Detailed Review Criteria

IT Business Office/Customer Consultation

• Cost – if over $500K, will require USG Business Case (modified or full)
• Consult with customer on additional information needed to complete technical review. Consultation could involve Vendor, Project Management Office and Technical Directors.

IT Review

Cybersecurity (GRC) Review

• Data protection methods
• Network connectivity and SSO capability
• Data storage and access
• Data usage and recovery plans

Enterprise Architecture Review

• Duplication of existing software
• Hosting type (cloud or on-premises)
• Infrastructure and integration needs
• Security and compliance with AU standards

Architecture Review Board (ARB)

Purpose: Governing body that ensures the ecosystem architecture aligns with AU’s technology strategy and standards.

Process:

• Weekly meetings
• Presentation of findings and recommendations
• Discussion of exceptions and unresolved issues

Legal & Compliance Considerations

USG Business Procedures Manual Highlights:

• Technology procurements must follow BPM and USG IT Handbook.
• Contracts must ensure data protection aligned with risk levels (None, Low, Moderate, High).
• Cyber insurance and compliance documentation may be required.
• Annual contract compliance reviews are mandatory.

Final Steps

Once approved:

• Software is added to the approved list.
• Documentation is provided for purchase requisition or PCARD use.
• Attach pdf received from ServiceNow along with any other purchasing documents to requisition created in PeopleSoft Financials. 

What's Next?

Once your initial request is approved, your information will be securely stored and ready for next year’s renewal. At that time, you’ll simply confirm that your details remain accurate, or update any changes. Either way, a faster review process awaits.