IT and Data Review Process

This review process includes a risk assessment which satisfies requirements that The University System of Georgia (USG) has outlined in the USG Business Procedure Manual for technology procurement.Section 3.4.4 of the University System of Georgia's Business Procedures Manual (BPM)and well asSection 3.1.2.3 of USGs BPM - Technology Procurements.

NOTE:This process, currently, does not replace the purchasing Checklist for all Services nor the Financial Accounting Addendum, but streamlines the Data Security Review process.

Need Help?

Online Service Portal
One Stop Help
University:706-721-4000
Health System:706-721-7500

Introduction

Objective:

Ensures data security and compliance when working with external vendors.
Applies to all software/hardware purchases, downloads, installations, or agreements involving data transmission or storage.

Initiating a Request

Access theIT and Data Use Reviewlocated in AU’s service portal.
Select:

- Newfor first-time requests. All requests are considered NEW if this is the first time going through this review process.
- Renewal with/without changesfor subsequent reviews.

Complete the questionnaire and upload:

- Vendor quote
- Privacy policy URL
- Data Security Addendum (if applicable)
- Cybersecurity insurance (if applicable)
- Supporting documents (e.g., SOC 2, HECVAT, RAAR-e Triage)

Submit request

Review Workflow and Timelines

Step	Description	Estimated Time
Step 1	IT Business Office Review	7 days
Step 2	Customer Consultation	14 days
Step 3	IT Review (Cybersecurity + Architecture)	14 days
Step 4	Privacy Review	14 days
Step 5	Architecture Review Board	14 days
Step 6	Legal Review	7 days
Step 7	Approved Software Review	3 days
Step 8	Final Approval and Notification	3 days

Detailed Review Criteria

IT Business Office/Customer Consultation

Cost – if over $500K, will require USG Business Case (modified or full)
Consult with customer on additional information needed to complete technical review. Consultation could involve Vendor, Project Management Office and Technical Directors.

IT Review

Cybersecurity (GRC) Review

Data protection methods
Network connectivity and SSO capability
Data storage and access
Data usage and recovery plans

Enterprise Architecture Review

Duplication of existing software
Hosting type (cloud or on-premises)
Infrastructure and integration needs
Security and compliance with AU standards

Architecture Review Board (ARB)

Purpose: Governing body that ensures the ecosystem architecture aligns with AU’s technology strategy and standards.

Process:

Weekly meetings
Presentation of findings and recommendations
Discussion of exceptions and unresolved issues

Legal & Compliance Considerations

USG Business Procedures Manual Highlights:

Technology procurements must follow BPM and USG IT Handbook.
Contracts must ensure data protection aligned with risk levels (None, Low, Moderate, High).
Cyber insurance and compliance documentation may be required.
Annual contract compliance reviews are mandatory.

Final Steps

Once approved:

Software is added to the approved list.
Documentation is provided for purchase requisition or PCARD use.
Attach pdf received from ServiceNow along with any other purchasing documents to requisition created in PeopleSoft Financials.

Information for:

Resources