New Technology Review

What is it?

This service will initiate the process to review and ultimately approve the implementation and use of new technology on campus. 

Process

The process begins with the requester clicking the green button to the right and completing an initial “Technology Adoption” form providing details about the services provided by the vendor.  This form must be completed for any engagement with a new vendor that will:

  1. Have access to University data (processing, transmitting, and/or storage).

  2. Provide a tool that integrates with other University systems or hardware.

The Vendor Risk Management program, governed by the Office of Information Technology (OIT), is an initiative to reduce risk to University data and computing resources from outside parties and service providers. OIT collaborates with a diverse, multi-departmental Tech Adoption group created with the goal of protecting computing resources and digital intellectual property at the University, in addition to offering a wide range of software and services in the Software Catalog. Saint Joseph's University relies on outside third-party service providers and cloud-based vendors to provide various services in which those providers process or hold University data. Though SJU is committed to protecting its data resources, it must ensure that third-party service providers have appropriate controls to minimize the risk of a data breach from unauthorized access or data loss.

In addition to new vendors, this form must also be completed once every 2 years for existing vendors if there is a renewal/change in an existing contract that involves change of services to be offered, or if gaps were identified in the prior contract.

In addition to the completion of the form, the Office of Information Technology requires a comprehensive security assessment involving the vendor completing a security questionnaire, known as the Higher Education Community Vendor Assessment Toolkit, or HECVAT. This is the standard questionnaire used by higher education institutions to measure vendor risk and understand what security controls are in place to protect University data. The HECVAT FULL and HECVAT LITE are OIT’s formal way to measure and assess our vendors’ preparedness when safeguarding our data. We accept HECVAT FULL for vendors processing University data (Confidential and/or Sensitive) and HECVAT LITE for vendors processing public data (Unrestricted).

To learn more about the HECVAT questionnaire, please visit the HECVAT page. To see if a solution provider has completed a HECVAT, please visit the HECVAT Community Broker Index. To learn more about the University’s data classification sensitivity levels, please see the Data Classification Policy.

In the final step, the Office of Information Security highlights the level of risk from the vendor by providing a “risk rating” and summarizing risk findings with security recommendations in a formal risk assessment report.

Who can use it?

SJU Faculty and Staff.

Where can I access this service?

The HECVAT can be found attached to this service. Once the HECVAT has been completed, please click the green button to the right to submit the Technology Adoption form. You will attach the HECVAT that has been completed by your vendor. Failure to provide this document may result in this request being delayed or rejected.

Once submitted, you can expect to hear from a member of the Project Management office.