New IT Solutions and Services Review

To protect Purdue University IT Resources and Information Assets, all new purchases of IT software, applications, or cloud services for use by the University must undergo a security review prior to purchase to identify any risks that software or service presents to these resources. If the product or service will store, process, or transmit data classified by Purdue as Sensitive or Restricted or will integrate with existing University systems, security controls must be in place to safeguard the data. The security review identifies security controls that have been implemented by the vendor software or services.  Implementation readiness includes the implementation of recommendations made in the review report, as well as, security services for vulnerability management, endpoint protection, authentication, and logging.  Requirements relative to security policy, standards, or data handling that are not met require the submission of a Security Policy/Procedures Exception request. Purchasers of cloud computing services should also be aware of the Cloud Computing Consumer Guidelineswhich provide guidance on operational and contractual requirements.

Procedure to Request a New IT Software or Services Security Review

For questions about this process, please email the Purdue System Security - Information Assurance team (PSS-IA) at itpolicyreq@purdue.edu.

If this is concerning a Brightspace integration review, please go here: https://www.purdue.edu/learning-management/Integrations.php

If this is concerning systems that will involve financial transactions or take credit/debit card purchases, please also contact MerchantService@purdue.edu

Service Level Expectation: Reviews will be completed within 30 days of receipt of all required information.

  1. Download the Vendor Security Questionnaire
  2. Follow the instructions on the Instructions tab of the Vendor Security Questionnaire.
  3. Submit the completed Vendor Security Questionnaire to itpolicyreq@purdue.edu. This will create a Footprints ticket for tracking.
  4. Purdue System Security will review the submitted information and will determine if a full security review is required.
  5. Purdue System Security will notify you if a full review is not required, and you may move forward with your request to purchase.
  6. For those requiring further review, Purdue System Security will consult with the requesting department and/or vendor if there are any follow-up questions to the Vendor Security Questionnaire.
  7. Purdue System Security will then do a risk review and provide you with a report of findings and recommendation.
  8. If you have questions regarding the status of your request please be sure to reply to the Footprints ticket for your request.