New IT Solutions and Services Review

To protect Purdue University IT Resources and Information Assets, all new purchases of IT software, applications, or cloud services for use by the University must undergo a security review prior to purchase to identify any risks that software or service presents to these resources. If the product or service will store, process, or transmit data classified by Purdue as Sensitive or Restricted or will integrate with existing University systems, security controls must be in place to safeguard the data. The security review identifies security controls that have been implemented by the vendor software or services.  Implementation readiness includes the implementation of recommendations made in the review report, as well as, security services for vulnerability management, endpoint protection, authentication, and logging.  Requirements relative to security policy, standards, or data handling that are not met require the submission of a Security Policy/Procedures Exception request. Purchasers of cloud computing services should also be aware of the Cloud Computing Consumer Guidelines, which provide guidance on operational and contractual requirements.

Procedure to Request a New IT Software or Services Security Review

For questions about this process, please submit a ticket to the Purdue Systems Security - Information Assurance team (PSS-IA) here.

If this is a new IT solution request for an Export Controlled Research Environment, please click here.

If this is concerning a Brightspace integration review, please go here: https://www.purdue.edu/brightspace/Integrations.php

If this is concerning systems that will involve financial transactions or take credit/debit card purchases, please also contact MerchantSupport@purdue.edu. 

Service Level Expectation: Reviews will be completed within 30 days of receipt of all required information. This includes completed Vendor Security Questionnaire and all additional requested documentation within the Questionnaire.

1. Download the Vendor Security Questionnaire. 
2. Follow the instructions on the Instructions tab of the Vendor Security Questionnaire.
3. Submit the Vendor Security Questionnaire with Tab 1 and Tab 2 completed here. This will create a ticket for tracking.
4. Purdue Systems Security will review the submitted information and will determine if a full security review is required.
5. Purdue Systems Security will notify you if a full review is not required, and you may move forward with your request to purchase.
6. For those requiring further review, Purdue Systems Security will close the original ticket and request that either Tab 3 or Tab 4 be completed.
7. Submit the fully completed Vendor Security Questionnaire, with supporting documents, here. This will create a ticket for tracking and start the 30 day count for competition by PSS-IA.
8. Purdue Systems Security will then do a risk review and provide you with a report of findings and recommendation.
9. If you have questions regarding the status of your request please be sure to reply to the ticket for your request.