New IT Solutions and Services Review
To protect Purdue University IT Resources and Information Assets, all new purchases of IT software, applications, or cloud services for use by the University must undergo a security review prior to purchase to identify any risks that software or service presents to these resources. If the product or service will store, process, or transmit data classified by Purdue as Sensitive or Restricted or will integrate with existing University systems, security controls must be in place to safeguard the data. The security review identifies security controls that have been implemented by the vendor software or services. Purchasers of cloud computing services should also be aware of the Cloud Computing Consumer Guidelines, which provide guidance on operational and contractual requirements.
Procedure to Request a New IT Software or Services Security Review
- Download the Vendor Security Questionnaire.
- The Purdue requesting party completes required information on Tab 1, Project Information, and Tab 2, Data Security.
- Submit the completed Vendor Security Questionnaire to email@example.com.
- IT Security and Policy will review the submitted information and will determine if a full security review is required.
- IT Security and Policy will notify you if a full review is not required, and you may move forward with your request to purchase.
- For those requiring further review, IT Security and Policy will forward the Vendor Security Questionnaire to be completed by the vendor.
- After receiving the vendor’s response, IT Security and Policy will do a risk review and provide you with a report of findings and recommendation.
- If you have questions regarding the status of your request or questions about this process, please email the ITSP-IA team at firstname.lastname@example.org.