Software Acquisition Checklists

What is this?

  • The Software Acquisition Checklists are tools used with Berea College’s Vendor Risk Management system and are part of the procurement process. This system ensures that proper due diligence is completed in assessing a vendor’s security controls and posture when evaluating software/applications before purchase.

What checklist do I need?

This depends on where the application and its data are hosted.

What are the steps to this process?

  1. Send a completed checklist and all supporting documentation to #IT-Checklists@berea.edu.
  2. After the initial review, the signature process will begin. Due to the number of individuals involved in this process, we ask for one week’s lead time.
  3. Once all signatures are in place, the requestor will be notified the process is complete, and they may move toward the next steps in the procurement process.

What if I need to renew an already existing application?

FAQ

Who fills out the checklist?

  • Generally, the requestor or related individual within the College will. However, you may also have your vendor contact assist with or fill out the checklist for you.

What supporting documents do I need?

  • This greatly depends on the type of data that is being stored/processed by the application in question and the scope of its users. If there is sensitive/regulated data, the College requires up-to-date documentation detailing the organization’s security controls. Below is a brief list of common types of documentation and their requirements:

Service Contract – The contract between the vendor and the College

  • When do I need to include this? The contract should be included with every checklist.

SLA Contract – Service Level Agreement document

  • When do I need to include this? An SLA document should be included with every checklist.

VPAT – Voluntary Product Accessibility Template

  • When do I need to include this? If it is mandatory to use this product/application to complete College business/academic tasks.

SOC2 – Service Organization Controls report

  • When do I need to include this? If your application stores or processes sensitive/regulated data.

HECVAT – Higher Education Community Vendor Assessment Toolkit

  • When do I need to include this? If your application stores or processes sensitive/regulated data.

Data Steward approval

  • When do I need to include this? If your application stores sensitive/regulated data, you will need approval from the respective Data Steward.

When should I submit the checklist?

  • The sooner, the better! Multiple individuals and departments can be involved, so their availability might not line up. If you require technical changes such as Single Sign-On integration or network and email changes, please allow at least four weeks of lead time.

What if I have a question that isn’t answered here?