The Software Acquisition Checklists are tools used with Berea College’s Vendor Risk Management system and are part of the procurement process. This system ensures that proper due diligence was completed in assessing a vendor’s security controls and posture when evaluating the use of software/applications before purchasing.
What checklist do I need?
This is dependent upon the location of the application/data
- For internally developed software, please use this link: https://bereaedu.wpenginepowered.com/iss/wp-content/uploads/sites/133/2017/02/Internal-dev-checklist-09102020.pdf
- For software that will be installed locally, either in Berea College’s data center or Berea College endpoints, please use this link: https://bereaedu.wpenginepowered.com/iss/wp-content/uploads/sites/133/2017/02/Locally_installed_checklist_4_2022.pdf
- For applications that are stored offsite, aka “in the cloud,” please use this link: https://bereaedu.wpenginepowered.com/iss/wp-content/uploads/sites/133/2019/07/SaaS_Checklist_4_2022.pdf
What are the steps to this process?
- Send a completed checklist and all supporting documentation to #IT-Checklists@berea.edu.
- After the initial review, the signature process will begin. Due to the number of individuals involved in this process, we ask for one week’s lead time.
- Once all signatures are in place, the requestor will be notified the process is complete, and they may move toward the next steps in the procurement process.
What if I need to renew an already existing application?
- Checklists are subject to annual review, typically done around the renewal of the application.
- Please note that if there has been a change in ownership of the vendor, different data being stored/processed or a change in functionality (ex: application now accepting credit cards), you will need to complete a new checklist with the updated information.
- For all locally installed applications – Locally Installed Application Renewal Checklist
- For 3rd party solutions that are to be installed on campus – Software/Application (locally installed) Acquisition Checklist
- For all internally developed software – Internally Developed Software/Service Checklist
- For cloud-based (externally hosted) SaaS solutions – Cloud Solution/SaaS Acquisition Checklist
FAQ
Who fills out the checklist?
Generally, the requestor or related individual within the College will. However, you may also have your vendor contact assist with or fill out the checklist for you.
What supporting documents do I need?
This greatly depends on the type of data that is being stored/processed by the application in question and the scope of its users. If there is sensitive/regulated data, the College requires up-to-date documentation detailing the organization’s security controls. Below is a brief list of common types of documentation and their requirements:
Service Contract – The contract between the vendor and the College. This should be included with every checklist.
SLA Contract – Service Level Agreement document which should be included with every checklist.
VPAT – Voluntary Product Accessibility Template
Please include if it is mandatory to use this product/application to complete College business/academic tasks.
SOC2 – Service Organization Controls report;
Please include if your application stores or processes sensitive/regulated data.
HECVAT – Higher Education Community Vendor Assessment Toolkit
Please include if your application stores or processes sensitive/regulated data.
Data Steward approval – If your application stores sensitive/regulated data, you will need approval from the respective Data Steward.
When should I submit the checklist?
The sooner, the better! There are multiple individuals and departments that can be involved, and thus their availability might not sync up. If you require technical changes such as Single Sign On integration or network and email changes, please allow for at least four weeks lead time.
What if I have a question that isn’t answered here?
Feel free to email your questions to the #IT-Checklists@berea.edu group.