Electronic and Information Technology (E&IT) Decisions - E&IT Review Process Flow

Below is an outline of the steps, roles and activities associated with the E&IT Review Process. The estimated duration reflects a typical review; some reviews may take longer, depending on the availability of the information, responsiveness of the vendor, level of risk, and other factors.

NOTE: "E&IT Requester" encompasses the individual requester, local IT/security staff, management and admin support. Please see the E&IT decision responsibilities for details.

Step 1: Discovery - Estimated Duration: 1-3 Days

The goal of Step 1 is to identify the requester's responsibilities, articulate opportunities, risks and trade-offs to Cal Poly, and collect the information needed to conduct the review.

Summary:

  • Gather contact information
  • Describe the product/service, e.g., "who" will use it; "what" it is; "when" and "how" it will be deployed; "where" it will reside, e.g., Cal Poly or outsourced (cloud-hosted); "why" this product/vendor; "how" it will be used
  • Describe compliance impacts and use case scenarios, e.g., data classification (Level 1, 2, 3), other (e.g., FERPA, HIPAA, PCI, Section 508)

Activities:

What You Do (E&IT Requester)

  • Identify need, conduct market research, evaluation and product selection
  • Engage local IT support, Information Security Coordinator, others as needed in the decision process
  • Ensure accurate and thorough information is collected
  • Identify any variances to CSU/campus standards
  • Complete and submit the online E&IT Review Checklist
  • Submit requisition, waiver form or other purchasing documentation

How We Assist (E&IT Review Team)

  • ITS determines if product/service has already been reviewed or is already licensed
  • ITS engages Contracts and Procurement (C&P)
  • C&P reviews supporting documentation, e.g., agreement, contract, quotes, scope of work

Step 2: Vetting - Estimated Duration: 2-14 Days

The goal of Step 2 is to help the requester make the best possible decision, ensure compliance obligations are met, and provide due diligence and oversight over limited campus resources.

Summary:

  • Review for compliance with existing laws, policies and standards, including accessibility, information security, technology integration and support, contracts and procurement
  • Review for strategic technology direction and fit with CSU/campus infrastructure, initiatives, projects and roadmaps
  • This includes: policies and standards for integration, reliability, security; resource and support requirements; data access and use; and business processes, e.g., opportunities, impacts and sustainability

Activities:

What You Do (E&IT Requester)

  • Actively participate and demonstrate responsibility for your acquisition
  • Clarify compliance and technical questions, e.g., accessibility, data, security, use scenarios
  • Submit compliance documentation, e.g., for "cloud hosted" / outsourced services, annual review, substantive updates

How We Assist (E&IT Review Team)

  • ITS consults with the requester, vendor/developer, campus technical teams, management
  • ITS reviews accessibility documentation, assesses compliance status, Cal Poly risks
  • C&P consults with campus, vendor teams
  • ISO consults with requester, information security coordinator, IT staff, vendor
  • ISO assesses compliance status, Cal Poly risks
  • ISO provides guidance to mitigate or eliminate risks

Step 3: Findings/Acquisition - Estimated Duration: 1-5 Days

The goal of Step 3 is to document findings, approvals, exceptions, and to identify next steps.

Summary:

  • Finalize assessments, e.g., compliance, technology direction and fit
  • Finalize E&IT review documentation, noting
    • Areas of compliance and fit
    • Concerns or variances
    • Mitigating actions, commitments
    • Conditional approvals
    • Exceptions granted
    • Expectations for ongoing review, e.g., substantive updates
  • Acquire E&IT product/service if approved

Activities:

What You Do (E&IT Requester)

  • Finalize online E&IT Form, comments, supporting documentation, links
  • Finalize compliance and related documentation, e.g., exception requests, EEAAP
  • Commit to ongoing responsibility/support for acquired product/service
  • Take next steps as directed

How We Assist (E&IT Review Team)

  • ITS documents accessibility status, provides guidance to mitigate risks
  • ITS documents approvals and findings
  • ITS processes exception requests
  • ITS escalates to management if necessary based on findings
  • C&P documents contractual and supporting information
  • C&P documents approvals and findings
  • C&P generates purchase orders, approves waivers or other documentation
  • ISO documents findings and provides guidance
