Information and Communication Technology (ICT) Decisions - ICT Review Process Flow

Below is an outline of the steps, roles and activities associated with the ICT Review Process. The estimated duration reflects a typical review; some reviews may take longer, depending on the availability of the information, responsiveness of the vendor, level of risk, and other factors.

NOTE: "ICT Requester" encompasses the individual requester, local IT/security staff, management and admin support. Please see the ICT decision responsibilities for details.

• Step 1 - Discovery (Estimated Duration: 1-3 Days)
• Step 2 - Vetting (Estimated Duration: 2-14 Days)
• Step 3 - Findings/Acquisition (Estimated Duration: 1-5 Days)
• ICT Review Forms

Step 1: Discovery - Estimated Duration: 1-3 Days

The goal of Step 1 is to identify the requester's responsibilities, articulate opportunities, risks and trade-offs to Cal Poly, and collect the information needed to conduct the review.

Summary:

• Gather contact information
• Describe the product/service, e.g., "who" will use it; "what" it is; "when" and "how" it will be deployed; "where" it will reside, e.g., Cal Poly or  outsourced (cloud-hosted); "why" this product/vendor; "how" it will be used
• Describe compliance impacts, use case scenarios, e.g., data classification (Level 1,2,3), other (e.g., FERPA, HIPPA, PCI, Section 508)

Activities:

What You Do (ICT Requester)

• Identify need, conduct market research,evaluation and product selection
• Engage local  IT support, Information Security Coordinator, others as needed in the decision process
• Ensure accurate and thorough information is collected
• Identify any variances to CSU/campus standards
• Complete and submit the online ICT Review Checklist
• Submit requisition, waiver form or other purchasing documentation

How We Assist (ICT Review Team)

• ITS determines if product/service has already been reviewed or is already licensed
• ITS engages Procurement Services
• Procurement Services reviews supporting documentation, e.g., agreement, contract, quotes, scope of work

Step 2: Vetting - Estimated Duration: 2-14 Days

The goal of Step 2 is to help the requester make the best possible decision, ensure compliance obligations are met, provide due diligence and oversight over limited campus resources.

Summary:

• Review for compliance with existing laws, policies and standards, including accessibility, information security, technology integration and support, contracts and procurement
• Review for strategic technology direction and fit with CSU/campus infrastructure, initiatives, projects and roadmaps
• This includes: policies and standards for integration, reliability, security; resource and support requirements; data access and use; and business processes, e.g., opportunities, impacts and sustainability

Activities:

What You Do (ICT Requester)

• Actively participate and demonstrate responsibility for your acquisition
• Clarify compliance and technical questions, e.g., accessibility, data, security, use scenarios
• Submit compliance documentation, e.g., for "cloud hosted" / outsourced services, annual review, substantive updates

How We Assist (ICT Review Team)

• ITS consults with the requester, vendor/developer, campus technical teams, management
• ITS reviews accessibility documentation, assesses compliance status, Cal Poly risks
• Procurement Services consults with campus, vendor teams
• ISO consults with requester, information security coordinator, IT staff, vendor
• ISO assesses compliance status, Cal Poly risks
• ISO provides guidance to mitigate or eliminate risks

Step 3: Findings/Acquisition - Estimated Duration: 1-5 Days

The goal of Step 3 is to document findings, approvals, exceptions, and to identify next steps.

Summary:

• Finalize assessments, e.g., compliance, technology direction and fit
• Finalize ICT review documentation, noting
  • Areas of compliance and fit
  • Concerns or variances
  • Mitigating actions, commitments
  • Conditional approvals
  • Exceptions granted
  • Expectations for ongoing review, e.g., substantive updates
• Acquire ICT product/service if approved

Activities:

What You Do (ICT Requester)

• Finalize online ICT Form, comments, supporting documentation, links
• Finalize compliance and related documentation, e.g., exception requests, EEAAP
• Commit to ongoing responsibility/support for acquired product/service
• Take next steps as directed

How We Assist (ICT Review Team)

• ITS documents accessibility status, provides guidance to mitigate risks
• ITS documents approvals and findings
• ITS processes exception requests
• ITS escalates to management if necessary based on findings
• Procurement Services documents contractual and supporting information
• Procurement Services documents approvals and findings
• Procurement Services generates purchase orders, approves waivers or other documentation.
• ISO documents findings and provides guidance

ICT Review Forms

• ICT Review Checklist - to be completed by requester to initiate the review process
• CSU Vendor Accessibility Requirements 
  (VPAT 2.2 508, Accessibility Roadmap, Accessibility Statement)
• Equally Effective Alternate Access Plan (EEAAP) 2.0 Template
• IT Policy/Security Exception Request Process - to be completed by requester if needed
• ICT Review Overview and Process Flow [PDF] - handout outlining overview, process flow
• Visit our HECVAT page for more information on using the HECVAT in the ICT process.