Please use the following questions to determine whether something is an "in-scope" IT purchase:
-
Is this request for the procurement of a service or a product designed to collect, process, transmit, store, or otherwise handle University information?
Examples include:
- A computer server designed to provide file storage for a department
- An application used to track performance and risk metrics in a department
- An online survey application used to collect data on behalf of the University
- A third party service used to assist with the processing of information collected by VCU
-
If you answered "yes" to the question 1, then will the product or service provider create, access, process, or manage University information on behalf of VCU?
Examples include:
- A third party website that allows students to submit school application
- An online survey tool designed to help the data collection for a University project
- A third party data storage tool designed to provide storage space for University data
- An online learning management system designed to provide training and progress tracking for students and / or employees
- A third party data processing company used to normalize University data collected by a department
-
If you answered "yes" to 1 and 2, then the purchase qualifies as a third party IT purchase, and the IT Governance Data Classification form must be completed to initiate a risk assessment process.