Please use the following questions to determine whether something is an "in-scope" IT purchase:
Is this request for the procurement of a service or a product designed to collect, process, transmit, store, or otherwise handle University information?
- A computer server designed to provide file storage for a department
- An application used to track performance and risk metrics in a department
- An online survey application used to collect data on behalf of the University
- A third party service used to assist with the processing of information collected by VCU
If you answered "yes" to the question 1, then will the product or service provider create, access, process, or manage University information on behalf of VCU?
- A third party website that allows students to submit school application
- An online survey tool designed to help the data collection for a University project
- A third party data storage tool designed to provide storage space for University data
- An online learning management system designed to provide training and progress tracking for students and / or employees
- A third party data processing company used to normalize University data collected by a department
If you answered "yes" to 1 and 2, then the purchase qualifies as a third party IT purchase, and the IT Governance Data Classification form must be completed to initiate a risk assessment process.