Cloud Procurement Procedures

I. General

Depending on the nature of the service and classification of the data involved, Third Party or Cloud Services procurement can be complex and can take a fair amount of time. Please review the Standards and Guidelines for Procuring Cloud or Third Party Information Technology Services in order to make sure you understand your responsibilities.

II. Overview

Owner of a proposed service should ensure that the following departments are made aware of the desire for the service as early as possible.

• Information Security Office: Due-diligence security checks need to occur on all cloud procurements involving Confidential or Controlled information, or for any mission critical system.
   
• Procurement Office: Determine whether the dollar amount or nature of the service requires request for proposals (RFP's) or bids. Contact the Procurement office if you require guidance.
  
  
• Office of University Compliance and Legal Affairs: If no formal procurement process is required, once a vendor is selected, obtain the contractual language from the prospective vendor and provide it to the University Attorney for review. If a formal procurement process is required, Procurement Services will coordinate the contract review with Legal Affairs. If a Purchase Order is going to be issued, please make your vendor's aware of UTA's standard terms and conditions.
  
  
• Office of Information Technology – If there are any integration points, or resources required from OIT, then make sure that OIT Project Management Office has been contacted.

The above process will ensure that appropriate approvals; adequate risk mitigation, data roles and responsibilities, and billing (if any) have been considered and established. An additional benefit of this process is to obtain the best price or performance, avoid unnecessary licensing costs, and aid with choosing Cloud Services that can be supported and even customized.

III. Procurement Planning

While the Office of Procurement, Legal Services, Information Security Office and Office of Information Technology can work concurrently and cooperatively on a particular acquisition, it will take time to review and approve. Please do not wait until the end of the fiscal year to request a review of the service, as this is generally a peak period for all departments and will risk procurement delays.

IV. Procedure for the Sponsoring Department

You are encouraged to reach out to the Information Security Office as early in the fiscal year as possible.

1. Log onto Service Now and Request Software Purchase Approval.
2. Complete the Information Security Sponsoring Department Procurement Questionnaire found below in the forms section below.
3. OIT and ISO will determine if the institution already offers an equivalent service. If one exists, then OIT will work with you to determine if you or your department can take advantage of the agreement that is in place. 
4. If you determine that UT Arlington data will be created, transferred, manipulated or otherwise handled on the service then have the vendor complete the Contracting Party Attestation of Information Security Practices (below).

V. Procedure for Vendor or Third Party

To expedite the due-diligence review, please do the following:

1. Determine if your application stores, accesses, or transmits highly sensitive or confidential regulated data (such as HIPAA, PCI or FERPA data,  see https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.htmlfor more information on FERPA data) .
2. Depending on Findings:
   • If no highly sensitive or confidential data - provide a completed copy of the Higher Education Community Vendor Assessment Tool (HECVAT) Lite Weight Version.  Note that a link is also found below in the forms section.
   • If the application or service uses highly sensitive or confidential regulated data -  provide a completed copy of the Full Higher Education Community Vendor Assessment Tool (HECVAT). Note that a link is also found below in the forms section.
   • We ask vendors to consider sharing their completed HECVAT with the HECVAT Cloud Broker Index (https://www.ren-isac.net/hecvat/cbi.html) so that security assessors from other institutions may take advantage of the report saving both the institution and vendor time during future assessments. For more information on the HECVAT see https://www.educause.edu/hecvat 
3. Include a SOC 2 report (or an independent information security audit report).
4. If there are data transfer requirements from UTA to your organization, include documentation that details the list of fields.

If a Non Disclosure Agreement (NDA) is needed to provide the documentation, you may use UT Arlington's https://Mutual Non Disclosure Agreement Template or send us your NDA to sign.

VI. Updates and modifications to this document

This document will be modified as necessary to address changes in technology, processes and identified risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that it is incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.

VII. Forms

Please submit the latest version of these forms electronically.

1. To be completed by sponsoring/requesting department - Information Security Project Questionnaire for Cloud Services (Version 1.5)
   
   
2. To be completed by the Vendor or Third Party
   • No HIPAA nor FERPA data - Higher Education Community Vendor Assessment Tool (HECVAT) Lite Weight Version.
   • With HIPAA or FERPA data - Higher Education Community Vendor Assessment Tool (HECVAT) Full
   • Vendors are encouraged to share their completed HECVAT's with the HECVAT Cloud Broker Index (https://www.ren-isac.net/hecvat/cbi.html) so that security assessors from other institutions may take advantage of the report saving both the institution and vendor time during future assessments. For more information on the HECVAT see https://www.educause.edu/hecvat 

VIII. Mutual Non Disclosure Agreement Template

Vendors or third parties may use UT Arlington's Mutual Non Disclosure Agreement Template if there are concerns about the confidentiality of the information being requested during our due-diligence assessments. Please send the completed/redlined document to security@uta.edu. We will then forward it to our legal affairs for final approval and signature.

IX. Revisions