Technology Acquisition FAQ

These are frequently asked questions related to completing the Technology Acquisition Request form. 

Why do I need to fill out the Technology Acquisition Request form?

Software and devices used at SHSU, whether purchased or free, are required by Texas law to be reviewed to ensure compatibility, support, and compliance.

What document(s) should I include to help my technology request move faster?
  • Quote or Contract
    • Not required but recommended because it helps IT know exactly what needs to be reviewed (product, versions, etc.).
  • VPAT or ACR (Accessibility Documentation)
    • VPAT: A template a vendor completes to describe product accessibility.
    • ACR: The completed report showing accessibility results.
  • HECVAT or SOC 2 Type 2 (Security Documentation)
    • HECVAT (4.0 or higher) - A template completed by the vendor and used to assess the vendor’s data protection, privacy, and security practices.
    • SOC 2 Type 2 - An independent audit report that shows how a vendor’s security controls operated over time. SOC 2 Type 2 may be accepted as an alternative to a HECVAT in some cases.
    • Security documents may be required if the solution:
      • stores, accesses, or shares university data
      • is a cloud or SaaS product
      • connects to campus systems
      • involves sensitive or regulated information
    • HECVAT is the preferred document for security assessments.

Where can I find more detailed information about compliance requirements?

Why are you asking me about accessibility information?

Standards outlined in Section 508, Title II, and TAC 213 require that all electronic and information technology (EIT) developed, purchased, maintained, or used by federal and state agencies is accessible to individuals with disabilities. This includes ensuring that people with temporary or permanent disabilities can use the requested product. To support this, we request an Accessibility Conformance Report (ACR) from your vendor. Having this information before submitting your request can help expedite the review process, though it is not mandatory for submission. 

Why do you need me to provide manufacturer and/or vendor contact information?

The email address is used to address technical questions. For example, we need to contact the manufacturer or vendor regarding technical documentation. Inaccurate or incomplete information will slow down the approval process.

How do I know if my data classification is confidential, protected, or public?

Think about what kind of info the system will store. For example: 

  • Student records, medical info, or saved credit card data? Probably Confidential.
  • Internal documents like HR files, research, operational information, or non-confidential information that requires additional protection? Likely Protected.
  • Info you'd be fine with putting on our public website? That's Public.

Here's a link to the IT 06 Data Classification policy to help you decide. 

What does 'impact' mean? How do I determine that?

In this context, impact refers to how the university as a whole would be affected if something went wrong with the software, for example, if it were hacked or suddenly stopped working. While the issue might cause serious problems for you or your department, it's important to think about how it could affect the entire university. Consider factors like student and employee safety, whether key services would be disrupted, how much it might cost to fix, and how it could affect the university’s reputation. To help you properly evaluate these criteria and determine the most appropriate impact level for the software, use the examples in the matrix below.

| Impact Level | Safety & Security | Operational Disruption | Financial Loss | Reputation Damage |
|---|---|---|---|---|
| Low | Minor inconvenience (like a false alarm or brief access to non-sensitive information), with no lasting effects. | A short disruption to less critical services (like Wi-Fi or internal dashboards) that was quickly resolved. | Low costs (under $100K) incurred, mostly from staff time or minor service fees. | Little to no public attention; maybe a few complaints or social media posts. |
| Moderate | Some people experienced distress or discomfort (like being harassed due to a data leak), but no one was seriously harmed. | Important services (like course registration or payroll) were down for hours or days, causing delays and extra work. | Moderate costs ($100K–$1M) incurred, such as paying vendors or staff overtime to fix the issue. | Regional news coverage or public concern required the university to respond and rebuild trust. |
| High | People were injured or killed, or highly sensitive information (like health records or law enforcement data) was exposed to the public. | Major systems (like emergency alerts or campus security) stopped working for days or weeks, making it difficult or impossible for the university to function. | High costs (over $1 million) incurred, including legal fees, fines, and recovery efforts. | News coverage across the country, loss of trust, and long-term damage to the university’s image (e.g., significantly lower enrollment numbers for the next academic year or two). |

Related Articles (1)

Software and devices used at SHSU, whether purchased or free, must be reviewed by IT to ensure compatibility, support, and adherence to compliance. Laws and regulations technology must comply with: Prohibited Technology Legislation, TAC 202, TX-RAMP, TAC 213, and Section 508.