IT and Data Review Process

This review process includes a risk assessment which satisfies requirements that The University System of Georgia (USG) has outlined in the USG Business Procedure Manual for technology procurement. and well as .

NOTE: This process, currently, does not replace the purchasing Checklist for all Services nor the Financial Accounting Addendum, but streamlines the Data Security Review process.

Need Help?

 
 One Stop Help
University: 706-721-4000
Health System: 706-721-7500

Introduction

Objective:

  • Ensures data security and compliance when working with external vendors.
  • Applies to all software/hardware purchases, downloads, installations, or agreements involving data transmission or storage.

Initiating a Request

  1. Access the located in AU’s service portal.
  2. Select:
    • New for first-time requests. All requests are considered NEW if this is the first time going through this review process.
    • Renewal with/without changes for subsequent reviews.
  1. Complete the questionnaire and upload:
    • Vendor quote
    • Privacy policy URL
    • Data Security Addendum (if applicable)
    • Cybersecurity insurance (if applicable)
    • Supporting documents (e.g., SOC 2, HECVAT, RAAR-e Triage)
  1. Submit request

Review Workflow and Timelines

Step Description Estimated Time
Step 1 IT Business Office Review 7 days
Step 2 Customer Consultation 14 days
Step 3 IT Review (Cybersecurity + Architecture) 14 days
Step 4 Privacy Review 14 days
Step 5 Architecture Review Board 14 days
Step 6 Legal Review 7 days
Step 7 Approved Software Review 3 days
Step 8 Final Approval and Notification 3 days

Detailed Review Criteria

IT Business Office/Customer Consultation

  • Cost – if over $500K, will require USG Business Case (modified or full)
  • Consult with customer on additional information needed to complete technical review. Consultation could involve Vendor, Project Management Office and Technical Directors.

IT Review

Cybersecurity (GRC) Review

  • Data protection methods
  • Network connectivity and SSO capability
  • Data storage and access
  • Data usage and recovery plans

Enterprise Architecture Review

  • Duplication of existing software
  • Hosting type (cloud or on-premises)
  • Infrastructure and integration needs
  • Security and compliance with AU standards

Architecture Review Board (ARB)

Purpose: Governing body that ensures the ecosystem architecture aligns with AU’s technology strategy and standards.

Process:

  • Weekly meetings
  • Presentation of findings and recommendations
  • Discussion of exceptions and unresolved issues

Legal & Compliance Considerations

USG Business Procedures Manual Highlights:

  • Technology procurements must follow BPM and USG IT Handbook.
  • Contracts must ensure data protection aligned with risk levels (None, Low, Moderate, High).
  • Cyber insurance and compliance documentation may be required.
  • Annual contract compliance reviews are mandatory.

Final Steps

Once approved:

  • Software is added to the approved list.
  • Documentation is provided for purchase requisition or PCARD use.
  • Attach pdf received from ServiceNow along with any other purchasing documents to requisition created in PeopleSoft Financials. 

Need help?

Should you have any questions about the IT and Data Review Process, please reach out to us at ITANDDATAREVIEW@augusta.edu.

While this process streamlines the Data Security Review, it's important to note that it does not replace the purchasing Checklist for all Services or the Financial Accounting Addendum.

In addition to direct email support, we are actively developing training sessions and a comprehensive User Guide Tutorial to provide further guidance on initiating requests, understanding the review workflow and timelines, and navigating detailed review criteria. These resources will be invaluable as you engage with the process.