What To Prepare Before Requesting a Review
General Information
Be able to explain what the product is and how you will use it. IT will ask for a description of the product as provided by the manufacturer and a description of how you intend to use the product, including URLs to product and vendor information if available.
If department administration will be filing the request on behalf of an individual in their department, they will need to be provided this information in advance. Department administration will also be expected to provide contact information for the subject matter expert for this purchase in case additional information is needed.
Have vendor representative contact information available. If you have been working with a sales representative from the vendor or manufacturer of your product, providing their contact information will allow IT to contact them directly if more information is needed.
Make deadlines clear. If you have a strict deadline, make it known as soon as possible. While making that deadline cannot be guaranteed due to factors outside of IT’s control, it will help IT to prioritize requests accordingly.
Agreements and Policies
Locate or request all legal agreements and policies associated with your product. These will be required for a review by the UM Office of General Counsel (OGC) under CCR 10.070.B.5.g, which states that all agreements entered by the University must be approved by General Counsel.
Common agreements and policies include:
- License Agreements (aka End User License Agreements or EULAs)
- Terms of Use, Service, Sale, etc.
- Privacy Policy
Ensure the correct legal name is used on quotes, invoices, and agreements. Because Missouri S&T is a member campus of the UM System, which is governed by the Curators of the University of Missouri, any agreements or quotes should be issued to:
The Curators of the University of Missouri on behalf of Missouri University of Science and Technology
Have quotes, invoices, receipts, or pricing available. IT will ask for any quotes, invoices, or receipts that confirm the pricing and product.
Be aware of licensing requirements. Some vendors and manufacturers require educational institutions to buy a special education license or even an enterprise license rather than utilizing a free license. Thoroughly investigate the product and ensure that there are not going to be unexpected costs because of this situation.
For Hardware and Instrumentation
Know the system specifications. Have the make and model of the computer system, the operating system (with upgrade plan from Windows 10), and vendor support information available. IT will also need to know if installation media comes with the system, what accounts are preconfigured on the system and if the vendor has a remote access process for support if a computer system is present.
Know the warranty. Understand what the vendor will cover under the warranty and what IT will be expected to provide services for during the warranty period.
Know any network requirements. Understand if the system will need access to the internet or local network and why. Also know if static IP addresses will be required for operation.
For Software
Cloud or Locally Hosted Solutions
Cloud and locally hosted software applications, whether fully web-based or client/server-based, have additional security review requirements.
Know what data integrations are needed. If you need to have data synchronized between existing data systems and your product, know in advance which systems will be required to provide information, such as student and personnel data or grades and coursework.
Single Sign-On Integration. Software applications will need to support at least one of the following authentication methods:
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML) 2.0
These methods are required for centralized password and access management.
Higher Education Community Vendor Assessment Toolkit (HECVAT). IT Security will require a HECVAT to be prepared by the vendor for evaluation. A HECVAT helps IT Security evaluate risk and compliance factors in an efficient manner.
More information about the HECVAT and when it is required can be found on our {page} page.
Service Organization Control 2 Type 2 (SOC2 Type 2). IT Security will require a SOC2 Type 2 to be provided by the vendor for evaluation. A SOC2 Type 2 evaluation offers independent validation from a third party. It helps IT Security document that the vendor follows its security standards and that they are effective, which is critical for the regulatory requirements the University is expected to follow.
More information about the SOC2 Type 2 evaluation and when it is required can be found on our {page} page.
Data Flow Diagram. A data flow diagram helps IT Security understand how data will move from system to system and party to party. It can be a simple write-up or a visual diagram.
Locally Installed Software
Understand system requirements. You will need to investigate and understand the system requirements for your product. The following should be especially understood:
- Does the system the product will be installed on meet minimum requirements?
- Does it require dedicated graphics?
- Does it require administrative privileges to operate?
- Can operating in a managed environment negatively affect its performance?
Data Handling
Know if Artificial Intelligence (AI) will be utilized. If AI will be utilized by your product, know how it will be utilized and, if possible, how the data it processes and generates is stored.
Know what data goes in, stays, and leaves your product and how. Be able to answer questions regarding what type of data you will enter or upload into the product, what will be processed by the product, and what will be stored by the product. You will also need to know how the data is stored and who has access to it, along with how it is transmitted between systems – even if by flash drive or external hard drive.