Skip to main content

IT's Internal Software Review Process

  1. Once an IT Purchase Review request is submitted, IT reviews the request and creates a Help Desk Ticket for the requested product
  2. Freshservice generates the following message that is automatically emailed to the requester and the Software Procurement Team:

    We received your software purchase request and has passed our initial review.  To complete the procurement process, the software must go through an accessibility review. We will work with the software vendor to obtain a Voluntary Product Accessibility Template (VPAT).  If the vendor does not have a valid VPAT, we will contact you about creating a full Equally Effective Alternative Access Plan.

    Once completed, you will be cleared to submit the software in an EREQ to Contracts and Procurement for a final review.  More information is available on our IT Purchasing Requirements website.
  3. Upon receipt of the Help Desk Ticket email, the Software Procurement Team can now begin the review process
    1. For software that has been previously purchased and used on campus (standards/renewals):
      1. The Software Procurement Team will pull the most current VPAT on file for the product requested
      2. The VPAT must still be reviewed to be sure it applies to the version of the product being requested
    2. If the requester provides a VPAT from the vendor:
      1. The Software Procurement Team will review VPAT. (See How do I interpret a VPAT?)
    3. If the VPAT is not provided by the requester, the Software Procurement Team will work with the vendor on obtaining one.
    4. In the event that the vendor does not have a current VPAT on file or the VPAT provided is not fully compliant, the requester will be asked to provide a statement of responsibility in lieu of an Equally Effective Alternate Access Plan (EEAAP). The following message is sent to the requester.

      Unfortunately, the vendor has not provided me with a VPAT. Please provide a statement that you will be responsible for working with any users who require accommodation and will continue to work with the vendor to create a VPAT for the future. This is in lieu of creating a full Equally Effective Alternative Access Plan and to meet the requirements of the Sec 508 law stating that we will continue to work with suppliers to have their software be accessible for its users.
      1. If the requester knows ahead of time that the vendor does not have a VPAT, they can submit their statement of responsibility in the original IT Purchase Review request.
      2. Below is an acceptable statement:

        We will be responsible for working with any users who require accommodation and will continue to work with the vendor to obtain a VPAT. This is our plan in lieu of creating a full Equally Effective Alternative Access Plan and to meet the requirements of the Sec 508 law. 
  4. After review, the approved VPAT and/or statement of responsibility is attached to the Footprints Ticket.
    1. IT Purchase Reviews are logged in the IT Certification Record (includes both hardware and software)
    2. Copies are filed in the Procurement (IT Purchase Review, ATI, VPAT) Team Drive
    3. All VPATs are filed by product name
  5. If the software is deemed a cloud service, the requester will receive the following message.

    SOFTWARE NAME, for which you recently requested an IT Purchase Review, appears to be a cloud service. Per the SSU Cloud Procurement Standard and the CSU Cloud Storage and Security Standard, you are required to sign in and fill out the Department Cloud Usage Checklist (Seawolf ID required). The Department Cloud Usage Checklist elaborates on what kind of data is being stored or shared with a third party, and how it will be accessed. If you have any questions or need any assistance filling out the Department Cloud Usage Checklist, please contact us at iso-procurement@sonoma.edu. You are welcome to email us your questions, request a phone meeting, or request an in-person meeting.
     
    1. This part of the process is handled by the Security Procurement Team.
  6. Once all appropriate documents have been received and reviewed, the status of the Footprints ticket is updated by the Software Procurement Team and the following message is generated for the requester

    This software has successfully gone through the software procurement process and is certified for purchase by Information Technology.  You may now submit the software in an EREQ to Contracts and Procurement for a final contract review.
    1. The requester can attach the approval email from Freshservice to their EREQ. IT’s review process is now complete and the Help Desk ticket can be closed.