The Information Technology Services division regularly advises on requests for new technology solutions for the College in the areas of administration, teaching, research, and our own internal technology functions. These solutions range from small-format software licenses and cloud solutions for individual departments to large-scale, college-wide technology implementations which may involve major infrastructure changes, Claremont Colleges adoption, and multi-year funding. In all cases, ITS is committed to ensuring that these solutions are appropriate, beneficial, and secure for the Pomona College community. To that end, Pomona College employs a Technology Solutions Review process, led by the Business Analyst for Enterprise Services in ITS. The goal of the review process is to properly vet technical architecture, data security, accessibility, and legal compliance of requested solutions before contracting with vendors and finalizing purchases. The technology solution review process is described below.
- The process normally begins when the acquiring department’s management or lead contacts the Technology Solutions Review Team. This can be done either by submitting an inquiry via the ITS Helpdesk or by email.
- The Technology Solutions Review Team then initiates a first contact interview with the department personnel leading this project, making sure that their needs and vendor requirements are understood and agreed upon, and that the solution has funding. The Technology Solutions Review Team will work in conjunction with the department to ensure that potential solutions meet all the requirements.
- The next step is to contact the vendor and supply all necessary documents for them to complete and return to the Technology Solutions Review Team. These documents cover three main areas: Security, Accessibility, and Legal components; each is described below:
The Higher Education Community Vendor Assessment Toolkit (HECVAT) – this form is a security assessment template. It includes a questionnaire on higher education security and data protection that will help the department measure vendor risk. This form is reviewed by Pomona’s information security team, and a risk summary is provided to the acquiring department.
Voluntary Product Accessibility Template (VPAT) – this form provides a comprehensive report on the vendor’s product and their accessibility standards related to Section 508 of the Rehabilitation Act. The VPAT report, once received from the vendor, is reviewed by Pomona College’s Communications Team to see if the vendor’s product complies with the latest Web Content Accessibility Guidelines (WCAG).
Two legal forms are used; they are described below.
- The first one is Pomona’s Master Service Agreement (MSA). This contract is standard to Pomona College and simplifies the negotiation process between the vendor and the College, listing limitations and liabilities that should be agreed upon by both parties. The MSA may be negotiated between the vendor and the College, and modifications can be made to it; or the vendor might have their own agreement they would like to use. An outside counsel guides this process.
- The second form is the Data Processing Agreement (DPA). This form is an addendum to the MSA and identifies whether the vendor processes Personally Identifiable Information (PII). All data that can identify an individual must be listed in this form. The vendor must provide a complete list of any data fields/information needed from Pomona College (e.g., name, email address, etc.).
- Once the documentation in the three main areas has been reviewed by Pomona College, a summary report will be provided to the management of the department requesting the new technology solution, making sure that all responsible parties, including those who will make the final financial decision, receive the final summary. The report will include risk flags and short summaries for Security, Accessibility and Legal aspects, and will empower stakeholders to make an informed decision on proceeding with the chosen vendor. Those risk flags are identified as follows:
- A Green flag will indicate Low Risk: the terms and conditions are reasonable and acceptable, and the department can proceed with the chosen vendor.
- A Yellow flag will indicate Moderate Risk: there is something that should be reviewed and considered by the department, which must proceed with caution.
- A Red flag will indicate that this vendor is a High Risk and there are issues to be greatly considered before moving forward with the vendor. The department must discuss this internally to weigh all factors before moving forward with extreme caution.
- Once the department’s stakeholders approve, the Technology Solutions Review Team will coordinate document signatures. This finalizes the Technology Solutions Review process.
- Now that the final decision has been made by the department, the last step is for the department to connect with Finance for vendor contract setup and payment arrangement.
For Technology Solutions Review services, please contact firstname.lastname@example.org.