Last year, the Software and Cloud Services Acquisition and Renewals Process was updated to help streamline the appropriate IT Security and Privacy review. As a reminder, whenever the University intends to utilize a vendor that may be responsible for processing or storing confidential or protected information, it is important to assess the vendor’s privacy and security capabilities and controls. Such assessments occur during the acquisition process and are triggered by the completion of the Software Survey in HuskyBuy. Privacy and security assessments may also be necessary at the time of a renewal, depending on the nature of the service.
The completion of a Software Survey is required for each new acquisition. Departments are not required to complete a Software Survey for renewals. When a requisition is submitted for renewal, IT Security will automatically be triggered to review the requisition in the workflow and will make the determination, in consultation with the University’s Privacy Officer, concerning the necessity of additional assessments. The decision to reassess a vendor for privacy and security considerations depends on the date of the last assessment, whether the functionality of the service has changed, or whether the vendor is associated with any known risks (e.g., a history of security breaches). The goal of this measure is to help identify renewals that are considered low risk and therefore can be moved through the HuskyBuy workflow more expeditiously.
More information about this updated process and how it may or may not affect your department is available here: https://privacy.uconn.edu/vendors/.