IT Contract and Security Review Process

Policies

All software/services accepting payment must comply with University Policy on Accepting and Handling Payment Cards to Conduct University Business and be approved by the University Commerce Committee. Contact Financial Services at commerce@brown.edu to initiate this process.

OIT either needs to conduct a data security review or confirm that the vendor has been vetted by an OIT approved standardized security assessment vendor (FedRAMP) for any contract associated with software or a service that stores or has access to Brown or research participant data.

If a data security review is needed:
- The expectation is that the department should have enough knowledge of the software, the data associated with the contract and its integrations with Brown services to be able to answer the IT Security Questions. These questions should not be sent to the vendor to answer.
- The goal of these questions is to assign each contract a Data Risk Classification.
If the vendor has been vetted by an OIT approved standardized security assessment vendor:
- The IT Security Questions do not need to be answered. OIT will determine the Data Risk Classification based on the security assessment rating and approval of the vendor.
  - FedRAMP
    - FedRAMP Authorized, Moderate and High - Level 3
    - FedRAMP Authorized, Li-SaaS - Level 2

The risk classification will drive the remainder of the IT contract and security review process.

No Risk	No security review is needed Examples of “No Risk” contracts are the purchase of local software licenses that do not inherently store data within them and are not sending data off premises, i.e., Microsoft Word OIT will review and approve the legal terms in all software, hardware and cloud contracts
Level 1	OIT will review and approve the legal terms in all software, hardware and cloud contracts Security review is needed every 5 years
Level 2	If that data is held at Brown: OIT will work with the technical contacts to confirm adherence to Security Standards for Servers. OIT will review and approve the legal terms in all software, hardware and cloud contracts If the data is being held with the vendor: If not vetted by an OIT-approved standardized security assessment? OIT will send out a Higher Education Cloud Vendor Assessment Tool Lite form (“HECVAT Lite”) to the vendor to fill out (~150 questions.) HECVAT Lite needs to be completed. Once the HECVAT Lite is completed, OIT will review the answers. Additional questions to the vendor and/or department may be needed. If vetted by an OIT approved standardized security assessment vendor No HECVAT is needed (security review complete) OIT will review and approve the legal terms in all software, hardware and cloud contracts Security review is needed every 3 years
Level 3	If that data is being held at Brown: OIT will work with the technical contacts to confirm adherence to Security Standards for Servers. OIT will review and approve the legal terms in all software, hardware and cloud contracts If the data is being held with the vendor: If not vetted by an OIT approved standardized security assessment? OIT will send out a Higher Education Cloud Vendor Assessment Tool form (“HECVAT”) to the vendor to fill out (~300 questions). Once the HECVAT is completed, OIT will review the answers. Additional questions to the vendor and/or Department may be needed. If vetted by an OIT approved standardized security assessment vendor? No HECVAT is needed (security review complete) OIT will review and approve the legal terms in all software, hardware and cloud contracts Security review is needed every year

If you have questions, please email oit-contract-managers@brown.edu or call Veronica Dure, Assistant Director, IT Contracts, at x37291.