All software/services accepting payment must comply with the University Policy on Accepting and Handling Payment Cards to Conduct University Business and be approved by the University Commerce Committee. Contact Financial Services at firstname.lastname@example.org to initiate this process.
For any contract associated with software or a service that stores or has access to Brown or research participant data, OIT needs to either conduct a data security review or confirm that the vendor has been vetted by an OIT-approved standardized security assessment vendor (FedRAMP).
- If a data security review is needed:
  - The expectation is that the department should have enough knowledge of the software, the data associated with the contract and its integrations with Brown services to be able to answer the IT Security Questions. These questions should not be sent to the vendor to answer.
  - The goal of these questions is to assign each contract a Data Risk Classification.
- If the vendor has been vetted by an OIT-approved standardized security assessment vendor:
The risk classification will drive the remainder of the IT contract and security review process.
If you have questions, please email email@example.com or call Veronica Dure, Assistant Director, IT Contracts, at x37291.