Software Review Process

Software includes any product that is:

  • installed on a computer or other device (purchased or free)
  • cloud-based (one-time purchase, subscription, or free)
  • provided as a service
  • used to operate equipment

All software requests must follow the processes outlined below.

Faculty and Staff Responsibility

  1. If there is a cost, request budget approval from your respective supervisor.
  2. Submit a software review ticket at https://td.northern.edu/TDClient/30/Portal/Requests/ServiceDet?ID=77&SIDs=17
    1. A ticket must be created for any new software and for any request to renew existing software.
    2. Review of new software may take up to 60 days. If legal review is needed, the review will take longer, potentially 90-120 days.
  3. Complete the Software Review Checklist (Appendix B) and attach it to the ticket.
  4. Obtain the following documents from the vendor and attach them to the ticket. If you are unable to obtain these documents, please indicate that in the ticket.
    • Privacy Policy (required)
    • Terms of Service or License Agreement (required)
    • HECVAT (Higher Education Community Vendor Assessment Tool), if available
    • SOC 2 (Service Organization Control Type 2), if available
    • VPAT (Voluntary Product Accessibility Template), if available

Technology, Finance, and Purchasing Responsibility

  1. If the software will utilize confidential data or personally identifiable information, the Chief Information Security Officer (CISO) will review security documentation.
  2. NSU and BOR security requires that any system utilizing a significant amount of personally identifiable information have single sign-on (SSO) available. If SSO is unavailable, at a minimum the vendor must have multi-factor authentication (MFA).
  3. If the software is to be downloaded on a university device, Technology Services will complete a security scan. If the software does not pass the security scan, the software installation request will be denied. Appeals of this decision can be made to the CISO.
  4. The VP of Technology and VP of Finance will review all terms and supporting documents for adherence to university, state, and federal laws. The vendor’s willingness to negotiate terms will affect the length of the review. If necessary, the agreement will be sent to BOR legal counsel for review.
  5. If the VP of Technology deems the software should undergo the Systemwide LEAN IT Purchasing Process, the request will go through the process outlined in the attached workflow.

Please note: The Vice President of Finance and Administration is the designated signing authority for software agreements, contracts, or terms of service.

Details

Article ID: 214
Created: Wed 10/30/24 12:09 PM
Modified: Wed 10/30/24 12:12 PM
