EIT Review

Video description: EIT Review

Welcome! This brief training video is designed to explain the WolfMart purchase requisition changes needed to support SUNY’s Electronic and Information Accessibility Policy 6901, in short referred to as EIT. Training is required for all University employees who have purchasing or budgetary authority.
SUNY is the nation’s largest comprehensive system of public higher education, comprised of a growing number of students, faculty and staff with disabilities that may impact the ways in which they access and successfully use electronic information. This growth comes at a time when essential information and services critical to student application and registration, academic course and program completion, employee hiring and evaluation, and more, are increasingly delivered via electronic means. We all share the responsibility of ensuring that the products and services we procure are accessible to the widest possible audience.
We are targeting implementation in Spring of 2021. Stony Brook University requires that accessibility is part of your selection criteria when selecting EIT products and services.
Furthermore, an EIT evaluation must be completed to determine the impact on the University when purchasing electronic and information technology products and services, including:
Local or cloud-based software or services
Mobile applications
Website development
Digital content or services
A product or service that has access to University data
Now let’s discuss the changes to WolfMart.
In order to capture any purchases that may need to undergo an EIT accessibility or information security evaluation, a new required field has been added to the WolfMart purchase requisition. The field can be found under the “General” section on the Requisition document.
A new window will open if you click the field name: Information Technology, Accessibility and Security Review.
The window contains a question that will identify and subsequently route the request to the Office of Equity and Access (OEA) and the Chief Information Security Officer (CISO) for review.
If the purchase contains any of the items listed above, you must answer “Yes” to the question. Your requisition will then be simultaneously routed to OEA and CISO for review. This review may take up to 30 days.
EIT Review
For the Office of Equity and Access review, there are 2 to 3 required forms.
As discussed earlier, all EIT products and services must be evaluated to ensure that the University is meeting its obligation to ensure accessibility to the greatest extent feasible. Along with submitting the vendor Voluntary Product Accessibility Template (VPAT), you must complete an EIT request form describing the intended use of the EIT along with the size of the user base. Purchases that are determined to be medium or high impact will also require the vendor to complete an EIT-impact form before a review can be conducted.
Information Security CISO Review
For the Information Security Review, there are 2 required forms.
A completed Higher Education Community Vendor Assessment Toolkit (HECVAT, pronounced “heckvat”) is required any time a cloud vendor is being used for University business. Examples of University business include, but are not limited to, using a cloud vendor to:
Store or process employee or student employee information, such as name, address, birthdate, resume data, work schedule, etc.
Deliver learning or testing material to students
Enable students or employees to self-enroll for access to a third-party service, such as career development or job hunting
Reach out to students or employees using contact information for enrollment, advancement, marketing, or any other purpose
Host information for or about a research project
Collect information on the University's behalf (e.g. when conducting a survey or collecting enrollment/employment applications)
Process sensitive or non-sensitive information
Process or collect payment of any kind
In most cases, the data involved is categorized by our Sensitive Information Policy as category 2 (Moderate Risk) or 3 (High Risk), and therefore the full version of HECVAT must be completed by the vendor. If the data is categorized as category 1 (Low Risk), the Lite version of the HECVAT is sufficient. In all cases, the SBU internal contact must complete the Vendor Security Information triage form.
OEA Forms
VPAT (Supplied by Vendor)
EIT Request
EIT Impact (Completed by Vendor for medium or high impact)
CISO Forms
HECVAT (lite or full)
Information Security Triage
P302: Sensitive Information Policy
www.stonybrook.edu/policy/
This completes our training video for EIT Purchases in WolfMart.
