Some staff, students, faculty and the public may find it difficult or impossible to use an electronic product or service that has significant accessibility problems. By supporting IT accessibility, the University helps ensure that as broad a population as possible is able to access, benefit from, and contribute to its electronic programs.
UCI is committed to safeguarding the electronic information entrusted to us. We follow privacy policies and data protection practices not only to comply with regulations but to maintain the trust and confidence of our University community.
When considering purchases of software and IT services, the University is obligated to comply with various laws, regulations, guidelines, and policies such as
UC BFB IS-3 – the systemwide policy for Electronic Information Security.
BFB BUS-49 – to safeguard sensitive financial information, including credit and debit card data.
To support these policies and help you evaluate the possible risk your department may be assuming, Purchasing and the Office of Information Technology have partnered to provide a simple, 6-question Accessibility/Security Review Checklist you can complete prior to each software purchase.
If your checklist answers identify your planned purchase as high-risk, our accessibility and security teams will work with you and the software manufacturer to perform a deeper review. That discovery process will help you make more informed purchasing decisions.
Please note that a deeper review is only recommended when your checklist identifies high risk factors – not all checklists will result in a deeper review.
Frequently Asked Questions
Do I need to complete the checklist for past software purchases?
No, the checklist is designed to help evaluate new purchases beginning May 1, 2017.
Can you give an example of when I should complete a checklist?
If the software will be used by a broad (or unknown) audience, or you think it may be used to store private or personal information (such as health information or credit card numbers, or any student data) it’s a good idea to use the checklist. Our goal is to help each department understand the risk they are assuming when making purchases, and the checklist is a simple way to help identify that. If in doubt, we recommend to err on the side of caution and use the short checklist.
Is there a master list of campus software available to help answer question 1 on the checklist?
Refer to the list of known software in use on campus as of June 2018. This list is a work in progress and we will add others as we are made aware of them. If you know of a specific software that is used on campus but not listed, it’s ok to answer Yes to Question 1. If the software you’re considering is not on this list and you don’t know if anyone on campus is already using it, please choose No/I Don’t Know. Saying “I Don’t Know” does not automatically trigger a deeper review.
How long will a security/accessibility review take if my purchase is deemed high risk?
Please note: only purchases where your checklist answers identify risk should receive a deeper review. For those purchases, please follow the instructions on the checklist to start the review process with the appropriate team (Accessibility, Security, or both). An initial response will be generated within the first 24 hours and we anticipate a 10–15 day review period for high risk purchases. At all times, you will be able to track progress in ServiceNow.
What does the review process look like (if I need one)?
The review process is designed to be a three-way exchange where we work with the requestor and the software provider to determine whether the software complies with policy, and/or where we may need the requestor to help us address any possible mitigating options (ie putting the software behind a firewall, or making an accessibility accommodation). It’s not just “submit for approval and wait for it to be granted,” but rather an interactive process where your prompt responses and involvement can greatly help streamline the process.
What about recurring purchases and renewals? Do I need a checklist each time?
For recurring purchases and contract renewals, you do not need to complete a new checklist. But we do ask that you consider if this new purchase will be used differently than previous instances. If, for example, this instance of Excel will be used to store restricted data, it’s a good idea to use the checklist.
Does this also apply to cloud software?
Yes. Even though the software may be hosted in the cloud and not installed on your local computer, the interface can still introduce risk in terms of accessibility, and the software can also introduce risk for data security and privacy. Please keep both accessibility and security in mind, and use the checklist if you are unsure of the risk.
For help with specific purchasing/buying questions, please contact your department’s purchasing expert, or firstname.lastname@example.org.