ITPC Best Practices

  • Use the Pre-Assessment tool before submitting the IT Purchase review to ensure you have everything you need. Many reviews require a live or sandbox environment that can be used for manual testing. If this is not provided at the time of submitting your review, it can increase the timeline for review completion.
  • Before submitting for review, provide all data categories and elements. See the University Data Classification Table as a resource. If the data inventory is not declared, it will result in a delay of your IT purchase.
  • Use the University Data Classification Table to identify the necessary data steward(s) that you will need to get approval for your use case before purchase. The Data Management Framework website can help guide you on how the university manages its data.
  • Have a technical contact submit the IT Purchase review on your behalf to ensure all questions are answered accurately.
  • If the IT Purchase involves any integration with enterprise applications, please begin working with EAS before submitting the IT Purchase Compliance review form to ensure compatibility. The IT Purchase Compliance form will ask for the EAS contact.
  • If the IT Purchase involves Purple data, HIPAA, PCI or are subject to Export Control Regulations, regardless of costs, have a vendor security point-of-contact documented and prepared to answer cybersecurity questions.
  • If the IT Purchase involves Purple data, HIPAA, PCI or are subject to Export Control Regulations, regardless of costs, please begin working with S&C before submitting the IT Purchase review to ensure it meets both compliance and IT risk management thresholds.