Purchasing, Licensing, and Using Technology at NAU

It is a required process that allows ITS and Accessibility to review and evaluate technology, subscriptions, or hardware prior to use.  The intent of this review is to address a number of concerns including mitigating risk to NAU, ensuring accessibility for all users, maintaining fiscal responsibility by reducing the number of redundant purchases, complying with data management policies, and contributing to an “OneNAU” feel.

There has been a change to how subscriptions will be processed through the ITS Checklist. To ensure the safety of NAU data and systems, ITS will need to review subscription checklists that contain the following:

• The subscription service processes or stores protected NAU data (FERPA, FISMA, HIPAA, etc.)
• The subscription service integrates with an existing NAU system (i.e. PeopleSoft, Salesforce, CAS, etc.)
• The subscription has a high number of NAU users (more than 100)

Please Note: If the subscription meets any of the criteria above, it requires an NAUVAT completed by the vendor attached to the checklist.  If the subscription does not meet any of the above criteria,  the checklist still needs to be submitted for Accessibility review but will take less time to process because ITS will not review it.

If you have any questions or concerns, please contact its.sa@nau.edu.

There are many reasons for the ITS Checklist. Below are 3 of the most common answers you will hear, but a summary of all of this is that “It’s dangerous to go alone!”. The threat from being connected to the rest of the virtual world is real, but the benefits are unlimited. The ITS Checklist allows NAU to have experts from all areas of the University review and ask the hard questions. By taking a proactive approach to protecting our data, our students, and NAU we are maximizing our resource usage and minimizing our risk.

Security:

Because of the inherent risk to NAU when using any technology, a review by subject matter experts allows us to lower the risk of data breaches. In 2018 alone, 14 higher education institutions reported data breaches. Four of those breaches were due to a third party entity (i.e., hosted vendor). Over 40 million records were compromised costing the institutions an average total of 60 million dollars in fines and lawsuits. The ITS Checklist is the first step to maintaining data integrity at NAU. If you use unapproved technology at NAU, there could be serious ramifications. As of 2018, the average cost of a data breach is $3.86 million. If NAU has all of its data stolen it would be over $9 million.

Accessibility:

Usability is a key factor when developing products and websites.  Universally designed products and websites allow as many users as possible to interact within the digital world without the need of additional technology. Designing with accessibility in mind goes one-step further to ensure individuals with disabilities that use assistive technology have the opportunity to interact with products and websites in that same digital world.

Section 504 of the Rehabilitation Act and the Americans with Disabilities Act cover accessibility.  Information and Communication Technology (ICT) purchased, developed, maintained, or used by the University must meet federally recognized accessibility guidelines.  As such, we are required to follow the Web Content Accessibility Guidelines (WCAG) 2.0 at the AA level.

The Department of Education Office for Civil Rights (OCR) enforces compliance with accessibility requirements.  OCR has created over 1,000 resolution agreements with schools around ICT accessibility.

Fiscal Responsibility:

As a government institution we have a fiscal responsibility to allocate resources appropriately.  The ITS Checklist allows us to build a central repository of the technology that is being utilized.  With this information, metric based decisions can be made regarding whether or not we already have a solution available that will meet requirements and identify opportunities where it would be beneficial to purchase group licensing.

We do, when it is technology that we own and maintain. However, many times the business is far more familiar with how the technology is going to be used, what modules or add-ons have been purchased, and the exact business needs of the technology. ITS will not be aware of the detailed understanding of the business needs.  Having the business involved early on allows us to find the right solution for ITS, the business, and NAU as a whole.

Multiple departments are involved in this review, so rather than have each of them reach out to you individually, the departments worked together to compile a single questionnaire.

The checklist is only accessible to NAU employees, so the vendor cannot access it. The form contains questions that the vendor will not be able to answer because they are specific to how you intend on using the technology.

To make it easier for you to get accurate information in order to complete the checklist, we have provided this ITS Checklist Vendor Form. It has a limited number of questions that you can provide the vendor.

Please refer to the ITS Software Page to see what is available at NAU.  If you have additional questions, please open a ServiceNow request or call 928-523-3335.

ITS checklists currently in progress can be viewed on a dashboard. If your checklist is not showing on this dashboard, it could be 1 of 2 things:

1. It has not been started.
2. It has already completed the review process.

If you know the checklist has been submitted, but never received email confirmation, check your spam folder.  If you have additional questions or concerns, please open a ServiceNow request or call 928-523-3335.

The ITS Checklist is required annually and must be completed before a contract will be signed or payment made.  It is recommended you start a month or two prior to renewal or purchase.

The Checklist Review is completed through a collaborative process between Accessibility, Contracts, Purchasing, and Risk Management (CPRM), and Information Technology Services (ITS).

The person who is most knowledgeable about the technology and its intended usage should fill out the ITS Checklist. Because many times it is a collaborative process between the department and the vendor, we have provided this ITS Checklist Vendor Form. This is NOT the ITS Checklist and will not be accepted in lieu of required documentation, but it will allow the submitter to get required information.