Software Acquisition Checklists

The Software Acquisition Checklists are tools used with Berea College’s Vendor Risk Management system and are part of the procurement process. This system ensures that proper due diligence was completed in assessing a vendor’s security controls and posture when evaluating the use of software/applications before purchasing.

What are the steps to this process?

Complete the relevant checklist for your application and attach all supporting documentation. The Checklist will then be routed to all required stakeholders for approval. Due to the number of individuals involved in this process, we ask for one week’s lead time. Once all signatures are in place, the requestor will be notified the process is complete, and they may move toward the next steps in the procurement process.


What checklist do I need?

For software that will be installed locally, either in Berea College’s data center or on Berea College endpoints, please use this link: Locally Installed Application Acquisition Checklist

For applications that are stored offsite, aka “in the cloud,” please use this link: Cloud Solution/SaaS Application Acquisition Checklist


What if I need to renew an already existing application?

Checklists are subject to annual review, typically done around the renewal of the application. Please note that if there has been a change in ownership of the vendor, different data being stored/processed, or a change in functionality (e.g., the application now accepts credit cards), you will need to complete a new checklist with the updated information.

For all locally installed applications: Locally Installed Application Renewal Checklist

For cloud-based (externally hosted) SaaS solutions: Cloud Solution/SaaS Application Renewal Checklist

Generally, the requestor or related individual within the College will. However, you may also have your vendor contact assist with or fill out the checklist for you.

This greatly depends on the type of data that is being stored/processed by the application in question and the scope of its users. If there is sensitive/regulated data, the College requires up-to-date documentation detailing the vendor organization’s security controls. Below is a brief list of common types of documentation and their requirements:

Service Contract – The contract between the vendor and the College. This should be included with every checklist.
SLA Contract – Service Level Agreement document, which should be included with every checklist.
VPAT – Voluntary Product Accessibility Template. Please include if it is mandatory to use this product/application to complete College business/academic tasks.
SOC2 – Service Organization Controls report. Please include if your application stores or processes sensitive/regulated data.
HECVAT – Higher Education Community Vendor Assessment Toolkit. Please include if your application stores or processes sensitive/regulated data.
Data Steward approval – If your application stores sensitive/regulated data, you will need approval from the respective Data Steward.

The sooner, the better! There are multiple individuals and departments that can be involved, and thus their availability might not sync up. If you require technical changes such as Single Sign-On integration or network and email changes, please allow for at least four weeks’ lead time.


If you have a question that wasn't answered above, feel free to email the #IT-Checklists@berea.edu group.