The Information Security Office (ISO) and ASU Purchasing are instituting changes to the technology purchase process to include a mandatory security review. To ensure that ASU Law follows the university’s technology security review process, please forward all of your technology purchase requests to Melanie Knerr in the Business Office effective Thursday, October 1, 2020. Melanie will work with Eddie Garcia to ensure all of the necessary back-ups are in place.
Technology should not be purchased with purchasing cards or submitted for reimbursement. The Business Office will process the payment through the Financial Management System (FMS) and will require a two-week lead time so that the security review can be conducted and the vendor entered into our FMS system.
When you submit your purchase request, please include the justification for the purchase and how it will be used (sample attached). Transactions will ultimately be reviewed at the university level for compliance with these policies.
A security review is required for all technology purchases including when:
- ASU is purchasing or leasing software, or processing a software renewal
- Engaging a supplier to create any code for ASU
- Engaging a supplier to receive, store, or analyze ASU data (including if the data is not online)
- Supplier is hosting or managing ASU data on infrastructure outside of ASU, including in the cloud
- Engaging a supplier to collect Personally Identifiable Information (PII) or ASU data via a link on an ASU.edu or another ASU managed webpage
- Purchasing computer hardware (e.g., laptops, desktops, monitors, tablets)
Each of us at ASU is responsible for the security of ASU’s systems. We are also individually responsible for any technology that we install or use. The technology security review process identifies risks and, through mitigating controls, reduces the overall risk to ASU users, systems, and networks. It will also ensure that proper warranty coverage and inventory control are maintained, and it will prevent costly mistakes such as purchasing individual licenses for a product the university or college already owns at an enterprise level.