Texas A&M University | Technology Services

Purchasing Technology Safely and Securely

As a large public research university, Texas A&M University operates within a complex regulatory environment and is accountable to various stakeholders, including the Texas A&M System, state regulators, federal funding agencies, and the public. Consequently, university colleges and divisions periodically undergo internal and external audits to verify compliance with university policies and security standards. 

IT-focused audits examine areas like data security practices, adherence to specific regulations (like HIPAA or FERPA), compliance with security controls, or general IT governance. Being prepared for these audits is crucial for ensuring they proceed smoothly and minimize disruption to unit operations.

At Texas A&M, technology is essential to our success in teaching, research, and administration. The IT procurement review process is a partnership between the Division of IT and the university community. Our goal is to help you acquire the software, hardware, and cloud services you need while ensuring they are secure, compliant, and protect sensitive university data.

This page guides you through the process of purchasing new IT solutions for your department or project.

Why Is an IT Review Necessary?

Every new technology introduces potential risks. Our review process is designed to protect you, your data, and the university by ensuring:

  • Data Protection: We verify that vendors have appropriate security controls to protect Confidential, Sensitive, and other regulated university data.
  • Compliance with Policy & Law: We ensure all IT purchases align with university rules, such as SAP 29.01.03.M0.13 Information Security Controls, and state regulations like TX-RAMP for cloud services.
  • Cybersecurity: We assess vendor security practices to minimize the risk of data breaches, service disruptions, and other cyber threats to the university.
  • Stewardship: We help prevent duplicate purchases of software and services that are already available, saving university resources.

The Procurement Process: Step-by-Step

Following these steps will help streamline your request and get you the resources you need more quickly.

Step 1: Check for Existing Approved Solutions

Before making a new request, please check if a suitable solution is already approved and available. This is the fastest way to get what you need.

  • Check with your local IT support for department-specific or commonly used software and hardware.

Step 2: If Your Solution is Not Listed, Start a New Review

If you cannot find an existing solution that meets your needs, a new IT security review is required. This applies to any cloud-based service or any software that will handle university data.

What to expect: The review process involves a security assessment of the vendor and their product. We may require the vendor to complete a security questionnaire (such as a HECVAT) or provide documentation like a SOC 2 Type II report. We will partner with you and the vendor throughout this process.

Step 3: The Review and Approval

Once your request is submitted, the Division of IT will:

  1. Assess Risk: Evaluate the type of data the service will handle (e.g., public, university-internal, university-confidential).
  2. Review for Compliance: Verify alignment with university policies and state laws (TX-RAMP).
  3. Collaborate: Work with you and the vendor to address any security or compliance gaps.
  4. Provide a Decision: Once the review is complete, we will notify you of the approval status and any conditions for use, such as required IT security clauses in any contract or master service agreement.

Step 4: Proceed with Purchase

With IT approval, you can proceed with the purchasing process through your department's business office or according to university purchasing guidelines, such as using AggieBuy.

Frequently Asked Questions (FAQ)

How long does a new review take?

The timeline can vary from a few days to several weeks, depending on the complexity of the service and the vendor's responsiveness. Please plan ahead and submit your request as early as possible.

Why can't I just use my P-Card to buy a cheap app or cloud service?

Even free or low-cost services can pose significant risks. The terms of service may grant the vendor ownership of your data, or the service may lack the necessary security controls, putting university information at risk and potentially violating state law.

What is TX-RAMP?

TX-RAMP is a state program that provides a standardized approach for the security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. It is a legal requirement for Texas A&M.

What information should I have ready before submitting a request?

It's helpful to have a clear understanding of what you want the service to do, what kind of data it will store or process (e.g., student records, research data, general business information), and a point of contact at the vendor company.

Need Help?

If you are unsure where to start or have questions about the process, we are here to help. You can reach us at it-security@tamu.edu.

Last Modified: August 14, 2025