IT Procurement Vendor Intake Form
The IT Procurement Vendor Intake Form collects pertinent information about prospective new or existing IT vendors and hardware, software platforms and IT service needs. Using this information, we evaluate the contract and determine if adopting the product would compromise WashU’s information security.
Departments should submit this form if they are interested in working with any IT vendor and/or software platform.
Please submit the form prior to entering any contractual obligations with an IT vendor or software platform. The form needs to be filled out in as much detail as possible, including full and accurate contact information, any contracts/paperwork available from the vendor and costs associated with the project. This will initiate the review process, where Resource Management will review the contracts and the project needs, as well as triggering a security review by the Office of Information Security if there is an indication of a possible data risk. Either of these groups will reach out to the requestor with additional questions or to request further information if necessary.
Contracts will be reviewed and negotiated by Resource Management in collaboration with the requestor and appropriate decision maker(s).
For more information regarding the IT Procurement Policy please see:
Step-by-step instructions for completing the form in OneTrust are below. If you need assistance completing the form, please contact the Office of Information Security at infosec@wustl.edu or Lisa Owens in the Office of Resource Management at owenslisa@wustl.edu.
Guidance
1) Click on IT Procurement Vendor Intake Form on the Information Security Forms page.
2) Click the red “Submit IT Procurement Vendor Intake Form” button to begin the form in OneTrust.
3) Enter your WUSTLKey email address to log into OneTrust. If you haven’t already authenticated with DUO, you will be prompted to do so.
4) From the Self-Service Assessment main page, click the “Launch” button under IT Procurement Vendor Intake.
5) Enter a name for your form following the format “Vendor Name – Your Last Name.”
6) Click the “Launch” button at the bottom of the page.
7) Click on the question menus in the left preview pane to begin filling out the form. Please note that any question marked with an asterisk is required and must be completed before the form can be submitted.
8) Be prepared to provide information about the following:
Procurement Screening Questions
- Vendor name
- Decision maker for the project
- New or exisiting vendor
- Date product needs to be acquired
- Name of tool/application
- Description of software and its use
- Where will the application reside (local or cloud)?
- Will PHI or PII be shared with the vendor?
- Is there a signed BAA on file?
- Risks to WashU if the application stops working
- Is sensitive data involved?
Information Security Screening Questions
- Types of confidential and protected data that will be shared with the vendor
- Will the data be transferred outside of the US?
- Will the vendor host WashU data off-site?
- Other impacted projects
- Integration method (e.g., Outlook plug-in, API, vendor specific connector)
- Who is supplying data to the vendor?
- How will data be shared (e.g., cloud, questionnaire, survey)?
- Does the project involve EPIC data?
- Is BJC involved in the project?
- Will the vendor have remote access to the university network?
- Will confidential informtion be shared with the vendor?
- Does the vendor serve a critical business function?
- Impacts of unauthorized access, modification, or destruction of information shared with the vendor
Cost/Funding Information Questions
- Cost associated with this purchase
- Funding source
- Approval status
9) Be prepared to provide the following documentation:
- Master Agreement
- Contract
- Order form
- Statement of work (SOW)
- Quote
- Diagram, plan, or description of the project
10) When you have completed all the required questions, click the “Submit” button it to submit your form for review.