IT Procurement Vendor Intake Form

We use the IT Procurement Vendor Intake Form to collect pertinent information about prospective vendors and software platforms. Using this information, we evaluate the contract and determine if adopting the product would compromise WashU’s information security.

Departments should submit this form if they are interested in working with a new IT vendor and/or software platform.

Please submit the form prior to entering any contractual obligations with a new IT vendor or software platform. Complete the form in as much detail as possible, including full and accurate information for vendor contacts. The Office of Information Security will communicate with the requestor as necessary and will work directly with the vendors to complete the review process. Procurement will work with the requestor and applicable decision maker to help review and negotiate the contracts.


For more information regarding the IT Procurement Policy please see:

https://resourcemanagement.wustl.edu/purchasing-services/procedures/procurement-of-computers-software-and-services/

Step-by-step instructions for completing the form in OneTrust are below. If you need assistance completing the form, please contact the Office of Information Security at infosec@wustl.edu or Lisa Owens in the Office of Resource Management at owenslisa@wustl.edu.

Guidance

1) Click on IT Procurement Vendor Intake Form on the Information Security Forms page.

2) Click the red “Submit IT Procurement Vendor Intake Form” button to begin the form in OneTrust.

3) Enter your WUSTLKey email address to log into OneTrust. If you haven’t already authenticated with DUO, you will be prompted to do so.

4) From the Self-Service Assessment main page, click the “Launch” button under IT Procurement Vendor Intake.

5) Enter a name for your form following the format “Vendor Name – Your Last Name.”

6) Click the blue “Launch” button at the bottom of the page.

7) Click on the question menus in the left preview pane to begin filling out the form. Please note that any question marked with an asterisk is required and must be completed before the form can be submitted.

8) Be prepared to provide information about the following:

Procurement Screening Questions

  • Vendor name
  • Decision maker for the project
  • New or exisiting vendor
  • Date product needs to be acquired
  • Name of tool/application
  • Description of software and its use
  • Where will the application reside (local or cloud)?
  • Will PHI or PII be shared with the vendor?
  • Is there a signed BAA on file?
  • Risks to WashU if the application stops working
  • Is sensitive data involved?

Information Security Screening Questions

  • Types of confidential and protected data that will be shared with the vendor
  • Will the data be transferred outside of the US?
  • Will the vendor host WashU data off-site?
  • Other impacted projects
  • Integration method (e.g., Outlook plug-in, API, vendor specific connector)
  • Who is supplying data to the vendor?
  • How will data be shared (e.g., cloud, questionnaire, survey)?
  • Does the project involve EPIC data?
  • Is BJC involved in the project?
  • Will the vendor have remote access to the university network?
  • Will confidential informtion be shared with the vendor?
  • Does the vendor serve a critical business function?
  • Impacts of unauthorized access, modification, or destruction of information shared with the vendor

Cost/Funding Information Questions

  • Cost associated with this purchase
  • Funding source
  • Approval status

9) Be prepared to provide the following documentation:

  • Master Agreement
  • Contract
  • Order form
  • Statement of work (SOW)
  • Quote
  • Diagram, plan, or description of the project

10) When you have completed all the required questions, the “Submit” button will turn blue. Click it to submit your form for review.