Software Request Security Review

On July 1, 2025, a new Software Request process will be implemented on campus. This page will be updated to share details and instructions about the new process. If you have any questions, contact Procure to Pay for more information.

Overview

The Security Review ensures that any software, service, or platform acquired by SDSU protects university systems and data, and complies with CSU and campus policies. Whether you're purchasing a new cloud platform, deploying on-premise software, or installing a browser add-on, a security review may be required before approval.

All staff and faculty can make a Software Request. Prior to acquisition, all technology products and associated technology purchased or obtained at no cost (including free software) must be reviewed for potential accessibility and data security risks. There is no cost to you or your department to submit a Software Request.

How the Security Review Works

1. Initial Intake

• You submit a Software Request, identifying the type of technology and the data it will access.

2. Data Classification

• Based on your responses on the ServiceNow Software Request, we classify the data as:
  • Level 1 (Confidential): Highly sensitive (e.g., SSNs, HIPAA, student records)
  • Level 2 (Internal Use): Non-public but not regulated
  • Level 3 (General): Public or low-risk data

3. Security Review Trigger

• If the request involves Level 1 or 2 data, integration with SDSU systems, or is a free plug-in/add-on, it enters a formal security review.

4. Documentation Review

• You or the vendor provide security documentation (see below). The IT Security Office evaluates the risks and advises on mitigations or needed controls.

5. Outcome

• You’ll receive feedback from the IT Security Office if deemed High Risk.
• High Risk requests may be escalated to the Associate VP/Management for review.

What Documentation Is Required?

For Level 1 and/or Level 2 data, documentation needs vary depending on where the technology is hosted.

On-Prem (SDSU-Hosted Software)

• System Documentation¹
• Data Flow Diagram
• Device registration in ServiceNow CMDB
• Access control and encryption details
• Installation of Qualys Cloud Agent
• Installation of Log Analytics
• Attestation of Compliance (PCI-DSS) (if applicable)

On-Prem (Local Install)

• Computer onboard into JAMF or Intune
• MS Defender anti-virus
• Access control and encryption details
• Device registration in ServiceNow CMDB
• Level 1/Level 2 data not stored on the computer

Cloud Platforms/SaaS

• SOC2 Type2 or ISO 270xx Certification
• HECVAT²
• Attestation of Compliance (PCI-DSS) (if applicable)

Add-ons/Plug-ins

• Privacy policy
• Statement of data collection and storage
• Terms of Service
• Update and patching process

 Notes

¹ System Documentation consists of network diagram, patch management process, and access control and encryption details.

²HECVAT or the Higher Education Community Vendor Assessment Toolkit, is a standardized questionnaire used by higher education institutions to assess the security and privacy risks of third-party vendors, particularly those providing cloud services. Created by leaders in higher education in collaboration with EDUCAUSE.

What Should Requesters Expect?

• Timeline: Reviews typically take 5–10 business days after complete documentation is submitted. Reviews for Level 1 data or large platforms may take longer.
• Follow-Up: You may be asked to coordinate with IT or provide additional clarification about usage, user roles, or integration.
• Approval or Conditions: Some requests may be approved with conditions (e.g., encryption, limited access, data security plan).

Get Started

More information can be found at the main SDSU Procure to Pay website.