Software Purchase Request

Use this form to request approval before purchasing any software or online subscription, irrespective of the associated cost.

The approval process ensures:

  1. Compliance with university policies (usage, licensing, security)
  2. Compatibility with existing systems
  3. Adherence to data privacy and cybersecurity standards
  4. Support for software standardization across departments
  5. Proper licensing and legal compliance
  6. Budget alignment with university resources
  7. IT support and maintenance planning

Before Submitting Your Request:

Before completing this request form, please ensure the following steps have been completed:

  • Review the University’s Software Index to confirm whether a similar or approved solution already exists.
  • Complete the CES Security Risk Assessment Questionnaire to help identify potential risks.
  • Gather the following key details:
    • Purpose and objectives of the software or service
    • Anticipated cost
    • Any hardware requirements
    • Supporting documents or technical information
  • Be prepared to collaborate with your assigned Business Analyst (BA)
    After submission, a BA will contact you to consult on compatibility, integration, and security considerations. This step helps streamline the approval process.

Approval Timelines:

  • Standard requests: 1–3 business days
  • Requests involving personal data, e-commerce, or network changes: 2–3 weeks

Security Requirements (Prerequisite)

Before submitting, confirm that the SaaS solution meets the following minimum security standards:

Access Control
The application must integrate with the university’s Single Sign-On (SSO) system.

  • If SSO is not supported, two-factor authentication (2FA) must be available.
  • If neither option is supported, contact Todd Brown at todd_brown@byu.edu.

Regulatory Compliance
The service must comply with applicable data protection regulations, including FERPA, PCI DSS, HIPAA, GLBA, and others as applicable.

Required Information for Submission

Please have the following ready when filling out the form:

  • Functional Overview
    A brief description of the cloud service/application’s purpose and key capabilities.
  • Data Handling Details
    Specify the types of data that will be processed or stored.
  • Data Classification
    Classify the system using the university’s Data Classification Policy. Use the IT System Classification Tool to determine the correct classification level.
  • Vendor Security Documentation
    The vendor must provide a current security audit report, certificate of conformance, or other recognized documentation that demonstrates adherence to security best practices. Preferred documents include:
    • SOC 2 Type II (third-party)
    • SOC 2 Type I (third-party)
    • ISO/IEC 27001:2013 certification
    • HECVAT v3+ (Required for services handling Restricted data)
    • HECVAT Lite v3+ (For services storing Private data not classified as Restricted)
    • CAIQ v4+

***If the vendor does not possess any of the documents listed above, they must complete the appropriate version of the HECVAT (available through EDUCAUSE).

Please Note: Failure to submit a request prior to purchase may result in:

  • Loss of PCard privileges
  • A request to return the item
  • Lack of IT support
  • Reimbursement of university funds