Use this form to request approval before purchasing any software or online subscription, irrespective of the associated cost.
The approval process ensures:
- Compliance with university policies (usage, licensing, security)
- Compatibility with existing systems
- Adherence to data privacy and cybersecurity standards
- Support for software standardization across departments
- Proper licensing and legal compliance
- Budget alignment with university resources
- IT support and maintenance planning
Before Submitting Your Request:
Before completing this request form, please ensure the following steps have been completed:
- ✅ Review the University’s Software Index to confirm whether a similar or approved solution already exists.
- ✅ Complete the CES Security Risk Assessment Questionnaire to help identify potential risks.
- ✅ Gather the following key details:
  - Purpose and objectives of the software or service
  - Anticipated cost
  - Any hardware requirements
  - Supporting documents or technical information
- ✅ Be prepared to collaborate with your assigned Business Analyst (BA)
After submission, a BA will contact you to consult on compatibility, integration, and security considerations. This step helps streamline the approval process.
Approval Timelines:
- Standard requests: 1–3 business days
- Requests involving personal data, e-commerce, or network changes: 2–3 weeks
Security Requirements (Prerequisite)
Before submitting, confirm that the SaaS solution meets the following minimum security standards:
- Access Control
The application must integrate with the university’s Single Sign-On (SSO) system.
  - If SSO is not supported, two-factor authentication (2FA) must be available.
  - If neither option is supported, contact Todd Brown at todd_brown@byu.edu.
- Regulatory Compliance
The service must comply with applicable data protection regulations, including FERPA, PCI DSS, HIPAA, GLBA, and others as applicable.
Required Information for Submission
Please have the following ready when filling out the form:
- Functional Overview
A brief description of the cloud service/application’s purpose and key capabilities.
- Data Handling Details
Specify the types of data that will be processed or stored.
- Data Classification
Classify the system using the university’s Data Classification Policy. Use the IT System Classification Tool to determine the correct classification level.
- Vendor Security Documentation
The vendor must provide a current security audit report, certificate of conformance, or other recognized documentation that demonstrates adherence to security best practices. Preferred documents include:
  - SOC 2 Type II (third-party)
  - SOC 2 Type I (third-party)
  - ISO/IEC 27001:2013 certification
  - HECVAT v3+ (Required for services handling Restricted data)
  - HECVAT Lite v3+ (For services storing Private data not classified as Restricted)
  - CAIQ v4+
If the vendor does not possess any of the documents listed above, they must complete the appropriate version of the HECVAT (available through EDUCAUSE).
Please Note: Failure to submit a request prior to purchase may result in:
- Loss of PCard privileges
- A request to return the item
- Lack of IT support
- Reimbursement of university funds