The University System of Georgia (USG) recently updated the USG Business Process Manual (BPM) to include a new section on Data Security requirements (BPM 3.4.4). The following Q&A provides information on the Supplier Contracts Assessment Intake Form created to fulfill these requirements. The details are shared to help you familiarize yourself with the process and understand how it affects contract creation and renewal. Please be aware that this process is still in its early stages and will be iterated upon as feedback is collected. We appreciate you taking the time to review the information below as we do our best to implement this process smoothly and efficiently.
- What is considered “data”?
- What security documentation is needed for the BPM 3.4.4 review process?
- Why is there a BPM 3.4.4 Supplier Contracts Assessment Intake Form?
- How often is the BPM 3.4.4 Supplier Contracts Assessment Intake Form required?
- What types of purchases are not required to follow the BPM 3.4.4 review process?
- Where do I find the BPM 3.4.4 Supplier Contracts Assessment Intake Form?
1. What is considered “data”?
Data includes but is not limited to:
- Personal Identifiable Information (PII)
- Health information
- Student information (FERPA)
- Restricted research data (CUI)
- Contact information including, without limitation: email address, physical address, phone number and other location data
- Unique personal identifiers and biographical information (e.g., date of birth)
- Information on data subjects: e.g. their personal background and/or photographs
- IP address or other online identifier
- Information related to visa requirements, copies of passports and other documents to ensure compliance with U.S. laws
- Financial information gathered for the purposes of administering fees and charges, loans, grants, scholarships, etc.
- Information related to the prevention and detection of crime and the safety of employees, students and visitors of Georgia Tech.
2. What security documentation is needed for the BPM 3.4.4 review process?
When you submit a BPM Intake Form, you will be asked to obtain one or more of the following to complete a Third-Party Security Assessment (TPSA):
- FedRAMP Medium or High Certification (active), OR
- ISO 27001 or ISO 27002 Certification (not expired), OR
- SOC 2 Type 2 Report (not more than 3 years old), OR
- HECVAT completed by the vendor (not more than one year old), using one of:
  - HECVAT Full v3.02
  - HECVAT Lite v3.02
If you are seeking to complete this review proactively, having one of these documents on hand can speed up the process.
3. Why is there a BPM 3.4.4 Supplier Contracts Assessment Intake Form?
The University System of Georgia (USG) recently updated the USG Business Process Manual (BPM) to include a new section on Data Security requirements (BPM 3.4.4). This new section helps evaluate and manage external access to any Institute and/or USG data.
Effective immediately, upon the creation of a new contract, amendment of a contract or at the next renewal of an existing contract, all USG institutions and organizations (collectively herein, “organizations”) must ensure that suppliers (or other third parties, herein, “suppliers”) with access to USG data are adequately protecting that data.
All USG institutions and organizations must ensure that suppliers (or other third parties) with access to USG data are adequately protecting that data. Such protection must be at least the same level of protection provided by Georgia Tech and/or the USG and as required by policy, law, or regulation.
Georgia Tech has created a USG-approved process for Cybersecurity review and Procurement review with documentation as required by the BPM. When data is shared with the supplier, the Departmental End user must complete the BPM 3.4.4 Supplier Contracts Assessment Intake Form to meet the USG requirements.
4. How often is the BPM 3.4.4 Supplier Contracts Assessment Intake Form required?
Essentially, whenever GT is purchasing or acquiring a good or service that will grant the supplier access to data. It is also required for any amendment, renewal, and/or one-time purchase where data is being shared. This includes zero-dollar ($0) purchases. Procurement may also require the BPM review process to be completed for other types of purchases.
Required annually for:
- All contracts housed in Workday (WD), plus any amendments and renewals.
Also required for, but not limited to, each purchase of:
- Cloud based software, not on a WD contract
- Networking equipment, not on a WD contract
- IaaS – Infrastructure as a Service, not on a WD contract
- Goods or services where the supplier has access to Students, Employees, Minors, Monies, Sensitive/Confidential Data, Mission-Critical Services, and/or Facilities.
5. What types of purchases are not required to follow the BPM 3.4.4 review process?
- Maintenance trades services (e.g., plumbing, roofing, electrical…)
- One-time speaker (e.g., public address on MLK Day)
- Event agreements
- Search firms
- Catering services
- Site assessment services
- Advertising
- Publishing/Journalistic services
- Installation of non-IT goods (e.g., tent rental and setup)
- Repair services: dining vent hoods, appliance repairs, lab equipment repairs
- Equipment maintenance services (PMs and calibrations), other than computer/server/IT equipment, which requires BPM review
- Facility management services
- Library Internet Databases for acquiring publications (when no data is being uploaded to supplier)
6. Where do I find the BPM 3.4.4 Supplier Contracts Assessment Intake Form?
The Intake Form is located in ServiceNow at the following link: (BPM 3.4.4 Supplier Contracts Assessment Intake). You can also locate the form by searching “BPM” in ServiceNow or by clicking on the “Financials” box on the home page and then clicking the “Procurement” box and following the link from there.
Questions?
Please submit a ServiceNow ticket to Procurement if you have any additional questions. Additional resources are located at our website at https://procurement.gatech.edu.
See also: Why is this BPM 3.4.4 Supplier Contracts Form Needed? Is it Required?