Skip to main content

Vendor Management Procedures


This document is to assist custodians, users, managers and information service providers in identifying what vendors meet the level of security, accessibility, and architecture required to operate and protect data for which they are responsible. It specifies the details as referred to by:


All vendors of cloud, software, hardware and systems must meet the requirements of Boise State Policy and procedure and be reviewed and approved by the OIT Software Architecture Review Board (SARB).


It is the responsibility of the users to obtain approval of SARB before the purchase of any software or system. Details, including how to make a request can be found on the SARB Request website.

Some pre-approved software and systems include:

  • Procurement of non-sensitive data, specifically if no Boise State faculty or staff have access to the software and if Boise State is directing users to a third-party website (e.g. ZTRAX).
  • Procurement to access a website that allows specific faculty and staff users to view content (e.g. New York Times).
  • Procurement of social media applications that students and the general public are not required to utilize (e.g. X).
  • Procurement of standard hardware from OIT.
  • Procurement of a vendor where Boise State does not take ownership of the content that students and/or general public are not required to utilize (e.g. AAA Flag and Banner).

It is the responsibility of the SARB to ensure:

  • Vendors meet the level of security based on the type of data they will be processing. This is usually done through a HECVAT or a Boise State Security Assessment.
  • Vendors meet accessibility standards. This is normally accomplished through a VPAT.
  • The software or system must work with a compatible architecture for the University, as determined by the SARB committee and University data architect.

Non-Compliance and Exceptions

A Request for Exception can be submitted at Non-compliance with these standards may result in revocation of access, notification of supervisor, and reporting to the Office of Internal Audit and Institutional Compliance.


Created: February 2022

Last Update: February 2023

Next Review: February 2025