V
ersion 2023.04.28
BPM
3.4.4
–
DATA
SECURITY: CAMPUS
GUIDANCE
FAQ
The University System of Georgia (USG) recently updated the USG Business Process Manual (BPM) to
include a new section on Data Security requirements (BPM 3.4.4). T
he following Q&A provides information
on the recently introduced Supplier Contracts Assessment Intake Form created to fulfill these new
requirements. The details are shared to help you familiarize yourself with the new process and understand
how it impacts the contract creation and renewal process. Please be aware that this process is still in its
early stages and will be iterated upon as feedback is collected. We appreciate you taking the time to review
the below information as we do our best to implement this process smoothly and efficiently.
1.
What is considered “data”?
2.
What security documentation is needed for the BPM 3.4.4 review process?
3.
Why is there a BPM 3.4.4 Supplier Contracts Assessment Intake Form?
4.
How often is the BPM 3.4.4 Supplier Contracts Assessment Intake Form required?
5.
What types of purchases are not required to follow the BPM 3.4.4 review process?
6.
Where do I find the BPM 3.4.4 Supplier Contracts Assessment Intake Form?
1. What is considered “data”?
Data includes but is not limited to:
Personal Identifiable Information (PII)
Health information
Student information (FERPA)
Restricted research data (CUI)
Contact information including, without limitation: email address, physical address, phone number
and other location data
Unique personal identifiers and biographical information (i.e., date of birth)
Information on data subjects: e.g. their personal background and/or photographs
IP address or other online identifier
Information related to visa requirements, copies of passports and other documents to ensure
compliance with U.S. laws
Financial information gathered for the purposes of administering fees and charges, loans, grants,
scholarships, etc.
Information related to the prevention and detection of crime and the safety of employees,
students and visitors of Georgia Tech.
2. What security documentation is needed for the BPM 3.4.4 review process?
When you submit a BPM Intake Form, you will be asked to obtain one or more of the following to complete
a T
hird-Party Security Assessment (TPSA):
1. F
edRamp Medium or High Certification (Active), OR;
2. ISO 27001 or ISO 27002 Certification (not expired), OR;
3. SOC2 Type 2 Report (not more than 3 years old), OR;
4. HECVAT filled out by Vendor (not over one-year-old)
a. HECVAT FULL v3.02 "HECVAT FULL
"
b. HECVAT LITE v3.02 "HECVAT LITE"
If you are seeking to complete this review proactively, having one of these documents on hand can speed
up the process.
V
ersion 2023.04.28
3. Why is there a BPM 3.4.4 Supplier Contracts Assessment Intake Form?
The University System of Georgia (USG) recently updated the USG Business Process Manual (BPM) to
include a new section on Data Security requirements (BPM 3.4.4). T
his new section helps evaluate and
manage external access to any Institute and/or USG data.
Effective immediately, upon the creation of a new contract, amendment of a contract or at the next
renewal of an existing contract, all USG institutions and organizations (collectively herein,
“organizations”) must ensure that suppliers (or other third parties, herein, “suppliers”) with access to
USG data are adequately protecting that data.
All USG institutions and organizations must ensure that suppliers (or other third parties) with access to
USG data are adequately protecting that data. Such protection must be at least the same level of
protection provided by Georgia Tech and/or the USG and as required by policy, law, or regulation.
Georgia Tech has created a USG-approved process for Cybersecurity review and Procurement review with
documentation as required by the BPM. When data is shared with the supplier, the Departmental End
user must complete the BPM 3.4.4 Supplier Contracts Assessment Intake Form to meet the USG
requirements.
4. How often is the BPM 3.4.4 Supplier Contracts Assessment Intake Form required?
Essentially, whenever GT is purchasing or acquiring a good or service that will grant the supplier
access to data. It is also required for any amendment, renewal, and/or one time purchase where data
is being shared. This includes zero ($0) dollar purchases. Procurement may also require the BPM
review process to be completed for other types of purchases.
Required annually for:
•
All contracts housed in Workday (WD) plus any amendments and renewals.
Also, but not limited to each purchase of:
•
Cloud based software, not on a WD contract
•
Networking equipment, not on a WD contract
•
IaaS – Infrastructure as a Service, not on a WD contract
•
Goods or services where the supplier has access to Students, Employees, Minors, Monies,
Sensitive/Confidential Data, Mission- Critical Service, and/or Facilities.
5. What types of purchases are not required to follow the BPM 3.4.4 review process?
•
Maintenance Trades Services (ex. plumbing, roofing, electrical…)
•
One-time speaker (ex. public address on MLK day)
•
Event agreements
•
Search firms
•
Catering services
•
Site assessment services
•
Advertising
•
Publishing/Journalistic services
V
ersion 2023.04.28
•
Installation of non-IT goods (ex. Tent rental and setup)
•
Repair services – dining vent hoods, appliance repairs, lab equipment repairs
•
Equipment maintenance services – PM’s and calibrations: (other than computer/server/IT equipment
which require BPM review)
•
Facility management services
•
Library Internet Databases for acquiring publications (when no data is being uploaded to supplier)
6. Where do I find the BPM 3.4.4 Supplier Contracts Assessment Intake Form?
The Intake Form is located in ServiceNow at the following link: (BPM 3.4.4 Supplier Contracts Assessment
Intake). You can also locate the form by searching “BPM” in ServiceNow or by clicking on the “Financials” box
on the home page and then clicking the “Procurement” box and following the link from there.
Questions?
Please submit a ticket in ServiceNow to request help from Procurement if you have any additional questions.
Additional resources are located at our website at https://procurement.gatech.edu/home.
See also: Why is this BPM 3.4.4 Supplier Contracts Form Needed? Is it Required? (service-now.com).
