Version 2023.04.28
BPM 3.4.4 – DATA SECURITY: CAMPUS GUIDANCE FAQ
The University System of Georgia (USG) recently updated the USG Business Process Manual (BPM) to include a new section on Data Security requirements (BPM 3.4.4). The following Q&A provides information on the recently introduced Supplier Contracts Assessment Intake Form created to fulfill these new requirements. The details are shared to help you familiarize yourself with the new process and understand how it impacts the contract creation and renewal process. Please be aware that this process is still in its early stages and will be iterated upon as feedback is collected. We appreciate you taking the time to review the below information as we do our best to implement this process smoothly and efficiently.
1. What is considered “data”?
2. What security documentation is needed for the BPM 3.4.4 review process?
3. Why is there a BPM 3.4.4 Supplier Contracts Assessment Intake Form?
4. How often is the BPM 3.4.4 Supplier Contracts Assessment Intake Form required?
5. What types of purchases are not required to follow the BPM 3.4.4 review process?
6. Where do I find the BPM 3.4.4 Supplier Contracts Assessment Intake Form?
1. What is considered “data”?
Data includes but is not limited to:
Personally Identifiable Information (PII)
Health information
Student information (FERPA)
Restricted research data (CUI)
Contact information including, without limitation: email address, physical address, phone number and other location data
Unique personal identifiers and biographical information (e.g., date of birth)
Information on data subjects, e.g. their personal background and/or photographs
IP address or other online identifier
Information related to visa requirements, copies of passports and other documents to ensure compliance with U.S. laws
Financial information gathered for the purposes of administering fees and charges, loans, grants, scholarships, etc.
Information related to the prevention and detection of crime and the safety of employees, students and visitors of Georgia Tech.
2. What security documentation is needed for the BPM 3.4.4 review process?
When you submit a BPM Intake Form, you will be asked to obtain one or more of the following to complete a Third-Party Security Assessment (TPSA):
1. FedRAMP Medium or High Certification (active), OR;
2. ISO 27001 or ISO 27002 Certification (not expired), OR;
3. SOC 2 Type 2 Report (not more than 3 years old), OR;
4. HECVAT filled out by the vendor (not more than one year old)
a. HECVAT FULL v3.02 "HECVAT FULL"
b. HECVAT LITE v3.02 "HECVAT LITE"
If you are seeking to complete this review proactively, having one of these documents on hand can speed up the process.