CPP ATI/IT Review Process

  1. Prior to purchase*, submit an ATI/IT Review via eHelp
    1. To submit an ATI/IT Review, click ATI/IT Review or search “ATI” on eHelp after you have logged into eHelp
    2. Attach any related, invoice, requisition, grant, contracts or bid information to the ATI/IT Review request.  
    3. *Includes requisition, direct pay, & Pcards - state, ASI and foundation purchases.  
  2. The IT Compliance Program Analyst or Requestor contacts vendor for compliance documents
    1.  Accessibility Information
      1. VPAT - The VPAT is the vendor's testament of the accessibility strengths and limitations of their product in meeting the provisions of Section 508. The terms and conditions assigned to the PO reflect the vendor’s responsibility to comply with the accessibility statements represented within the submitted VPAT.
        1. VPAT 2.2 Template (VPAT 2.2 Template (Word)) following the CSU instructions (CSU Vendor Accessibility Requirements).
      2. Accessibility Roadmap to address any barriers to accessibility  (CSU Accessibility Roadmap Template).
      3. Other vendor Accessibility requirements:  CSU Vendor Accessibility Requirements.
    2. Security compliance information
      1. CSU & CPP Security Policy, Standards & Guidelines
      2. Higher Education Cloud Vendor Assessment Tool (Excel) (HECVAT) - The HECVAT is a standardized assessment tool that allows higher education institutions to ensure cloud services are appropriately assessed for security and privacy needs.
      3. User access reviews for systems with Level 1 & Level 2 data.  
        1. Application administrator(s) will be asked to provide a review of user access review at the time of renewal. The application administrator(s) will review and/or edit users to ensure the user access is current.  The review will be documented as part of the ATI/IT review process.    
  3. IT Security & Compliance assesses the gathered information. 
    1. Review accessibility and security compliance information
    2. Perform and document accessibility compliance testing for websites and online applications.
    3. Contact vendor regarding any compliance concerns
      1. Obtain roadmaps to address any barriers to accessibility or security risks. (CSU Accessibility Roadmap Template).
    4. Contact requestor for any compliance concerns
      1. Document a plan for equally effective access to address any barriers to accessible access to programs, services, learning outcomes, etc.  
        1. An Equally Effective Access Plan (EEAAP) is gathered for providing equitable, effective and full participation in the use of the ICT product or service with consideration of any documented accessibility limitation.  
      2. Document any needed security risk mitigation plans.  
  4. IT Security & Compliance completes the review.
    1. Escalate any compliance concerns to the CISO and/or CIO.  
    2. Requestor receives an emails documenting the completed ATI and IT Review. 
      1. Separate emails are sent for ATI and IT Reviews.  Emails are sent from:  IT@CPP Service Portal.  
        1. IT Review  requires the CIO signature for ICT hardware purchases $5,000 or more; software & IT services of over $1,000.  (The CIO's Office will forward requisition to Procurement & Support Services once it is signed.)  
        2. If the purchase is under the CIO thresholds mentioned above, forward your purchase requisition directly to Procurement & Support Services.  
For more information about ICT requisitions, please contact Judy Shui (909) 979-6484, Carol Gonzales 909-979-6457 or Cathy Schmitt Whitaker at (909) 979-6023.