This is restricted access content. Please don’t forget to logout if you are using public computer.
Technology & Information Services Review
Schools and central divisions are required to complete a Tufts Technology Services (TTS) Technology & Information Services Review under the following scenarios:
- When purchasing or engaging any technology or service that involves Tufts data (including vendor hosted solutions, cloud services, consulting engagements, and third party services)
- When existing technologies or services undergo significant changes or upgrades (such as changes to functionality, data handling, hosting, or system access)
- When adding new modules, software components, integrations, or services to an existing product or vendor
- Before accepting donated software, technologies, or services, regardless of cost
What Is Considered Information Technology or Information Services?
Information Technologies or Information Services include any item or engagement — such as hardware, software, systems, platforms, applications, equipment, licenses, or services — that is being considered for implementation or use at Tufts.
This includes professional services and consulting engagements where a vendor or service provider:
- Requires access to Tufts systems or networks, and/or
- Receives, accesses, processes, stores, or analyzes Tufts data, including bulk data about members of the Tufts community.
Use the following checklist to help determine whether a review is required.
If any one or more of the questions are answered “Yes,” a TTS Technology & Information Services Review is required.
IT & Information Services Checklist
Networking
- Does it use the Tufts wired or wireless network, VPN, or cellular network?
Data / Information
- Will Tufts data be sent to or received from other university systems?
- Does the product or service collect, process, analyze, or exchange data or information?
- Will Tufts data be provided to a vendor, consultant, or third party service?
- Is Tufts data stored or hosted by the vendor in an on premises or cloud based platform?
Web
- Is there a web portal or login used to access dashboards, reports, or data?
- Will the product or service publish Tufts data to a public facing website?
Software
- Is there software or a system behind the product or service that collects, tracks, stores, or manages information?
- Does it require software installation, configuration, or updates?
Professional Services / Consulting
- Does the engagement involve technology, data analysis, system access, medical equipment, mobile applications, or websites?
- Will the service provider require access to Tufts systems or Tufts data to perform their work?
Areas of Review
Technology & Information Services Reviews include a coordinated assessment of the following areas:
- Solution Architecture & Integrations: Review of the overall solution design, including system architecture, data flows, integrations with Tufts systems, and operational considerations – Performed by the appropriate TTS Service Area Director
- Security & Privacy: Evaluation of data protection, privacy, risk, vendor access, and compliance regulations with Tufts security and data handling requirements – Performed by the Office of Information Security (OIS)
- Accessibility: Assessment of digital accessibility to ensure compliance with applicable accessibility standards and Tufts policies – Performed by the TTS Accessibility Team
- Contractual & Legal Terms: Review of contractual terms and conditions related to technology or services, including data protection, privacy, security obligations, AI, permitted use of Tufts data, vendor access to systems, risk allocation, and regulatory compliance – Performed by TTS IT Contracts, Procurement, or University Counsel as applicable
Examples of When to Request Review
The following are common examples of scenarios that require a Technology & Information Services Review. These examples are not exhaustive.
- Considering a project to address a business need that requires software, a system, or a cloud based service, including free or trial offerings
- Purchasing or obtaining (including for free) a product or service that integrates with other Tufts systems; requires Tufts data to be pre loaded, uploaded, or routinely updated; or receives bulk data about members of the Tufts community (e.g., students, faculty, staff, patients, alumni, donors, or research subjects)
- Accepting donated software, technologies, and/or services that will be used in clinical, operations, or instructional settings
- Implementing vendor hosted or cloud services where Tufts non-public data is stored, processed, or analyzed outside of Tufts managed systems
- Engaging consulting or hosting services for websites or mobile applications
- Purchasing or obtaining (including at no cost) information analysis, assessment, or professional services that will require giving access to Tufts Institutional Data that is not considered public information
- Purchasing or obtaining (including at no cost) software, systems, or services that may involve sensitive or regulated data, such as student records, health or clinical information, sensitive personal information (SPI), regulated data, or other sensitive institutional data per the TTS Information Stewardship Policies
TTS also will perform security and accessibility reviews for tools that will be distributed broadly and integrated into applications such as Canvas integrations, Zoom apps, Teams apps, browser plugins, etc.
Getting Started
Tufts Community (non-TTS)
Contact TTS in one of these two ways:
- Contact the TTS Director in your service area and discuss the initiative. The TTS Director will evaluate and discuss next steps. If the initiative is recommended to continue through the process, these two next steps must be performed:
- The TTS Director or their designate will perform a goals and technical expectations review discussion with you.
- You need to download and complete the Background and Overview Information (.docx) form, thoroughly answering the questions, and send the fully completed form to:
Please make sure to include the name of the TTS person who performed the technical review with you.
- Send an email to it@tufts.edu with the subject “Technology & Information Services Review” explaining your initiative and goals. An IT representative will find the right TTS Directorate to evaluate your request and discuss next steps.
If the initiative is recommended to continue through the review process, steps 1.1 and 1.2 above will need to be completed.
TTS-Initiated Review
Reviews initiated within TTS assume the relevant TTS Director has performed a technical review. The next steps after this technical review are:
- Submit a request to the TTS IT Acquisitions Intake Portal.
- Download and complete the Background and Overview Information(.docx) form, thoroughly answering the questions, and send the fully completed form to:
Next Steps
After this initiative goes through intake, a TTS representative will contact you with the status. Do not proceed with purchasing anything until cleared to do so.
Other Requirements
- All solutions must use TTS central SSO for user authentication. Make sure you check with the vendor to make sure you are buying the right licenses to enable this. Sometimes a vendor requires purchasing “enterprise” licenses to get integration with Tufts authentication systems. Any concerns can be discussed during the review process.
- Any solution which requires the import of, or is used to store, Tufts’ data, must support automated data flows, including API or direct SQL access. Exceptions to this data flow process must be discussed with TTS Director of Data Strategy and Engineering as early as possible. Exceptions must then be approved by the CIO.
- Follow standard purchasing and contract processes with Procurement and TTS Contracts.
More Information
- For more information about this review process, contact IT Acquisitions at ITAcquisition@tufts.edu
- For general IT support, contact Tufts Technology Services at 617-627-3376 or it@tufts.edu
Provided by Tufts Technology Services