Application and Cloud Services Assessment Requestor Questionnaire v6.0

Please fill in a valid value for all required fields

Please ensure all values are in a proper format.

Are you sure you want to leave this form and resume later?

Are you sure you want to leave this form and resume later? If so, please enter a password below to securely save your form.

You must upload one of the following file types for the selected field:

There was an error displaying the form. Please copy and paste the embed code again.

There was an error initializing the payment processor on this form. Please contact the form owner to correct this issue.

Application and Cloud Services Assessment Requestor Questionnaire

The Risk and Compliance team assesses server applications or services for appropriate use for the specific data type and this questionnaire assists in providing an understanding of your IT purchase to determine if a full assessment is necessary. Please fill out the questionnaire below and we will begin our assessment. Please note, we complete requests in the order we receive them and timelines are dependent on the responsiveness of the requestor, vendor, and the complexity of the agreement.

Product Information

Please give the main email contact that needs to be included on communications for this request:*

Please list any other email contact(s) that need to be included on communications for this request:

What school, unit, or department are you associated with?*

Please indicate if there is a deadline to complete this purchase:

https://ucdenverdata.formstack.com/forms/images/2/calendar.png

Month

Day

Year

What is the name of the product/service you wish to purchase?*

What is the name of the supplier/vendor associated with this purchase?*

What are you purchasing? (Select all that apply):*

Software on-premise (the application is hosted on a server within the department or CU data center) Software off-site (vendors hosts at their location or a third-party site) Mobile Application (Smartphone, Tablet, etc.) Hardware or Equipment Consulting Services and/or Staff Augmentation Custom Content Creation/Application Development

Other: Other Value

What is the term of this contract/purchase/agreement?*

1 year 2 year 3 year

Other: Other Value

Will University data be collected, processed, or stored through the use of this application? *

Yes No

What is the classification of the data used for this application/service? Please refer to this Data Classification link ( https://www.cu.edu/security/data-classification ) for guidance and select one option below: *

Public Data Confidential Data Highly Confidential Data

What is the potential impact if a loss of data confidentiality, integrity, or availability occurs? High, Moderate, or Low - as defined on this link https://www.cu.edu/security/about-adverse-impact*

Low Impact Moderate Impact High Impact

Where do users access data from?*

On Campus Off Campus Both

Where is the data stored?*

On-premise: CU hosts the data within a department server or OIT Data Center. Off-premise: Vendor hosts data at their location or a third-party location. Desktop Application: Data is stored locally on a laptop/computer/tablet.

Is an internet connection required to send data out to an external vendor resource?*

Yes No

How will you be purchasing this product/application? *(Select all that apply):? *

Procurement Service Center (cost or no cost CU Marketplace requisition) Procurement Card / Open Source / Free Request for review prior to generating purchase request, RFP, or acquisition

Other: Other Value

What type of purchase is this? *

Renewal/upgrade or additional module New Request

If this is a renewal, has the RAC previously reviewed this product/application? If so, please list the date below.*

If this is a renewal, do you have a current Business Associate Agreement (BAA) with the vendor? If “yes,” please provide a copy via email.*

Yes No Not Applicable

Please describe in detail how the product, application, or service will be used.*

If you have not already, please reach out to the Office of Regulatory Compliance (ORC) using the link (https://redcap.ucdenver.edu/surveys/index.php?s=LNXN9C3JM9) to determine if a BAA is needed since this application will be used with HIPAA/PHI data

More information can be found here https://research.cuanschutz.edu/regulatory-compliance/home/hipaa/business-associate-agreements

Please note, this process is separate from the Application Assessment process.

If you selected, “On-premise” or “Off-premise” solution to the question "Where is the data stored?" additional information is needed. Please respond to questions in the following section.

Will this product collect, process, or store any of the following personally identifiable information (Select all that apply)? *

Name Email Address Date of Birth Address Student or Employee Identification Number National Identification Number (SSN, Passport #, etc.) Race or Ethnicity Sex, Gender Identity, or Sexual Orientation Cookie IDs or Website Tracking Details Uncertain about the data the product will handle

Other: Other Value

How do users access this application/service?*

Web Browser Desktop Application

Other: Other Value

Will this product collect, process or store any of the following data types (Select all that apply)? *

Employee Data (Including Student Employee Data) Student or Academic Data (Including, but not limited to: grades, courses taken, transcripts, homework assignment, etc.)(FERPA) Patient Health Information (HIPAA) Credit Card Numbers or Transactions (PCI-DSS) Financial Account Numbers or Information (GLBA) Data provided by subjects residing in the European Union (GDPR) Human Subjects Research Animal Research Uncertain about the data the product will handle

Other: Other Value

If PHI is stored, will the data be de-identified? *

Yes No

If the data is not identifiable, please describe how the data will be de-identified and shared with the vendor. *

More information can be found here https://research.cuanschutz.edu/regulatory-compliance/home/hipaa/business-associate-agreements

Please note, this process is separate from the Application Assessment process.

How many records will be stored/processed in the product or application?*

1 – 25 records 26 - 99 records 100 - 499 records 500 – 9,999 records 10,000+ records

Records may be applicable to the amount of data stored on each individual or it can apply to the amount of data files stored.

Will this request require integration with other CU Systems?*

Yes No

If yes, the integration is a separate process. Please fill out this form to begin the data integration process - https://forms.ucdenver.edu/secure/dataintegrationrequest

Please describe the systems that this product will integrate with and the connection that will exist between the product and the system. If the product will integrate with a system containing Confidential or Highly Confidential data, please indicate this as well. *

Who will have access to the data: *

CU Staff/Faculty Affiliates Vendors

In accordance with University policy, will University data be stored within the US? *

Yes No Unsure of which country the data will be stored in.

Please provide the vendor’s email contact information for this product:*

Please state the individual completing this form and please list your Title as well:*

Please state the Business Owner (i.e. Department Head, PI, etc.) and please list your Title as well:*

Please feel free to offer any additional information regarding this purchase that may be pertinent for our review/assessment in the box below: