What Technology Purchases Need Review?
The IT Governance group at VCU must review technology and software before they are purchased and used. This process ensures the technology is safe, accessible, and follows VCU standards, policies and compliance requirements.
Visit the IT Governance Dashboard to see what is currently under review and approved for use by units.
IT Governance Review Matrix
This table summarizes the types of technology that must be submitted for review versus those that are exempt or already approved.
| Category | Key Details and Examples | Third-Party Vendor and Data Sharing | IT Gov Review Required? |
|---|---|---|---|
| New Software | Examples include: a new system for processing purchase orders across multiple departments; cloud service to store staff health and benefit information; software that connects to our main financial system to calculate payroll. | YES (Shares or transmits VCU data with any vendor or external institution) | YES |
| Already Approved Software | Check the Approved Software List. This software is approved for use with Category III data without submitting for review. | YES (Vetted to handle Category III data only) | NO |
| AI Technology | Generative AI and other AI technologies must be vetted and approved. Review the current list of available AI technology at VCU. | YES (Shares or transmits VCU data with any vendor or third party provider) | YES |
| Software with AI Features | An approved technology that is currently in use has had AI features added by the vendor. | YES (Shares or transmits VCU data with any vendor or third party provider) | YES |
| Contract Renewal | Re-review is required typically every 3–5 years upon software contract renewal, or every 3 years if there is no formal contract. | YES (Shares or transmits VCU data with any vendor or third party provider) | YES |
| Browser Extensions | Browser extensions are currently not reviewed by IT Governance; however, use caution when installing as some gain full access to your Google account. | POSSIBLE based upon extension installed (do not enable extensions that share data with a third party). | NO |
| Online Subscription Service | A single subscription to an online journal, service or research database, etc. | NO (No VCU data is shared with the third party). | NO |
| Individual Software | Standard software installed on a single computer without external data sharing. | NO (Installed locally; NO third party receives, stores, or transmits VCU data) | NO |
| Hardware Purchases | Examples: Desktop computers, technology accessories, and classroom technology hardware. | N/A | NO |
What happens if I do not put an IT investment through IT Governance review?
- Governance review is required due to:
- Accessibility compliance requirements.
- Risk management for data security and data privacy.
- Reporting requirements on software subscriptions from the VCU Controller's office.
- Not utilizing the Governance process prior to purchase puts both the individual and the corresponding department/unit in violation of our Business Partner Security Standard.