Information Technology Services chairs the Solution Consulting committee. This committee is in place to evaluate any software or cloud acquisition made by CSU Bakersfield. This committee evaluates the security and accessibility of the products being acquired and provides oversight to prevent duplication of products and services, thereby reducing software costs to the campus community.

Products that would require a Solutions Consulting review include any software or cloud-based tool. Including freeware products, hardware devices that also have a software interface or require connectivity to the campus network, such as laboratory devices, tools utilized in a classroom or lab, or other Internet of Things (IoT) devices.

The committee comprises representatives from various departments on campus including Information Technologies Services, Procurement, and the Center for Accessibility and Essential Needs (CAEN).

Members

Solutions Consulting Committee

Brian Chen

Deputy Chief Information OfficerITS - Enterprise Applications

Email: bchen@csub.edu

Bryan Ellison

Service Operations ManagerITS - Support Services/Reprographics

Email: bellison2@csub.edu

Crystal Jenkins

Procurement and Contracts SpecialistProcurement and Contract Services

Email: cjenkins@csub.edu

Doug Cornell

Information Security OfficerInformation Technology Services

Email: dcornell@csub.edu

Jaimi Paschal

Director of Academic Technology Services and ITS GrantsITS - Academic and Instructional Tech

Email: jpaschal@csub.edu

Jason Watkins

Acting DirectorCenter for Accessibility and Essential Needs

Email: jwatkins4@csub.edu

Pierre Igoa

Web Services and Communications ManagerInformation Technology Services

Email: pigoa2@csub.edu

Shan He

Web AccessibilityWeb Services

Email: she@csub.edu

Terri Kelly

Procurement and Contracts SpecialistProcurement and Contract Services

Email: tkelly13@csub.edu

Goals

Reducing the Legal Risk to the Campus – Every product being utilized on the campus brings additional legal risk. From a product not being properly secured and leaking campus data to unauthorized users, poorly run service organizations that lose campus data, failure to address contractual obligations being placed on the campus in contract terms or user agreements, all expose the campus to legal risk.

Accessibility – The campus must comply with the CSU’s Accessible Technology Initiative (ATI), which reflects the California State University's (CSU) ongoing commitment to providing access to information resources and technologies for individuals with disabilities. This commitment is articulated in Executive Order 1111, the CSU Board of Trustees Policy on Disability Support and Accommodations.

These reviews are conducted by the campus Technology Accessibility Review Committee (TAR).

Compliance – The campus must comply with various groups with oversight of our activities, some of these regulating bodies include: The state of California, The California State University Chancellor's Office, and the US Federal government, Family Educational Rights and Privacy Act (FERPA), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability (HIPAA) Payment Card Industry (PCI).

CSU IT Security Requirements

• Systems Acquisition, Development and Maintenance Policy
• Formal Risk Assessment Process
• Acquisition Policy

Controlling Costs – Given the diversity of our campus, it can be challenging to track which products are being used and the functionality they provide. The Solutions Consulting committee is responsible for identifying newly requested products for campus use and detecting any duplicate services. This effort aims to minimize the overall costs incurred by the campus.

Identifying Compatibility – The Solutions Consulting committee ensures that any new software product or service operates seamlessly on campus computing devices and does not create usability conflicts with other software packages.

Documenting Services – The Solution Consulting committee is responsible for tracking the products being used on campus. They maintain records of the data being gathered or utilized by each product, the application owner, and the application administrator.

Process

Please note that, depending on the vendor's responsiveness to documentation requests, the complexity of the solution, the backlog of tickets, and team availability, Solutions Consulting reviews typically take 5-8 weeks or more.

Before purchasing a product, you are required to complete a Solutions Consulting request form. Kindly ensure that each form includes only one product.

Begin by consulting the list of campus-approved software. If the desired product has already received approval from Solutions Consulting, no further review is required, allowing you to bypass the Solutions Consulting review process entirely.

Additionally, if a comparable product with equivalent functionality has been previously approved, it is strongly advised to use the existing approved software rather than initiating a new review. This approach helps manage campus expenditures efficiently and minimizes administrative workload.

If a review is required, you can access the form here: Solutions Consulting Request Form.

After submitting it, the Solutions Consulting committee will begin the review process.

• The ticket will be assigned to a committee member who will help the requester through the Solutions Consulting process. This person will be your point of contact throughout the process.
• The committee may request that the requester provide additional information from the company. Typical documentation may include contract terms, privacy policy, terms of use, data being collected, number of anticipated records, data classification, cyber liability Insurance coverage, Higher Education Community Vendor Assessment Toolkit (HECVAT), SOC 2, Voluntary Product Accessibility Template (VPAT) configuration requirements, PCI assertions, security contact information, application owner and administrator details, and technical configuration documentation.
• Based on the provided documentation, the campus Technology Accessibility Review Committee (TAR) will evaluate the accessibility of the product for users with disabilities. They may request that an Equally Effective Alternate Access Plan (EEAAP) document be drafted and signed, outlining how the application owner will assist the product users with accessibility concerns.
• Based on the documentation provided, ITS Security team will assess the product's security and evaluate the security controls and related compliance requirements. They will also provide recommendations on additional controls or deployment configurations that may be necessary when using the product on campus.
• Once the groups have completed their reviews, the Solutions Consulting committee will vote to approve or disapprove a product at a regularly scheduled weekly meeting.
• The Solutions Consulting committee will inform the requestor of their decision — approval or disapproval — and close the ticket. Please note that Solutions Consulting approval does not guarantee the product can be acquired. After the Solutions Consulting process, Procurement must complete the contractual review and verify funding.
• If required, the ITS Security team will update any application or data inventories.
• The requester then can work with Procurement to complete the purchase of the product or service.

If the Solutions Consulting committee concludes that a product or service presents an unacceptable security, accessibility, or contractual risk, the request may be denied. In such instances, the requester has the option to obtain a formal written waiver from a campus official holding a cabinet-level or higher position. At their discretion, the designated official may assume liability on behalf of the campus and authorize the product for use.

Communication

Any comments or questions can be emailed to the group distribution email at its-sc@csub.edu.

Additional Resources

General Data Protection Regulation (GDPR)

The GDPR is a comprehensive data privacy law enacted by the European Union (EU) to protect individuals' personal data and privacy rights. Following guidance from the CSU Chancellor's office legal team, CSUB has determined that the risk of maintaining GDPR compliance is too burdensome for the campus. Therefore, procurement will not process any solution governed by GDPR protections.

Accessibility Conformance Report (ACR) / Voluntary Product Accessibility Template (VPAT®)

A VPAT is a document that vendors use to explain how their Information and Communication Technology (ICT) products comply with accessibility standards, particularly those set by Section 508 of the Rehabilitation Act. Simply put, it’s a self-assessment report (or completed by a third party) that helps buyers evaluate a product’s accessibility features before purchasing. A VPAT is required for all software being acquired for use on campus. An ACR is a completed VPAT.

The Higher Education Community Vendor Assessment Toolkit™ (HECVAT)

The HECVAT is a tool designed to help college and university professionals more easily measure vendor risk.