The following procedure will need to be followed for all software and electronic services purchases, regardless of whether the purchase will be submitted through Reaction (https://reaction.scs.illinois.edu) or purchased via P-Card by a staff member.
Why is the University launching this new procedure? The new procedure ensures that the University is in compliance with FERPA (Family Educational Rights and Privacy Act), a federal law protecting student privacy, and ensures that University data is adequately protected.
The basic steps are:
Submit the Lightweight Risk Assessment (LRA)
The first step in any software purchase or renewal is the Lightweight Risk Assessment (LRA). The LRA really needs to be filled out by the faculty or staff member requesting the software as there are many "use case" questions that other staff will not have answers for. The LRA is an online form (an offline version is available but can only be used for preparation, not submission!).
The online LRA is something of a "choose your own adventure" form - the answers to the first few questions determine what questions are presented next. The offline version contains ALL questions, not all of which will pertain to your situation. If you are unsure how to answer some of the questions, first consult the "LRA Useful Information" KB article. Additional inquiries can be sent to SCS Computing (scs-computing@illinois.edu) and we will discuss your questions and needs with you.
You can add Jay Guelfi (jeguelfi@illinois.edu) (or other SCS Computing staff) as the “person responsible for configuring, maintaining and updating this system/solution” (question 4 on the LRA) and/or as an “alternate University contact”. Jay can then get a copy through the CyberSecurity office if needed. NOTE: Please DO NOT add scs-computing@illinois.edu - TDX (Tech Services' ticket system) and RT (SCS Computing's ticket system) do not play nicely together.
After you submit the LRA form, you’ll receive an email from “GRC Survey” indicating that they’ve received the Vendor Risk survey. At some point, you’ll likely also receive an email from servicereplies@uillinois.edu with a subject that contains a service request number and the words “Lightweight Risk Assessment”.
LRA Evaluation & Findings
Once the LRA is submitted, it is reviewed by the GRC (Governance, Risk and Compliance) team, a subset of the University's CyberSecurity Office. The GRC will determine what additional steps, if any, will be required before the purchase is allowed.
This review is an effort to ensure that student data (FERPA data) is adequately protected. They will get back to the faculty or staff member who submitted the request with their findings.
IMPORTANT NOTE: Per https://cybersecurity.illinois.edu/governance/, the GRC has 90 days to review the submitted LRA and provide written feedback. If a faster turnaround is needed, you can try emailing digitalrisk@illinois.edu to see if that's possible.
The GRC will reply to the ticket with any questions, and will update the ticket with their final report. When the final report is issued, the subject line will have the service request number and will end with “has been updated to Resolved”. Please note that each email from TDX (Tech Services' ticket system) will have a slightly different subject line, so if you view your email by “conversation”, the emails won’t be grouped together. To see all of the emails, you'll need to search by ticket number.
Submitting the P-card forms or Reaction Purchase Request
Once the LRA has been reviewed and findings issued, the software and/or electronic service can be purchased either by a staff member with a P-card or by submitting a Purchase Request in Reaction.
If requesting the software be purchased by P-Card