Skip to main content
Information Services Homepage
Enterprise Applications

Technology Acquisition Review (TAR) process

  1. Home
  2. Information Services
  3. Enterprise Applications
  4. About Us
  5. Technology Acquisition Review (TAR) process

The TAR process enables the University to check for certain key requirements when purchasing software. These include compatibility with our network and other applications, security considerations, accessibility and other legal requirements. When you submit a TAR request in Workday, it will be routed to staff in the Procurement Office, General Counsel, Information Services, and Inclusive Excellence. They will review the request, and if approved, the TAR Request ID will be required to complete the Purchase Requisition (also in Workday).

A core pillar of the TAR is Vendor Due Diligence. Vendor risk management is one of the biggest risk domains in technology acquisition — covering not just security, but also financial stability, compliance history, business continuity, and what happens if the vendor cannot provide the basic requirements. Requestors must consider this before submitting their request.

Timeline for TAR and Purchasing Processes: 
The timeline to complete a TAR is estimated at a minimum of 10 business days. Complex review cases or cases that require the involvement of legal or additional cybersecurity documentation may require additional time to review. TAR requests should be made well in advance to minimize delays in the Procurement process. The completion of the TAR is a prerequisite of the procurement process and the timeline does not include the time required by the Procurement Department to complete the purchase.

You can read more about the TAR process here

 

You must submit a TAR if the technology in Workday:

  • Is software, licenses, SaaS, cloud service, or externally hosted system?
  • Is hardware that connects to the network or has software/firmware?
  • Is new, a renewal with changes, or a significant expansion (more users, new data, new integration).

TAR is required even if:

  • The product is free or “trial.”
  • Only one person will use it.
  • Another department already uses it (unless it’s on a published pre-approved list).

TAR is not needed when:

  • You’re buying standard computer hardware from IS’s recommended list.
  • You’re buying low-risk peripherals (e.g., mouse, monitor) that don’t store data and don’t connect to cloud services.

 

Following is what each reviewer will be looking for:

  1. General Counsel’s Office will review the request to ensure legal compliance and risk
  2. Information Services will assess:
    1. Required support and service levels 
    2. Necessary data integrations
    3. Alignment with existing IT process 
    4. Potential technology redundancy
    5. Timing and scheduling constraints 
  3. Information Security team members will determine if the service complies to current security standards. 
  4. Office of Accessible Education (OAE) team members will determine compliance with applicable accessibility standards.
  1. Check for existing solutions

    • Visit the SCU IT website to see if there’s a current tool that already meets your need.

  2. Confirm budget

    • Work with your department finance manager to make sure funding is available.

  3. Gather vendor documentation (if applicable)
     Ask the vendor for:

    • VPAT (Accessibility)

    • Security docs (SOC 2, ISO 27001, HECVAT, or similar)

    • Any contract, order form, or terms & conditions

Having these up front speeds up your review.

Go to Workday (TAR Request Form)

    • Log in Workday with your SCU credentials. If you need help with Workday, contact the Technology Help Desk (techdesk@scu.edu).
    • In Workday search box, type in: Create Request
    • In the Request Type field, type in or select Technology Acquisition Request (TAR) and click OK.

Complete the TAR questionnaire

    • The person who knows the most about the product should fill out the form.
      • You can also submit on On Behalf of someone else. 
    • Answer all questions as accurately as possible.
    • Attach vendor docs (VPAT, security reports, quote, contract, etc.).

      If payments, marketing, or branding are involved
      • University Finance Office approval:  Required if the tool collects funds, handles payment plans, or processes transactions.
      • Marketing & Communications approval: Required if the tool involves branding, advertising, photography/video, public websites, or social media.
      • Attach these approvals to your TAR request.

Following is a list of applications currently licensed by Information Services. Some have enterprise level (site) licenses, meaning most faculty, staff and/or students can use them as is.

List of applications

If interested in purchasing additional licenses or if you want access to applications on this list, please reach out to techaccessreview@scu.edu​. For licenses specific to Adobe or Canva, reach out to purchasing@scu.edu

Required reviews

Is a review needed if another campus unit has an approved TAR? 

Yes, a review is needed even if another department has an approved TAR for the same product or service, unless the product or service is on the authorized list. Adding more users may change the support model, accessibility impact, and/or security risk. Prior reviews can expedite new TAR reviews. Please reference the previously approved TAR in the notes section of the Workday intake form. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval. 

Is a review needed if I am the only user of the technology? 

Yes, a review is needed even if used by one employee. Technology that stores or processes sensitive data or connects to the campus network may impact other software on laptops/desktop computers or could have a security risk. Technology used to create or manage information can introduce accessibility barriers for other individuals. In addition, the TAR process helps to centrally collect and manage the campus software and services inventory to demonstrate compliance with software licensing requirements. Technology acquired by more than one unit is considered for campus-wide acquisition and pre-approval. 

What if there are changes to scope or nature of deployment following review? 

If the scope or nature of deployment changes, please submit another TAR Form. An example of scope change is expanding the service to more users. An example of the nature of deployment changing is changing a workflow to collect sensitive data elements that weren’t being collected previously. 

Can I buy software using my procurement card? 

Software that is not covered under an existing campus agreement or that has not been authorized via the campus TAR Process cannot be purchased on a campus procurement card and is recommended a purchase requisition with an approved contract is submitted in Workday for manager approval. All software purchases must go through the review and approval process and receive authorization from Information Services and the University Finance Office and Procurement prior to completing the purchase. Additional Procurement Card Policies.  For hardware or software purchases exceeding $ 5,000 a purchase order is required via an approved requisition in Workday. Please refer to the Procurement Guide for additional information

Does TAR approval guarantee that the software will be purchased?

No, as the department incurring the expense should have sufficient budget to make the purchase. Before going through the TAR process, work with your department’s finance manager to ensure that sufficient funding exists for the purchase, if approved.

Completing the Workday intake form 

Who should complete the form? 

The requestor (contact) should be the SCU faculty or staff member who is most knowledgeable about the technology being reviewed. Some of the questions are technical and may require consulting the Vendor or Information Services. 

How can I get help completing the form? 

Contact techaccessreview@scu.edu or Procurement Office at purchasing@scu.edu to request assistance completing the TAR form on Workday. 

What do I do if I don’t know the answer to a question on the form? 

All questions must be answered accurately before a review can be completed. If a question is not answered, the highest possible risk will be assumed. Contact the Vendor or the Technology Help Desk to obtain assistance completing the TAR form. 

Who do I contact with questions? 

 Contact TAR committee members at techaccessreview@scu.edu or Purchasing at purchasing@scu.edu

Review process 

How can I find out the status of a review? 

There are two ways to find out the status of a review: 

  1. Log in to Workday and look up the status via the submitted requisition. 
  2. Review previously received ticket email messages.

I am planning an IT project. Can I get an early review? 

Yes; Information Services team members are available to consult during the project planning phase. Assistance is available to ensure Requests for Proposals (RFPs) include necessary technology, operational, and integration requirements, information security requirements, accessibility requirements, and associated contract terms. 

If you have questions, contact the University Finance Office.

Documentation 

How can I add supporting documentation? 

Navigate to your TAR Request in Workday and upload any attachments. 

What is a VPAT? 

A VPAT, or Voluntary Product Accessibility Template, is completed by a vendor and provides relevant information on how their product or service claims to conform to Accessibility Standards. 

What vendor documents are needed for cloud-based services that will store SCU data? 

The vendor will be asked to provide one of the following cloud security assessment documents (Some vendors will require an NDA in place before sharing this documentation; this should be factored into the time required for review): 

For vendors hosting Level One data, the requester should be prepared to request additional documentation from the vendor.  If your vendor does not have any of the above cloud security assessment documents, request the vendor to complete the attached HECVAT LITE

What is the risk acceptance process? 

The risk acceptance process is used to document non-compliance with SCU policy. The process will involve a discussion between the Vice President of the requesting division, the Chief Information Security Officer, the Chief Information Officer and the University Procurement Director. The process will be documented in writing and will list any mitigating controls that are used to reduce the risk, and indicates when the risk will be remediated or next reviewed. Once the process and mitigations have been documented, the Vice President capable of assuming the risk and the Chief Information Officer must approve the risk acceptance. The risk acceptance documentation must be loaded into Workday for audit purposes. 

Contracts 

What are supplemental IS contract terms? 

Supplemental IT contractual terms are SCU boilerplate contractual language that is edited as applicable to the technology deployment scope. The Information Security team determines if the acquisition requires a contract to protect SCU liability. The applicable terms should be forwarded to Procurement & Office of General Counsel to determine the best way to proceed. 

How do I proceed if supplemental IS contractual terms are required? 

If you have already submitted a requisition, forward the main/first ticket to the  Procurement Department. If you were planning to use a P-card, contact the University Finance Office to determine the best way to proceed. 

How are contracts prepared and negotiated? 

Contact the Office of the General Counsel and the Procurement Office for assistance preparing and negotiating contracts. 

What if the vendor does not agree with SCU contractual terms? 

The vendor can redline the draft contract with tracking enabled and identify the areas of disagreement or concern. The edited draft contract should be returned to the Office of the General Counsel, who manages vendor contract negotiations.