Software Purchase Assessment
Office of Information Technology
Miami Dade College
See Security & Operation Assessment for Software Purchases for guidelines. Please fill out sections A-C prior to acquiring an application. If the application will be hosted by a 3rd-party vendor, please ask the vendor to provide information for section D.


If the application will be housed at MDC, please also fill out the Application Hosting Service Request Form.
If the application will be interfacing with existing MDC systems (i.e., Odyssey), please also fill out the EBS Service Request form.
Submit all forms to the IT Help Desk (305-237-2505 or ITHelpDesk@mdc.edu). Please allow 2-4 weeks for the initial assessment.
A. General Information
Date of Request:
Campus/Department:
Requestor Name:
Requestor Email & Campus Phone:
Sponsor (must be a department head or senior
officer):
Sponsor Email & Campus Phone:
Functional Lead:
Functional Lead Email & Campus Phone:
B. Application
Application Title:
Software Version:
Description:
Manufacturer Name:
Website:
Vendor Sales Contact:
Vendor Technical Support Contact:
License Type:
License Volume:
C. Usage
Who will be using the Application? For what purpose?
What class of data does the Application collect? See Data Classification Standards.
What class of data does the Application store? See Data Classification Standards.
What class of data does the Application transmit outside of the MDC firewall? See Data Classification Standards.
Will the application interface with existing MDC systems (i.e., Odyssey)? If yes, please fill out the EBS Service Request form.
Will the application be housed by OIT? If yes, please fill out the Application Hosting Service Request Form.
D. External Hosting (To be filled out by the vendor)
Please provide a sample SLA for the service provided.
Provide a high-level description of your data center environment.
Please describe the physical and logical security controls you have in place.
Please describe your disaster recovery plan/procedure/capabilities.
What safeguards do you have in place to segregate MDC data from other customers' data to prevent accidental and/or unauthorized access to MDC's data?
What security-related certifications do those in your company who are involved with this product's development and support hold? Examples of recognized certifications: SANS GSEC, CISSP, MCSE, and CCIE. How do you write secure code? How do you train your developers in writing secure code?
Describe the procedures and safeguards you have in place for sanitizing and disposing of customer data according to prescribed retention schedules or following the conclusion of a project or termination of a contract, so as to render it unrecoverable and prevent accidental and/or unauthorized access to customer data.
Do you undergo regular security audits by certified third parties? Please describe your procedures for auditing the security of the application (and any supporting code, such as Ajax, ActiveX controls and Java applets). Describe your procedures and timelines for resolving and mitigating identified issues. MDC may demand written proof of audit at any time during the duration of the service. If you object to providing the audit results, please explain in detail the reasons for your objection.
Please describe the procedures and methodology you have in place to manage security incidents, including detection, notification, and investigation, to mitigate any damage and to restore any lost data. Describe how you will notify MDC of a security breach or vulnerabilities, and provide a timeline for resolution.
F. This section will be filled out by Information Technology
Application name:
Requestor:
Sponsor:
Functional Lead:
Reviewers:
Date of Review:
☐ Approve
☐ Approve with these questions or concerns:
☐ Deny for these reasons: