
ISAC

Overview and Purpose

Information Systems Acquisition Committee (ISAC) governs the acquisition of information systems, related equipment, and software for the UT Southwestern Medical Center campus. The Committee has these goals:

  • Reduce institutional technology risk
  • Decrease redundancy and technology sprawl
  • Drive cost savings

The Committee has established a process to streamline and clarify what requesters need to complete and provide for an acquisition request. See requirements for acquisitions needing ISAC approval.

ISAC Review Process

  1. Before You Get Started

    Let us help you assess if an ISAC review is necessary.

    • Do you need an ISAC Review?

      If you are unsure if your acquisition needs an ISAC review, take the 5-question ISAC Quiz and review some of the common acquisitions that require a review.

      Previous ISACs – Refer to List Before Submitting

    • Does your ISAC submission also require TX-RAMP certification?

      Review the questions below to determine if TX-RAMP certification is required.

      1. Is the Application or Service hosted by a Cloud Service Provider (accessed through the internet), and does it require a new contract or contract renewal?
        1. If the answer is NO – TX-RAMP not required
        2. If the answer is YES, then proceed to the following three questions – a YES answer to any means TX-RAMP is required.
      2. Does the Cloud Application or Service include storing or processing UTSW data at an offsite location?
      3. Does the Cloud Application or Service store or process any sensitive information such as SS#, Credit Card information, PHI, PII, etc.?
      4. Does the Cloud Application or Service interface with a UTSW application that stores any sensitive information? Ex. The data is managed by a third-party and will interface with Epic or Active Directory.

      If TX-RAMP certification is required, the vendor must be certified or willing to apply for TX-RAMP certification, or UTSW cannot enter into a contract.

      TX-RAMP Certification Guidance

    • Ask for Guidance

      IR contacts can provide some guidance within these respective areas:

      Academic Systems
      Melody Bell, Assistant Vice President, Academic Information Systems (AIS)
      melody.bell@utsouthwestern.edu
      Health Systems
      Kathryn Flores, Assistant Vice President and CIO, University Hospitals
      kathryn.flores@utsouthwestern.edu
      Research Systems
      Melody Bell, Assistant Vice President, Academic Information Systems (AIS)
      melody.bell@utsouthwestern.edu
      Software Core
      Adolfo Ortuzar, Interim Assistant Vice President, AAIR Compliance and Operations
      adolfo.ortuzar@utsouthwestern.edu
    • Special Guidance for Human Research

      This guidance document is intended to clarify when ISAC is required for human subject research studies and how the review provides vital support to ensure the institution and participants are protected.

      View HRPP Guidance on ISAC Review of Research

    • Need a Consult?

      Not sure if you need to go through the ISAC request process, or are you uncertain about submitting a request form?

      Contact one of our team members. We are available to answer your general questions, assist you with your request, and provide existing resources.


  2. Making a Request

    Your request must include the following elements:

    • Gather Required Documentation

      Information Security Questionnaire must be submitted with your request form if a third party will store or process UT Southwestern information. This questionnaire may not be needed if all data is de-identified.

      Questionnaire

      Dataflow Diagram will need to be submitted when requested by Information Security. This diagram should illustrate the following:

      • Where data is stored
      • Where data came from
      • Where data is being sent
      • Protocol and port used during data flow

      Voluntary Product Accessibility Template (VPAT) is a document that evaluates how accessible a product is for people with disabilities. This document, produced by the vendor, details how the product supports each requirement of Section 508 of the U.S. Rehabilitation Act. For additional information, please contact Adolfo Ortuzar, Director of AAIR Operations, by email.

      Exclusive Acquisition Justification (EAJ) Form is available through Purchasing. However, it is only necessary if the purchase has met the requirements for an EAJ.

    • Your Considerations

      These key criteria must be considered in completing the ISAC request process.

      • Alternative technologies and those already in place at UTSW
      • System and data integrations needed
      • Initial and maintenance costs (hardware and software)
      • Consider costs such as implementation, professional services, and annual hardware and software licensing costs
      • System availability requirements and unplanned system downtime impact
      • Required Disaster Recovery Strategies for critical systems which could increase cost due to additional services or hardware
      • Risks to UTSW data, systems, and operations
      • Identification of the data owner
      • Data contract terms
    • Submit a Request

      Log in with your valid UT Southwestern credentials (even if the acquisition has no financial cost). Attach all related documentation to the request. See the Submission Deadlines for scheduling information.

      ISAC Approval Form

  3. Analysis and Assessment

    Based upon responses and attached documentation, ISAC requests will be assessed for requirements such as security, technology and vendor risk, data and system resilience, contractual needs (such as a Business Associates Agreement if covered under HIPAA), and federal accessibility requirements.

    1. Initial review for complete information and documentation
    2. Security, technology and vendor risk assessment
    3. Data and system resilience
    4. Contractual requirements
    5. Accessibility
    6. Request added to ISAC meeting agenda (ISAC will notify you when you are on the agenda. See Meeting Schedule.)
  4. ISAC Review and Approval

    The Committee will consider technology requests based upon the analysis and assessment that results from the information and documentation provided, discussions with the vendor, and consideration of alternate or existing technology, among other factors. A verbal presentation by the user to the Committee may be requested.

    1. ISAC reviews all submitted information and lets you know if you need to attend the meeting
    2. ISAC decision (e.g., approved, rejected, deferred, or if there are contingencies)
  5. Renewals and Modifications

    ISAC approvals are specific to a particular technology, its intended use, and the department specified in the request.

    • Committee approvals are generally valid for the natural lifecycle of the information system.
    • Approval is only for the system and use which was specified in the request.
      For example, approval of a cloud survey system for conference meal selections does not constitute approval to use the system for collection of patient data.
    • The Committee chair should be consulted for any major modifications to existing systems to determine if a system review and re-approval is warranted.
  6. Emergency Approvals

    Requests for emergency approvals must be made by a department director or higher and will be evaluated by the ISAC Chairs for approval. The request should include:

    • Reason(s) the request cannot wait for the next monthly ISAC meeting
    • Impact should the request not be processed as an emergency
    • Deadlines driving the emergency request
    • Reason temporary alternatives are not viable

    Emergency approval requests will only be considered once the ISAC Approval Request form has been completed. The request can be submitted via Nancy.Cornelison@utsouthwestern.edu.

    All emergency approvals will require electronic off-cycle voting by the committee or approval for the request to proceed further through the acquisition process.

Submission Deadlines and Meeting Dates

ISAC meetings are held the first Tuesday of each month at 9 a.m. virtually and in the Data Hall, BLA.120. All submission forms that miss the submit-by date will be reviewed in a later committee meeting.

View ISAC Submission Deadlines