Policy Number: 3349-OP-208
Effective Date: 04/01/2021
Responsible Department: Information Technology, Accounting and Budget
The purpose of this Policy is to outline responsibilities for the assessment, approval, and procurement of technology and to ensure such procurement aligns with established University policies, guidelines, and the University’s technology and security environment.
This policy applies to all technology to be procured by the University, regardless of the source of funding, location, or intended purpose; this includes technology purchases, renewals, donations, and the use of no-cost technology.
- “Availability” refers to ensuring timely and reliable access to and use of Data or Systems. A loss of Availability is the disruption of access to or use of Data or Systems (e.g., hard drive failure, destruction of a System, System unresponsiveness, denial of service attack).
- “Data” refers to any instance of information, regardless of form or storage medium, that is categorized by an organization or by a specific law or regulation.
- “Procurement” refers to the obtaining, purchase, or acquisition of a good or service, and for the purposes of this policy, also includes renewal of a good or service.
- “Purchaser” refers to a University employee with procurement authority for their division or department.
- “System” refers to an information technology resource that can be classified, may have security controls applied, and is organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data.
- “Technology” refers to the broad term used to describe the aggregation of University Data, Systems (cloud-based, externally hosted, on-site), technology services, the University network, or any other device that may affect the security of the University’s technology environment.
- “University Data” refers to data that is created, collected, stored, and/or managed in association with fulfilling the University’s mission or its required business functions.
D. Policy Statement
- University Responsibilities
- In addition to the Purchaser, the Information Technology (“IT”) Department and Accounting & Budget Office are responsible for the procurement of University technology.
- Technology Assessments
- All procurement of University technology must operate effectively within the University’s technology environment, satisfy University security standards, follow established University purchasing policies and guidelines, satisfy proper licensing and grant requirements, and have defined expectations for the technology’s implementation, support, maintenance, network connectivity, and lifecycle replacement. A technology assessment is therefore required before technology is approved or procured for use at or by the University.
- A technology assessment should be requested once a Purchaser has identified the technology intended for procurement. The Purchaser will need to work with the technology vendor or third party to gather any details needed as part of the assessment.
- The technology assessment checks for:
- compatibility with the University’s existing IT and security environment;
- compliance with University policies and applicable laws and regulations;
- alignment with the University’s Strategic Plan and IT standards;
- availability of IT resources for evaluation, testing, and implementation, if applicable; and
- accessibility of the technology.
- To comply with regulations set forth in the Gramm-Leach-Bliley Act (“GLBA”), all technology vendors that access, transmit, or otherwise use University Data or Systems will be asked to provide their System and Organizational Controls 2 (“SOC2”) report (or equivalent) and a copy of their most recent audited financial statements. IT and the Accounting and Budget Office will review these documents to determine vendor eligibility. Vendors that do not provide satisfactory copies of these documents may not be approved for University procurement.
- Though technology may meet the assessment criteria, it may be prohibited for other reasons. IT will provide guidance and work with Purchasers to procure technology that complies with this Policy and meets University technology requirements.
- Procurement Approval
- Grant-funded procurement of technology requires approval from the Grants Accounting department and such purchases are subject to University policy, uniform guidance, sponsored requirements, and the approved scope of work.
- Technology procurement requires the approval of the Chief Information Technology Officer (“CITO”) or designee. The CITO may require additional or more stringent property management requirements than University policy states for tracking technology assets.
- The Accounting & Budget Office will not process purchase orders for technology that does not have accompanying written or electronic approval from the CITO or their designee, or grants accounting if applicable.
- Audit and Reporting
- The University reserves the right to periodically review and audit the performance and security of University technology vendors to ensure continued value, service, compliance, and reliability. Such reviews and audits will be conducted by the Purchaser, with the assistance of IT, at least annually.
- Technology procured outside of the scope of this policy will be prohibited from connecting to University Systems, including the University network, and such technology will not be eligible for University technology support.
- University personnel who fail to adhere to the responsibilities outlined in this policy are subject to University sanctions, which may include, but are not limited to:
- suspension or loss of access privileges to University Systems;
- payment of any financial penalties and costs; and
- disciplinary action, suspension, or termination of employment or contract.
- Policy Maintenance and Review
- IT and the Accounting and Budget Office will:
- be responsible for the implementation and coordination of procedural efforts associated with this policy;
- review this policy and any associated procedures; and
- make updates to this policy and any associated procedures based on changes to law, regulations, or other University policies.