
IT Purchase Compliance

Before an IT purchase can be made at NC State, many products must go through an IT Purchase Compliance (ITPC) review to ensure they are compatible and compliant with university systems, processes and regulations. IT purchases must be reviewed annually.

Requirements

An ITPC review is required for all IT purchases that fall into one of the following categories:

  • Involve red or purple data, HIPAA or PCI, or are subject to export control regulations
  • Include digital components, such as websites, mobile applications or software-as-a-service, intended for use by the NC State community
  • Cost $5,000 or more

All other IT purchases under $5,000 may also be submitted for review. IT purchases under $5,000 that are not reviewed must still meet university security and accessibility standards, and it will be the department’s responsibility to ensure compliance.

Review Types

The ITPC process will include the following reviews, as necessary:

Changes to Approved IT Purchases

Approved IT purchases must undergo a new ITPC review if any of the following occur:

  • The scope changes
  • Significant capabilities or features, including AI, are added
  • Use of data becomes higher than classified in the initial review
  • The audience becomes broader than originally identified

What is an IT Purchase?

An IT purchase is defined as any information and communication technology product obtained by the university to support its mission that employs, stores or transmits university data, integrates with university systems, or is used by faculty, staff or students.

IT purchases include:

  • Software applications and operating systems
  • Web-based applications
  • Artificial Intelligence (AI)
  • Cloud-hosting services
  • Products that process electronic payments
  • Network and storage solutions
  • Integrated hardware such as endpoints connected to special purpose devices

ITPC Process

Starting Nov. 10, the ITPC process is transitioning to a new tool. All new ITPC requests and renewals will be submitted and tracked through ProcessUnity. Stay tuned for more information.

Documentation

Before Submitting a Request

  1. Identify a technical contact to submit the ITPC request. This contact should be familiar with the product.
  2. Check the Reviewed IT Purchases list to see if your IT purchase has been reviewed in the past year. If so, contact VRLM for approval evidence you can provide to Procurement with your requisition.
  3. Gather all necessary compliance information prior to submitting. The review process may be delayed until all necessary information has been provided.

Submitting a Request

The ITPC review process may take 2-12 weeks depending on complexity and the vendor’s responsiveness.

Feel free to submit reviews early, even before funding is established. This will allow the purchase process to move more quickly when you are finally ready to purchase. This is especially important for end-of-fiscal-year purchases.

Approval

Once all reviews have been completed, the requester will receive notification of the approval status. If more than one product is available that meets the needs of the department or college, the purchaser should consider the one that best meets NC State’s compliance standards.