IT Purchase Compliance
Regardless of cost, the Office of Information Technology’s IT Purchase Compliance applies to all IT purchases that involve purple data, HIPAA, PCI or are subject to Export Control Regulations. For all other conditions, this requirement applies to all IT purchases that have a cost of $5,000 or more. This includes new IT purchases as well as maintenance and support renewals for IT purchases made previously.
IT Purchases include:
- Software applications and operating systems
- Web-based applications (SaaS)
- Cloud hosting services
- Products that process electronic payments
- Network and storage solutions (e.g., load balancer, IP management, VPN, storage platform)
- Integrated hardware such as endpoints connected to special purpose devices (i.e., microscopes)
An IT Purchase is defined as all information and communication technology products obtained by the university to support its mission that employ, store or transmit university data, integrate with university systems or are utilized by faculty, staff or students.
IT purchases must be reviewed BEFORE the purchase to ensure the IT purchase complies with University standards and follows Federal and State guidelines. To accomplish this, IT Purchase Compliance will include reviews of the following if determined necessary:
- Data Security
- IT Accessibility
- PCI Compliance
- Email Communication
- Integration with Enterprise Systems
- Vendor Screening
Only after the requested IT purchase has been reviewed and approved by OIT will the Purchasing Department process the requisition or execute the agreement.
For more in-depth information regarding this process, please see About IT Purchase Compliance.
The depth of the review process will depend on the impact and scope of the product or service. At this time, OIT requires a review of IT purchases that cost $5,000 or more and all purchases that involve purple data, HIPAA, PCI or are subject to Export Control Regulations, regardless of cost.
Although not required at this time, all other IT purchases under $5,000 may also be submitted for review. If a department decides to not have a purchase under $5,000 reviewed, it must still meet University security and accessibility standards and it will be up to the department to ensure compliance.
Roles and responsibilities of the requestor, vendor and the Office of Information Technology can be found on the Roles and Responsibilities page.
What to expect during an IT Purchase Compliance review can be found on the Submit a Request for Review page.
Once all reviews have been completed, the Requestor will be notified whether the review has been approved or denied. If a Conditional Approval is provided, the Requestor will also be informed of any conditions that must be met prior to the approval.
If more than one product is available that meets the needs of the department or college, the purchaser should consider the one that best meets NC State’s compliance standards.
Timing of IT Purchase Compliance
Requestors should plan in advance for these reviews to be conducted. Reviews may take 2-12 weeks, depending on the complexity, the depth of the review required and the supplier's responsiveness.
Feel free to submit reviews early, even before funding is established. This will allow the purchase process to move more quickly when the department is finally ready to purchase. This is especially important for end of fiscal year purchases.