About IT Purchase Compliance

Statement of Need:

Purchases of Third Party Applications (including software, Software as a Service, cloud storage, etc.) occur on campus on a daily basis. At times this results in purchases that can put sensitive university data at risk, do not meet the needs of the campus population with disabilities, or require integration with enterprise-level applications.

Many times the experts in security, accessibility, and enterprise applications are involved after the purchase has been completed, when it’s too late to offer advice and guidance.  This often results in frustration, delays, non-compliance or the recommendation to cease the use of the application.  Instead, software applications should be reviewed by experts in security, accessibility, and enterprise applications prior to the purchase occurring to ensure the applications are compatible with University, State and Federal guidelines.

Process Goals:

The goal of this process is to have any IT purchase requests from campus for software, software as a service and cloud storage services be reviewed by the Office of Information Technology (OIT) prior to the purchase.  More specifically, the goal will be to review purchase requests of software for:

  • Data security issues,
  • Potential data breaches,
  • Non-compliance with accessibility standards,
  • Non-compliance with security standards,
  • The need to integrate the software with enterprise applications.

The end result of the review process is to provide a recommendation to the Purchasing Department regarding the purchase of the software application.

Requirements:

In order for the review of software purchases to be successful, Information Security Risk & Assurance, University IT Accessibility Services, Enterprise Application Services and Software Licensing Management, all teams within various OIT units, established the IT Purchase Compliance form that the customer should complete before the purchase is allowed to continue.  The process has been reviewed and approved by the Purchasing Department and the Office of General Counsel.

Process:

When there is a need to purchase a software application or renew the maintenance or support of existing software that costs $5,000 or more, the Purchasing Department will need to see an approval from OIT to indicate the software application has been reviewed and recommended prior to the purchase. In order to do this, the customer is asked to complete the IT Purchase Compliance form. Once submitted, Software Licensing Management will ensure that all necessary reviews are conducted in a timely manner.

Each section of the questionnaire will be reviewed and may lead to follow-up questions. In that case, OIT will contact the vendor or the customer. Once all questionnaires and follow-up questions have been answered, each reviewing group will provide an assessment to Software Licensing Management as to whether the software application is recommended for purchase. Software Licensing Management will then provide the results of the assessment to the customer by email. This email will indicate whether the purchase is recommended.

If recommended, the customer should provide a copy of the email to Purchasing along with the purchase requisition. Only when Purchasing receives a copy of the IT Purchase Compliance Review email will they continue the purchasing process. Please note that if Purchasing receives a requisition for a software purchase that is not accompanied by the IT Purchase Compliance Review email, Purchasing will contact the customer to request that a review request be submitted to OIT.

If the purchase is not recommended, the customer will be given details of the assessment and an explanation of why the software application purchase should not continue.

So as not to disrupt the purchase process beyond a reasonable time, OIT is committed to returning the results of the assessment to the customer within ten business days, provided the assessment identifies no major issues. Issues identified with security, compliance, accessibility or enterprise-level integrations could cause further delays, as additional information will need to be gathered from the vendor and reviewed.

This process began June 1, 2016.

Impact: Benefits & Opportunities

Although some may be resistant to this new process, the result will be purchases of software applications that comply with University, State and Federal regulations.  In addition, the process prevents many of the issues that OIT units may experience when asked to support, deploy or integrate software applications after the purchase is complete.

An initial review of these software applications has the potential to save campus time and money, because it prevents campus from purchasing software that may be disallowed after the purchase is complete, resulting in unnecessary spending. A review before the purchase allows OIT and Purchasing to direct their resources appropriately, avoiding the need to find resources to address the issues caused by misplaced purchases of software applications.