Statement of Need:
Purchases of IT purchases (including software, Software as a Service (SaaS), cloud hosting services, products that process electronic payments, etc.) occur on campus on a daily basis. At times this results in purchases that can put sensitive university data at risk, do not meet the needs of the campus population with disabilities or requires integration with enterprise level applications.
Many times the experts in security, accessibility, and enterprise applications are involved after the purchase has been completed, when it’s too late to offer advice and guidance. This often results in frustration, delays, non-compliance or the recommendation to cease the use of the application. Instead, IT purchases should be reviewed by experts in the various disciplines prior to the purchase occurring to ensure the IT purchase is compatible with university, State and Federal regulations an/or guidelines.
The goal of this process is to have any requests from campus for IT purchases to be reviewed by the Office of Information Technology (OIT) prior to the purchase. More specifically, the goal will be to review IT purchases for:
- Data security issues,
- Potential data breaches,
- Non-compliance with accessibility,
- Non-compliance with security standards,
- Non-compliance with campus email standards,
- The need to integrate the software into enterprise applications.
The end result of the review process is to provide a recommendation to the Purchasing Department regarding the purchase of the IT purchase.
In order for the review of IT purchases to be successful, Information Security Risk & Assurance, University IT Accessibility Services, Enterprise Application Services and Software Licensing Management, all teams within various OIT units, established the IT Purchase Compliance process that the customer should complete before the purchase is allowed to continue. The process has been reviewed and approved by the Purchasing Department and the Office of General Counsel.
When there is a need to complete an IT purchase or renew the maintenance or support of existing IT purchases that costs $5,000 or more or all purchases that involve Purple data, HIPAA, ITAR and PCI regardless of cost, the Purchasing Department will need to see an approval from OIT to indicate the IT purchase has been reviewed and approved prior to the purchase. In order to do this, the customer is asked to complete the IT Purchase Compliance form. Once submitted, Software Licensing Management will ensure that all necessary reviews are conducted in a timely manner.
Each section of the questionnaire will be reviewed and it may lead to follow-up questions. In this event, OIT will contact the customer. Once all questionnaires and follow-up questions have been answered, each reviewing group will provide an assessment to Software Licensing Management as to whether the IT purchase is approved. Software Licensing Management will then provide the results of the assessment to the customer in email. This email will indicate whether the IT purchase is approved.
If approved, the customer should provide a copy of the email to Purchasing along with the purchase requisition. Only when Purchasing receives a copy of the IT Purchase Compliance Review email will they continue the purchasing process. Please note that if Purchasing receives a requisition for an IT purchase that is not accompanied by the IT Purchase Compliance Review email, Purchasing will contact the customer to request that a review request be submitted to OIT.
If the IT purchase is not approved, the customer will be given details of the assessment and an explanation of why the IT purchase should not continue.
In order to not disrupt the purchase process beyond a reasonable time, OIT is committed to return the results of the assessment to the customer as soon as possible, barring no major issues being identified by the assessment. Identified issues with security, compliance, accessibility and enterprise level integrations could cause further delays as additional information will need to be gathered from the vendor and be reviewed. This could extend the review process to two to twelve weeks.
This process began June 1, 2016.
Impact: Benefits & Opportunities
Although some may be resistant to this new process, the result will be IT purchases that comply with university, State and Federal regulations and/or guidelines. In addition, the process prevents many of the issues that OIT units may experience when asked to support, deploy or integrate IT purchases after the purchase is complete.
An initial review of these IT purchases has the potential to save campus time and money because it prevents campus from purchases that may be disallowed after the purchase is complete, resulting in the unnecessary spending of funds. A review before the purchase allows OIT and Purchasing to direct its resources appropriately, preventing the need to find resources to address the issues caused by misplaced IT purchases.