Information Technology Acquisition Policy

Policy number: 12-14
Responsible office: Office of Information Technology
Enforcement official: Chief Information Officer
Classification: Board of Trustees-delegated Policy
Category: 12. Information Technology and Data Security

Statement of policy

This Policy sets out the framework governing the compliance of existing and newly acquired technology assets and resources.

Summary of contents/major changes

This is a major revision of the existing IT Acquisitions Policy, providing a new framework governing the compliance of existing and newly acquired technology assets and resources.

  1. Purpose of Policy

    University information technology resources enable the university to conduct its critical operations. These resources may also store and transmit confidential, restricted, and other sensitive information and data about the university and its affiliates. If compromised, such data would introduce significant security, privacy, and financial risk. Technology also introduces challenges to cost-effectiveness, efficiency, accessibility, and human resources that should be taken into consideration and planned for through necessary governance and working groups. 

    This policy provides a framework of the requirements that will ensure information technology resources that store and/or transmit university data are compliant with university policies, rules, legal obligations, and procedures before acquisition and throughout implementation. This framework aims to maintain data security compliance, reduce technology costs, validate accessibility and ensure proper planning for implementation.

  2. Stakeholders Most Impacted by the Policy

    All employees

  3. Key Definitions

    1. Acquisition of Information Technology

      Buying, obtaining, or developing an information technology resource. 

    2. Information Technology Resource

      Any hardware, software application, service, system, or database used in support of university information and data activities. This includes systems or applications hosted on university or 3rd-party servers, services, data centers, or other hardware.

    3. University Data

      Any digital information that supports the operations of the University.

    4. Equitable Access

      The act and process of ensuring that the availability of technology resources to all members of the university community is impartial, fair, accommodating, and reasonable. 

  4. Full Policy Details

    The Office of Information Technology will implement an IT Planning and Compliance Review Process to evaluate and approve new and existing technology resources, and provide clear direction for acquisition, implementation, and continual compliance.

    1. University employees will follow all University Purchasing policies, rules, and procedures for technology, including purchases with grant funds, that include sole-source contractual agreements and specific acquisitions processes.

    2. University employees will submit all technology contractual agreements, including click-through, freeware, and shareware agreements through the university contract review processes.

    3. University employees will follow the Technology Compliance Review Process and implement or remediate all required actions to ensure compliance with university policies, rules, and guidelines before the acquisition and implementation of information technology resources.

    4. The Office of Information Technology will coordinate the review of all technology resources for compliance with university policies, rules, and guidelines and approve or decline requests for acquisition and implementation. 

    5. University employees will ensure all information technology resources comply with university policies before their acquisition and throughout implementation.

    6. Implementation
      1. The Office of Information Technology will implement the Technology Compliance Review process in collaboration and coordination with university policy stewards and subject-matter experts (e.g., Manager Purchasing, Director Logistical Services, Director Business Services, Accessibility Compliance Specialist, Sr. Director of IT Security and Privacy).

      2. The Office of Information Technology will implement technology purchasing processes, in collaboration with University Purchasing, as necessary to ensure cost optimization, approval tracking, and compliance with established standards and policies.

    7. Communication

      University IT managers and purchasing agents will communicate this policy, and related procedures, to their constituents.

    8. Exceptions
      1. Third-party resources, such as electronic library content, that are accessible without providing individual credentials (anonymous access control) and do not store or transmit personally identifiable information, usernames, passwords, or any university data.

      2. Additional Exceptions to this policy will be authorized by the Office of Information Technology through the individual information technology acquisitions and compliance review processes.

  5. Accountability

    1. Failure to follow this Policy and any associated procedures may subject WMU employees to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements. 

    2. Additional consequences for non-compliance include loss of access to procurement cards, accounts, and access to Confidential Information, which may result in the inability to perform the essential functions of a position. There could be additional civil or criminal causes of action for violating FERPA, HIPAA, or other confidentiality regulations and laws.

    3. Technology resources found to violate this Policy should be referred to the IT Acquisitions and Compliance Coordinator, who will contact the unit responsible to begin remediation procedures.

    4. The University reserves the right to remove any non-compliant technology and/or data and terminate vendor contracts if the violation is not addressed promptly.

  6. Related Procedures and Guidelines

    1. Cloud computing rules

    2. Contracts for goods and services review

    3. External Release of University Information Policy

    4. Gramm-Leach-Bliley compliance

    5. HIPAA Policy

    6. Rules for Computer Purchasing

    7. Social Security Number Policy

    8. IT Planning and Compliance Review Process

      1. Approved Technology Reviews

    9. University Purchasing Processes 

  7. Additional Information

    N/A

  8. FAQs

    1. How do I submit a Technology Compliance Review?

      Visit the IT Planning and Compliance Review Process.

    2. Do I need to finish the contract review process before submitting the Technology Compliance Review Request?

      No, both requests may be submitted and processed simultaneously. The preference is to conduct the Technology Compliance Review before the contract review; however, this is not necessary.

    3. How do I find technology that meets my needs, while satisfying university policies?

      Consult with your unit/departmental IT support staff to assist you with technology product selection.

    4. How do I submit a request for a new computer?

      Visit University Computer Technology Purchase Request on goWMU to get started.

    5. What computer brands may I purchase with university funds?

      See Rules for Computer Purchasing for approved vendors.

History

Effective date of current version: December 1, 2021
Date first adopted
Proposed date of next review: December 2, 2024

Authorization

Certified by

Andrew Holmes, Interim Chief Information Officer

At the direction of

Jennifer Bott, Provost and Vice President Academic Affairs