Information Technology Acquisition Policy
Policy number | 12-14 |
Responsible office | Office of Information Technology |
Enforcement official | Chief Information Officer |
Classification | Board of Trustees-delegated Policy |
Category | Information Technology and Data Security |
Statement of policy
This Policy sets out the framework governing the compliance of existing and newly acquired technology assets and resources.
Summary of contents/major changes
This is a major revision of the existing IT Acquisitions Policy, providing a new framework governing the compliance of existing and newly acquired technology assets and resources.
Purpose of Policy
University information technology resources enable the university to conduct its critical operations. These resources may also store and transmit confidential, restricted, and other sensitive information and data about the university and its affiliates. If compromised, such data would introduce significant security, privacy, and financial risk. Technology also introduces challenges to cost-effectiveness, efficiency, accessibility, and human resources that should be taken into consideration and planned for through necessary governance and working groups.
This policy provides a framework of the requirements that will ensure information technology resources that store and/or transmit university data are compliant with university policies, rules, legal obligations, and procedures before acquisition and throughout implementation. This framework aims to maintain data security compliance, reduce technology costs, validate accessibility and ensure proper planning for implementation.
Stakeholders Most Impacted by the Policy
All employees
Key Definitions
- Acquisition of Information Technology
  Buying, obtaining, or developing an information technology resource.
- Information Technology Resource
  Any hardware, software application, service, system, or database used in support of university information and data activities. This includes systems or applications hosted on university or 3rd-party servers, services, data centers, or other hardware.
- University Data
  Any digital information that supports the operations of the University.
- Equitable Access
  The act and process of ensuring that the availability of technology resources to all members of the university community is impartial, fair, accommodating, and reasonable.
Full Policy Details
The Office of Information Technology will implement an IT Planning and Compliance Review Process to evaluate and approve new and existing technology resources, and provide clear direction for acquisition, implementation, and continual compliance.
- University employees will follow all University Purchasing policies, rules, and procedures for technology, including purchases with grant funds, that include sole-source contractual agreements and specific acquisitions processes.
- University employees will submit all technology contractual agreements, including click-through, freeware, and shareware agreements, through the university contract review processes.
- University employees will follow the Technology Compliance Review Process and implement or remediate all required actions to ensure compliance with university policies, rules, and guidelines before the acquisition and implementation of information technology resources.
- The Office of Information Technology will coordinate the review of all technology resources for compliance with university policies, rules, and guidelines and approve or decline requests for acquisition and implementation.
- University employees will ensure all information technology resources comply with university policies before their acquisition and throughout implementation.
Implementation
- The Office of Information Technology will implement the Technology Compliance Review process in collaboration and coordination with university policy stewards and subject-matter experts (e.g., Manager Purchasing, Director Logistical Services, Director Business Services, Accessibility Compliance Specialist, Sr. Director of IT Security and Privacy).
- The Office of Information Technology will implement technology purchasing processes, in collaboration with University Purchasing, as necessary to ensure cost optimization, approval tracking, and compliance with established standards and policies.
Communication
University IT managers and purchasing agents will communicate this policy, and related procedures, to their constituents.
Exceptions
- Third-party resources, such as electronic library content, that are accessible without providing individual credentials (anonymous access control) and do not store or transmit personally identifiable information, usernames, passwords, or any university data.
- Additional exceptions to this policy will be authorized by the Office of Information Technology through the individual information technology acquisitions and compliance review processes.
Accountability
- Failure to follow this Policy and any associated procedures may subject WMU employees to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements.
- Additional consequences for non-compliance include loss of access to procurement cards, accounts, and access to Confidential Information, which may result in the inability to perform the essential functions of a position. There could be additional civil or criminal causes of action for violating FERPA, HIPAA, or other confidentiality regulations and laws.
- Technology resources found to violate this Policy should be referred to the IT Acquisitions and Compliance Coordinator, who will contact the unit responsible to begin remediation procedures.
- The University reserves the right to remove any non-compliant technology and/or data and terminate vendor contracts if the violation is not addressed promptly.
Related Procedures and Guidelines
Additional Information
N/A
FAQs
- How do I submit a Technology Compliance Review?
- Do I need to finish the contract review process before submitting the Technology Compliance Review Request?
  No, both requests may be submitted and processed simultaneously. The preference is to conduct the Technology Compliance Review before the contract review; however, this is not necessary.
- How do I find technology that meets my needs, while satisfying university policies?
  Consult with your unit/departmental IT support staff to assist you with technology product selection.
- How do I submit a request for a new computer?
  Visit University Computer Technology Purchase Request on goWMU to get started.
- What computer brands may I purchase with university funds?
  See Rules for Computer Purchasing for approved vendors.
Effective date of current version | December 1, 2021 |
Proposed date of next review | December 2, 2024 |
Certified by | Andrew Holmes, Interim Chief Information Officer |
At the direction of | Jennifer Bott, Provost and Vice President Academic Affairs |