Acquisition
of Information Technology UPPS
No. 05.02.06
Products and Services Issue
No. 1
Effective Date: 12/14/2012
Review: October 1 E3Y
01.
POLICY STATEMENTS
01.01 This UPPS
identifies policies applicable to the acquisition of information technology (IT)
products or services including, but not limited to, the purchase, rental,
lease, or free acceptance of IT products or services from third-party providers.
01.02 Acquisition of IT products or services shall
be in accordance with UPPS
No. 05.02.02, Texas State Purchasing Policy.
01.03 The vice president for Information Technology
or designee will be responsible for central review and oversight of all
university acquisitions of IT products or services, including, but not limited to,
computing hardware, software, and hosting services, regardless of source of
funds, as authorized in the Rules and Regulations of The Texas State University
System, Chapter III, Paragraph 19.3. Administrative heads shall consult
with the vice president for Information Technology or designee prior to
acquiring any IT products or services to a) assess the acceptability of the
licensing or contract terms, b) ascertain
the nature and amount of university IT support required and available for such products
or services, and c) ensure accessibility of purchased software and hardware.
01.04 Administrative
heads shall address the applicable IT contracting issues described in the IT Contract Issues Checklist when acquiring IT products or
services from third-party providers. The office of the vice president for
Information Technology or designee shall maintain the IT Contract Issues Checklist and assist administrative heads with
evaluation and review of proposed agreements with third-party providers of IT
products or services.
01.05 University
departments and individual faculty and staff shall not entrust any third-party
provider with sensitive or confidential business data in the absence of a duly
approved and authorized agreement between the university and the provider. (NB.
See definition of ‘business data’ in Section 02.05 below and definitions for
sensitive and confidential data in Section
04.08 of UPPS No. 04.01.01, Security of Texas State Information
Resources).
Public
Web information services from third-party providers (e.g., Google, Dropbox,
etc.) may be inappropriate for storing, sharing, or processing business data
because their standard terms of service may fail to afford adequate protection
against loss, destruction, or inappropriate use or disclosure of these data. Consistent
with UPPS No. 03.04.04, Processing, Approving, and Executing
Contracts, Purchases, and Agreements, only designated university officials may
enter into information services agreements involving the university’s business
data.
01.06 Before
engaging third-party IT products or services to store, share, or process scholarly
data (see definition of ‘scholarly data’ in Section 02.04), individuals shall review
Web
2.0 and Cloud Computing Best Practices for guidance and insight into the numerous issues that
should be considered. These issues include information security, personal
privacy, personal liability, copyright and content ownership, minimum service
levels, and provider lock-in, just to name a few. Additionally, staff in the Educational Technology Center and the Alkek Library can provide experienced assistance in
determining the efficacy and suitability of third-party products and services
for specific scholarly endeavors.
01.07 University
faculty and staff who individually engage third-party services by accepting
online Terms of Service or Terms of Use agreements are personally liable for
compliance with those agreements, as well as any consequences that result from
their engagement with those third-party services.
02.
DEFINITIONS
02.01. Information
Technology Products or Services – computing hardware, software, and related services,
including externally hosted “cloud” services, software as a service (SaaS), infrastructure
as a service (IaaS), platform as a service (PaaS), and consumer-oriented Web
services governed by so-called “click-through” agreements.
02.02 Acquisition
– purchase, rental, or lease of information technology products or services with
university funds, or the acceptance of free information technology resources
from a third-party provider.
02.03 Third-Party
Provider – any provider of information technology products or services that is a)
not an organizational component of Texas State University and b) not an
employee of Texas State University who is supplying the products or services as
works done for hire.
02.04 Scholarly
Data – documents, files, and other items of information created, developed,
collected, or maintained solely for research or instructional purposes, or for
direct support of those purposes. Examples include the scholarly work of
faculty or students, the personal or intellectual property of individuals, and
instructional content in which the university has no ownership interest or
license. Owners of scholarly data shall ensure that the security and privacy
controls of third-party service providers are adequate to protect the security
and privacy of their data. Note that research-related data held by units with
research administration and oversight responsibilities (e.g., the Office of
Sponsored Programs, the Office of Commercialization and Industry Relations) is considered
business data (as defined below).
02.05 Business
Data – documents, files, and other items of information created, collected,
maintained, and used to support the continued operations of Texas State
University. Examples include administrative records, student education records,
financial and human resource records, works made for hire, commissioned works, and
similar informational objects, held by the institution’s organizational units,
contracted service providers, or individual faculty or staff. Business data
also includes the following subsets of scholarly data (as defined above):
a.
Informational
items in which the university has an ownership interest; and
b.
Informational
items licensed by the university for instructional or research purposes.
03. ACQUISITION
COMPLIANCE REQUIREMENTS
03.01 In
accordance with §2054.460, Texas Government Code, and §213.37, Texas Administrative Code, any university contract for the purchase, lease, or
free acquisition of information technology products or services shall contain
the following vendor certification:
“Vendor certifies that the electronic and information
resources and all associated information, documentation, and support that Vendor
provides under this agreement, comply with the applicable requirements set
forth in Title 1, Part 10, Chapters 206 and 213 of the Texas Administrative
Code dealing with accessibility by
individuals with disabilities (as authorized by Chapter 2054, Subchapter
M of the Texas Government Code).”
03.02 Prior to contracting with another state agency or institution of higher
education via an “interagency cooperation contract”, Texas State must assure compliance
with Texas Administrative Code Title 1, Part 10, Chapter 204, Subchapter C for any commodity or service identified as “information resource
technologies” with a total cost estimated to exceed the dollar amount specified
in Texas Administrative Code (TAC), Rule §204.31.
04. REVIEWERS OF THIS UPPS
04.01 Reviewers of this UPPS include the following:
Position Date
Director, Purchasing October
1 E3Y
Director, Contract Compliance October 1 E3Y
Director, Technology Resources October 1 E3Y
Business Services
Director, Educational Technology October 1 E3Y
Center
Special Assistant to the Vice October 1 E3Y
President for Information Technology
05. CERTIFICATION
STATEMENT
This UPPS has
been approved by the following individuals in their capacities and represents
Texas State policy and procedure from the date of this document until
superseded.
Director of Purchasing;
senior reviewer of this UPPS
Associate
Vice President for Financial Services
Vice
President for Finance and Support Services
President