Acquisition of Information Technology UPPS No. 05.02.06
Products and Services Issue
Effective Date: 12/14/2012
Review: October 1 E3Y
01. POLICY STATEMENTS
01.01 This UPPS identifies policies applicable to the acquisition of information technology (IT) products or services including, but not limited to, the purchase, rental, lease, or free acceptance of IT products or services from third-party providers.
01.02 Acquisition of IT products or services shall be in accordance with UPPS No. 05.02.02, Texas State Purchasing Policy.
01.03 The vice president for Information Technology or designee will be responsible for central review and oversight of all university acquisitions of IT products or services, including, but not limited to, computing hardware, software, and hosting services, regardless of source of funds, as authorized in the Rules and Regulations of The Texas State University System, Chapter III, Paragraph 19.3. Administrative heads shall consult with the vice president for Information Technology or designee prior to acquiring any IT products or services to a) assess the acceptability of the licensing or contract terms, b) ascertain the nature and amount of university IT support required and available for such products or services, and c) ensure accessibility of purchased software and hardware.
01.04 Administrative heads shall address the applicable IT contracting issues described in the IT Contract Issues Checklist when acquiring IT products or services from third-party providers. The office of the vice president for Information Technology or designee shall maintain the IT Contract Issues Checklist and assist administrative heads with evaluation and review of proposed agreements with third-party providers of IT products or services.
01.05 University departments and individual faculty and staff shall not entrust any third-party provider with sensitive or confidential business data in the absence of a duly approved and authorized agreement between the university and the provider. (NB. See definition of ‘business data’ in Section 02.05 below and definitions for sensitive and confidential data in Section 04.08 of UPPS No. 04.01.01, Security of Texas State Information Resources).
Public Web information services from third-party providers (e.g., Google, Dropbox, etc.) may be inappropriate for storing, sharing, or processing business data because their standard terms of service may fail to afford adequate protection against loss, destruction, or inappropriate use or disclosure of these data. Consistent with UPPS No. 03.04.04, Processing, Approving, and Executing Contracts, Purchases, and Agreements, only designated university officials may enter into information services agreements involving the university’s business data.
01.06 Before engaging third-party IT products or services to store, share, or process scholarly data (see definition of ‘scholarly data’ in Section 02.04), individuals shall review Web 2.0 and Cloud Computing Best Practices for guidance and insight into the numerous issues that should be considered. These issues include information security, personal privacy, personal liability, copyright and content ownership, minimum service levels, and provider lock-in, just to name a few. Additionally, staff in the Educational Technology Center and the Alkek Library can provide experienced assistance in determining the efficacy and suitability of third-party products and services for specific scholarly endeavors.
02.01. Information Technology Products or Services – computing hardware, software, and related services, including externally hosted “cloud” services, software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), and consumer-oriented Web services governed by so-called “click-through” agreements.
02.02 Acquisition – purchase, rental, or lease of information technology products or services with university funds, or the acceptance of free information technology resources from a third-party provider.
02.03 Third-Party Provider – any provider of information technology products or services that is a) not an organizational component of Texas State University and b) not an employee of Texas State University who is supplying the products or services as works done for hire.
02.04 Scholarly Data – documents, files, and other items of information created, developed, collected, or maintained solely for research or instructional purposes, or for direct support of those purposes. Examples include the scholarly work of faculty or students, the personal or intellectual property of individuals, and instructional content in which the university has no ownership interest or license. Owners of scholarly data shall ensure that the security and privacy controls of third-party service providers are adequate to protect the security and privacy of their data. Note that research-related data held by units with research administration and oversight responsibilities (e.g., the Office of Sponsored Programs, the Office of Commercialization and Industry Relations) is considered business data (as defined below).
02.05 Business Data – documents, files, and other items of information created, collected, maintained, and used to support the continued operations of Texas State University. Examples include administrative records, student education records, financial and human resource records, works made for hire, commissioned works, and similar informational objects, held by the institution’s organizational units, contracted service providers, or individual faculty or staff. Business data also includes the following subsets of scholarly data (as defined above):
a. Informational items in which the university has an ownership interest; and
b. Informational items licensed by the university for instructional or research purposes.
03. ACQUISITION COMPLIANCE REQUIREMENTS
03.01 In accordance with §2054.460, Texas Government Code, and §213.37, Texas Administrative Code, any university contract for the purchase, lease, or free acquisition of information technology products or services shall contain the following vendor certification:
“Vendor certifies that the electronic and information resources and all associated information, documentation, and support that Vendor provides under this agreement, comply with the applicable requirements set forth in Title 1, Part 10, Chapters 206 and 213 of the Texas Administrative Code dealing with accessibility by individuals with disabilities (as authorized by Chapter 2054, Subchapter M of the Texas Government Code).”
03.02 Prior to contracting with another state agency or institution of higher education via an “interagency cooperation contract”, Texas State must assure compliance with Texas Administrative Code Title 1, Part 10, Chapter 204, Subchapter C for any commodity or service identified as “information resource technologies” with a total cost estimated to exceed the dollar amount specified in Texas Administrative Code (TAC), Rule §204.31.
04. REVIEWERS OF THIS UPPS
04.01 Reviewers of this UPPS include the following:
Director, Purchasing October 1 E3Y
Director, Contract Compliance October 1 E3Y
Director, Technology Resources October 1 E3Y
Director, Educational Technology October 1 E3Y
Special Assistant to the Vice October 1 E3Y
President for Information Technology
05. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their capacities and represents Texas State policy and procedure from the date of this document until superseded.
Director of Purchasing; senior reviewer of this UPPS
Associate Vice President for Financial Services
Vice President for Finance and Support Services