Acquisition of Information Technology UPPS No. 05.02.06
Products and Services Issue No. 2
Effective Date: 02/22/2016
Review: October 1 E3Y
Sr. Reviewer: Director, Procurement and Strategic Sourcing
01. POLICY STATEMENTS
01.01 This policy identifies guidelines applicable to the acquisition of information technology (IT) products or services including, but not limited to, the purchase, rental, lease, or free acceptance of IT products or services from third-party providers.
01.02 Acquisition of IT products or services shall be in accordance with UPPS No. 05.02.02, Texas State Purchasing Policy.
01.03 The vice president for Information Technology, or designee, will be responsible for central review and oversight of all university acquisitions of IT products or services, including, but not limited to, computing hardware, software, and hosting services, regardless of source of funds, as authorized in The Texas State University System (TSUS) Rules and Regulations, Chapter III, Paragraph 19.3. Department heads shall consult with the vice president for Information Technology, or designee, prior to acquiring any IT products or services to a) assess the acceptability of the licensing or contract terms, b) ascertain the nature and amount of university IT support required and available for such products or services, c) ensure the products or services comply with information security policy and requirements, and d) ensure accessibility of purchased software and hardware.
01.04 Department heads shall address the applicable IT contracting issues described in the IT Contract Issues Checklist when acquiring IT products or services from third-party providers. The Office of the Vice President for Information Technology shall maintain the IT Contract Issues Checklist and assist department heads with evaluation and review of proposed agreements with third-party providers of IT products or services.
01.05 University departments and individual faculty and staff shall not entrust any third-party provider with sensitive or confidential business data in the absence of a duly approved and authorized agreement between the university and the provider (see definition of ‘business data’ in Section 02.05 and definitions for sensitive and confidential data in Section 04.08 of UPPS No. 04.01.01, Security of Texas State Information Resources).
Public Web information services from third-party providers (e.g., Google, Dropbox, etc.) may be inappropriate for storing, sharing, or processing business data because their standard terms of service may fail to afford adequate protection against loss, destruction, or inappropriate use or disclosure of these data. Consistent with UPPS No. 03.04.04, Processing, Approving, and Executing Contracts, Purchases, and Agreements, only designated university officials may enter into information services agreements involving the university’s business data.
01.06 Before engaging third-party IT products or services to store, share, or process scholarly data (see definition of ‘scholarly data’ in Section 02.04), individuals shall review Social Media in Education and Alkek Library Copyright Guide for guidance and insight into the numerous issues that should be considered. These issues include information security, personal privacy, personal liability, copyright and content ownership, minimum service levels, and provider lock-in, just to name a few. Additionally, staff in the Educational Technology Center and the Alkek Library can provide experienced assistance in determining the efficacy and suitability of third-party products and services for specific scholarly endeavors.
02.01 Information Technology Products or Services – computing hardware, software, and related services, including externally hosted “cloud” services, software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), and consumer-oriented Web services governed by so-called “click-through” agreements.
02.02 Acquisition – purchase, rental, or lease of information technology products or services with university funds, or the acceptance of free information technology resources from a third-party provider.
02.03 Third-Party Provider – any provider of information technology products or services that is a) not an organizational component of Texas State University, and b) not an employee of Texas State University who is supplying the products or services as works done for hire.
02.04 Scholarly Data – documents, files, and other items of information created, developed, collected, or maintained solely for research or instructional purposes, or for direct support of those purposes. Examples include the scholarly work of faculty or students, the personal or intellectual property of individuals, and instructional content in which the university has no ownership interest or license. Owners of scholarly data shall ensure that the security and privacy controls of third-party service providers are adequate to protect the security and privacy of their data. Note that research-related data held by units with research administration and oversight responsibilities (e.g., the Office of Sponsored Programs, the Office of Commercialization and Industry Relations) is considered business data (as defined below).
02.05 Business Data – documents, files, and other items of information created, collected, maintained, and used to support the continued operations of Texas State. Examples include administrative records, student education records, financial and human resource records, works made for hire, commissioned works, and similar informational objects, held by the institution’s organizational units, contracted service providers, or individual faculty or staff. Business data also includes the following subsets of scholarly data (as defined above):
a. informational items in which the university has an ownership interest; and
b. informational items licensed by the university for instructional or research purposes.
03. ACQUISITION COMPLIANCE REQUIREMENTS
03.01 In accordance with Texas Government Code, §2054.460, and Texas Administrative Code, §213.37, any university contract for the purchase, lease, or free acquisition of IT products or services shall contain the following vendor certification:
“Vendor certifies that the electronic and information resources and all associated information, documentation, and support that Vendor provides under this agreement, comply with the applicable requirements set forth in Title 1, Part 10, Chapters 206 and 213 of the Texas Administrative Code dealing with accessibility by individuals with disabilities (as authorized by Chapter 2054, Subchapter M of the Texas Government Code).”
03.02 Prior to contracting with another state agency or institution of higher education via an “interagency cooperation contract,” Texas State must assure compliance with Texas Administrative Code, Title 1, Part 10, Chapter 204, Subchapter C for any commodity or service identified as “information resource technologies” with a total cost estimate not to exceed the dollar amount specified in Texas Administrative Code, §204.31.
04. REVIEWERS OF THIS UPPS
04.01 Reviewers of this UPPS include the following:
Director, Procurement and Strategic October 1 E3Y
Director, Technology Resources October 1 E3Y
Director, Educational Technology October 1 E3Y
Chief Information Security Officer October 1 E3Y
Copyright Officer October 1 E3Y
05. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their capacities and represents Texas State policy and procedure from the date of this document until superseded.
Director, Procurement and Strategic Sourcing; senior reviewer of this UPPS
Associate Vice President for Financial Services
Vice President for Finance and Support Services