REG - 70.00.10 IT Purchase Regulation
- REG 70.00.4 - Responsible Use Regulation
- REG 70.00.1 - Information Security Policy
- REG 70.00.2 - Data Information Regulation
- North Carolina General Statute Chapter 132 (North Carolina Public Records Act)
- NC Statewide Information Security Manual
- Data Handling Guidelines for University Data Classified as Levels Appendix
- North Carolina General Statute Sec. 121-2(8) (Public record)
- NC Identity Theft Protection Act
- 2017 NCCU Faculty Handbook
- International Organization for Standardization (ISO) 27002
- Request for Authorization to Access Employee Electronic Data Form
Purpose
This regulation outlines procedures for the review, approval and purchase of all North Carolina Central University (“NCCU” or “University”) technology. In order to maintain the confidentiality, availability and integrity of University data, NCCU Information Technology Services (ITS) is charged with endorsing technology purchases that are sustainable, are compatible with existing systems, and can be efficiently supported. To meet these criteria, ITS has worked with the Purchasing Department to establish the following regulation for the purchase of these technologies.
Scope
This regulation applies to all information technology purchases and all HIPAA (Health Insurance Portability & Accountability Act) and PCI (Payment Card Industry) related purchases regardless of cost. This includes new purchases as well as maintenance and support renewals for previously made purchases. This ITS review is not a substitute for any contract reviews that must be conducted by the Office of Legal Affairs (OLA). All signed contracts must adhere to the guidelines established in the Contract Review Process.
An Information Technology (IT) Purchase is defined as all information and communication technology products and services obtained by the University that employ, store or transmit University data, integrate with University systems and are utilized by faculty, staff or students.
IT purchases include but are not limited to:
- Software applications and operating systems
- Web-based applications (SaaS)
- Cloud hosting services
- Products that process electronic payments
- Integrated hardware such as endpoints connected to special purpose devices
- Network and storage solutions (e.g., servers, wireless routers, and network attached backup storage)
- Technology vendors such as website developers or technology consultants where a technology service is provided
IT purchases must be reviewed and approved prior to the purchase to ensure the purchase complies with University standards and follows Federal and State guidelines. Upon submission of the proposed IT purchase to ITS, ITS will conduct an IT Purchase Compliance review. This will include reviews of the following, as necessary:
- Compatibility and integration with enterprise systems
- Vendor screening
- Accessibility
- Duplication of existing systems
Responsibilities
In addition to guidelines defined by the Purchasing Department, ITS will be responsible for the review and acquisition of all technology hardware, software, services and any cloud or externally hosted systems, software and/or services requested by faculty, staff and administrators.
Only after the requested IT purchase has been reviewed and approved by ITS will the Purchasing Department process the transaction or execute the agreement. All IT purchases, including those using a University P-Card, must be preapproved by ITS.
To expedite the ITS review process, the department purchasing the technology is encouraged to include ITS during their technology review and seek guidance from ITS prior to any contract or quote being received. Following this step allows ITS to review the products/services and provide feedback in advance of the purchasing process. See more under Timing of IT Purchase Compliance.
For new products or services that a department or division is looking to procure, the department must use the following process:
- Submit an IT Consulting request in TeamDynamix.
- Upon receipt, ITS will conduct research to determine whether existing products or services are already in use by the University. ITS will then communicate next steps with the requesting department within two (2) business days.
- After the initial review and discussion with the department, the IT security, compatibility and project planning can begin.
Review and ITS Approval
If the commodity is a punchout item in Eagles Purch and is coded appropriately for ITS to review, the approval from ITS should be received within one (1) business day.
If the product is quoted by ITS, and appropriately coded for ITS review, the approval from ITS should be received within one (1) business day.
If the purchase is for a new product or service that will be for individual use and is coded appropriately for ITS review, and ITS can get in touch with the requester to address any specific questions, the approval from ITS should be received within two (2) business days.
For HIPAA-related purchases, the ITS review will be completed concurrent with reviews performed by the University’s HIPAA Compliance Committee.
For PCI-related purchases, the ITS review will be completed concurrent with reviews performed by the University’s Information Security Council.
For accessibility purposes, ITS will coordinate its review with Student Accessibility Services.
Purchasing Approval
Once all reviews have been completed, the Requestor will be notified regarding whether the purchase has been approved or denied. The Requestor will also be informed regarding whether there are any conditions that must be met prior to receiving full approval, if a conditional approval is provided.
If more than one product is available that meets the needs of the department, the purchaser should consider using the product that best meets or exceeds North Carolina Central University’s compliance standards. Standardization will also be evaluated as there may be instances where a product with similar functionality may already be implemented within another area of campus.
Note: All IT purchases must be for University use only. Purchases for personal use are strictly prohibited.
Timing of IT Purchase Compliance
Requestors should plan, in advance, for these ITS reviews to be conducted. While most reviews will be completed within one (1) business day, there may be instances where the review will span several weeks. This variance is based on the complexity of the system to be reviewed, the depth of the review required and the vendor’s responsiveness. HIPAA-related products, PCI-related products and systems requiring Banner integrations will typically involve extensive reviews that span longer than a week. However, in many cases, ITS can identify existing solutions on campus that meet the department’s needs.
Feel free to submit reviews or requests for collaboration when technology needs arise, even before funding is established. This will allow the purchase process to move more quickly, especially when the department is ready to make a purchase. This is especially important for purchases made at the end of the fiscal year.
Note: Reliable technology is important to maintaining smooth operations of University functions. Therefore, technology should be kept technically current to remain compatible with required capabilities, security constructs and technology innovations.