Software Purchasing Guidelines
Guidelines for the Acquisition of Information Technology Hardware, Software, and Software as a Service
University policies, standards, and guidelines cover the acquisition of information technology resources. The purpose of these guidelines is to draw together, in a central location, most of the generally applicable policy statements for procuring new information technology resources for the university.
Note: There are other requirements beyond those listed here that may apply to particular circumstances. Their omission from these guidelines is not an excuse for not meeting all requirements.
IT Procurement and Licensing Solutions (ITPALS) is your point of contact for computing hardware, software, software as a service, and computing services. We can help you with the procurement process and with clarifying requirements. We are also available to help you with selections or configurations that meet your needs. We maintain a list of existing contracts that may simplify procurements (see Contract Information to view available contracts).
These guidelines cover the acquisition of computing hardware, computing software, and software as a service. Our office will also assist with procurement of services that help implement or evaluate software. [The terms acquisition and procurement are used interchangeably to refer to any process by which new resources are obtained for the university. “Purchasing” is purposefully not used because acquisition/procurement is not limited to situations where payment is required. Software as a service refers to applications that are hosted or provided directly by a vendor or service provider.]
This guideline does NOT cover acceptance of gifts-in-kind. See instead Policy 12115: Accepting and Reporting Gifts-in-Kind.
Do I have the authority to acquire this information technology resource?
- Acquiring any information technology resource for the university will entail a contract or license, with “license” commonly appropriate for software or software as a service. Contracts or licenses may be the culmination of an original procurement process (e.g., request for proposal, invitation for bid, or sole source) or of an approved purchase from an existing contract (a Virginia Tech contract or an approved alternate contract source)—or just an online click-through stating “I agree.”
Only designated roles, including Department Head, are permitted to commit the university to a contract. Department heads may contract for resources from existing contracts (again, see Contract Information under IT Procurement); hardware acquired from such contracts is limited to $100,000.
Department heads may also enter into new contracts or licenses if the software, hardware, or software as a service affects, and is used only by, members of their own department or college, and the procurement is $2,000 or less.
Note: If you do NOT have authority to contract on behalf of the university, you may be taking on a personal liability. Free online software procured through clicking “I agree” or the equivalent is a common example. [The related terms contract and license are used to set forth conditions of use for the information technology resource to be procured. Licenses include end-user license agreements (EULAs).] (Reference: Policy 3015: University Contract Signature Policy and Procedures. See Sections 3.3 and 3.6.)
Telecommunications procurements are handled by the Procurement Department and coordinated with Communications Network Services (see Telecommunication Procedure).
If I have the authority, what are my responsibilities?
- By policy, you must send all new contracts or licenses to University Legal Counsel for pre-procurement review. Contact ITPALS if you have questions. (Reference: Policy 3015: University Contract Signature Policy and Procedures. See Sections 3.3 and 3.6.)
May I use university data within this potential acquisition?
- First, remember that “university data” is not just data from Banner or another enterprise system; any data you collect, store, use, or transmit is considered university data. (Contact: University Legal Counsel, 236 Burruss Hall (0121); (540) 231-6293)
The use of Social Security numbers (SSNs), and any computing system that stores SSNs, must be approved by the Vice President for Finance and Chief Financial Officer. Replacement systems must also have these approvals. A prerequisite for approval is a pre-procurement review by the Information Technology Security Office (ITSO). (Reference: Policy 7100: Administrative Data Management and Access Policy) [Sensitive data: sensitive university information includes all university information that could cause physical, financial, or reputational harm to the university or to members of the university community if released inappropriately. Under Policy 7100, data elements classified as limited-access are sensitive information.]
Other highly sensitive data include personally identifying information (PII), defined at Virginia Tech as the following data elements about a person:
- Social Security number (see above)
- Credit card number
- Debit card number
- Bank account number
- Driver’s license number
- Passport number
(Reference: Policy 1060: Policy on Social Security Numbers)
Use of any of these elements must have the prior approval of the data steward. For SSNs, the approving authority is noted above. The approving authority for credit card, debit card, and bank account numbers is the University Bursar. As newer methods of payment are adopted, good practice suggests that other payment identifiers be reviewed in the same manner as PII. The University Registrar is the approver for students’ driver’s license or passport numbers, and the Associate Vice President for Human Resources is the approver for those of employees. If you have other situations, please contact ITPALS. (Contact: Information Technology Security Office, (540) 231-1688; www.security.vt.edu) (Reference: Policy 7105: Policy for Protecting University Information in Digital Form)
Other sensitive data include student data whose privacy is protected by the Family Educational Rights and Privacy Act (FERPA), intellectual property not released to the public, nonpublic customer financial data protected by the Gramm-Leach-Bliley Act, and protected health information. Additional measures may be required for information subject to export control regulations. For all such sensitive university data, a pre-procurement review must be conducted before the procurement is completed. (See: Standard for Storing and Transmitting Personally Identifying Information) (Reference: Policy 7100: Administrative Data Management and Access Policy) (Reference: Policy 7025: Safeguarding Nonpublic Customer Information)
All data, sensitive or not, to be used in newly acquired systems (new software, new software applications, new software as a service) must have the approval of the appropriate data steward. Data stewards are listed in the standard that accompanies the administrative data management policy. (Contact: Office of the University Bursar, (540) 231-6277) (Contact: Office of Export and Secure Research Compliance, (540) 231-6642)
A Word about “Cloud Computing”
This terminology has become widely used but is less widely understood. At issue in these guidelines is any software or hardware service carried out by a third party. Data in the “cloud” exists in contrast to systems and services entirely within the control of the university, typically located on university-owned or university-leased property.
Because of the sensitivity of much of the university’s data, and the need for integrity in all of the university’s data, the use of third-party services needs careful consideration prior to finalizing any agreement, contract, or license. The contract is the ONLY assurance the university has that its data will be protected. Consider the following:
- Do you have contractual assurances that Virginia Tech data are secure from unwanted exposure?
- Do you have contractual assurances that our data will not be corrupted?
- Will the service be available when needed?
- Do you have an exit strategy when we no longer use the service, or the service is no longer available, including removal of your data?
Pre-procurement reviews by the Information Technology Security Office will assist in answering these questions.
Free “cloud” services are just as much a procurement as one for which we pay money, and the obligations of the provider should equally meet our needs for both functionality and data protection. (Reference: Standard for Administrative Data Management) (Reference: Administrative Data Management and Access Policy)
What is a pre-procurement review?
- The Information Technology Security Office (ITSO) is ready to help you evaluate whether procurements under consideration meet sufficient security standards. A pre-procurement review, conducted before an acquisition is completed, will help assess the security practices of the vendor; application, data, and service security; any roles for third parties; vulnerability assessment and mitigation; disaster recovery; and the vendor's employee policies, as these apply to the procurement. (Reference: Security IT Procurement Questionnaire)
Authentication (verification of your online identity) and authorization (what you are permitted to access and change) are key elements of security. Selecting an appropriate set of credentials (for example, PID and password) is an important responsibility when establishing new resources. Check the Standard for Personal Digital Identity Levels of Assurance and associated guidelines for details.
Once installed, the new computing resource must be kept secure. Follow best security practices and university policy statements. (Reference: Guidelines for Determining the Level of Assurance of Personal Digital Identities) (Reference: Information Technology Security Policies and Standards)
Practice safe computing!
Will the newly acquired information technology work with other university systems?
If you expect that your newly acquired resource will connect with other systems, confirm before the procurement is completed. The Standards and Guidelines for Information Technology Infrastructure, Architecture, and On-going Operations provide information on expected practices. Talk with managers of systems you expect to connect with.
If you plan to connect with the university core enterprise resource system, Banner, contact Deborah Fulton, Associate Vice President for Enterprise Systems, (540) 231-0735.
Effective Date: April 8, 2014
Review Date: May 2016