1. Purpose

The purpose of this policy is to ensure that the University of North Carolina at Greensboro (hereinafter “University” or “UNCG”) procurement of information technology hardware, software, and services follows established UNCG policies, standards, and guidelines, and is centrally managed and approved by the Vice Chancellor of Information Technology Services and Chief Information Officer (CIO), or assigned delegate, prior to technology-related acquisitions or agreements.

2. Scope

The scope of this policy applies to the purchase of all IT resources (such as technology hardware; software; telecommunications; cloud or externally hosted systems; and services) by faculty and staff using institutional, research, and/or grant funds. The scope of this policy also designates Information Technology Services to make final determination of validity and refresh lifecycle support for all IT resources.  

3. Definitions and Roles & Responsibilities

3.1 Definitions

3.1.1 Cloud Computing Service:

Cloud Computing Service refers to a type of Internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. 

3.1.2 Infrastructure as a Service (IaaS):

Infrastructure as a Service (IaaS) refers to a provisioning model in which an organization outsources the equipment used to support operations, including storage, hardware, servers, and networking components. The service provider owns the equipment and is responsible for housing, running, and maintaining it. 

3.1.3 IT Resources:

IT resources refers to all hardware, software, peripherals, or services related to technology, data storage, networking, cloud computing, commerce, and communication. 

3.1.4 Network:

Network refers to a telecommunications network that allows computers to exchange data. 

3.1.5 Peripherals:

Peripherals refers to devices connected to a personal computer that extend its capabilities. Examples of peripherals include, but are not limited to, mice, keyboards, monitors, printers/copiers.

3.1.6 Platform as a Service (PaaS):

Platform as a Service (PaaS) refers to a category of cloud computing services that provides a platform allowing customers to develop, run and manage Web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. 

3.1.7 Server:

Server refers to a computer system which primarily provides one or more network services by communicating across a network. 

3.1.8 Software:

Software refers to data or instructions organized in the form of operating systems, utilities, programs, and applications that enable computers and related devices to operate. 

3.1.9 Software as a Service (SaaS):

Software as a Service (SaaS) refers to a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. 

3.1.10 Users:

Users refers to individuals, whether a member of the University community or not, who are granted access to and use of the University’s information technology, whether on campus or from remote locations. Those individuals include, but are not limited to, faculty, students, staff, guests, visitors, and those working on behalf of the University.

3.1.11 Workstation:

Workstation refers to a general-purpose computer intended for use by end-users. 

3.2 Roles & Responsibilities

3.2.1 Chief Information Officer:

Chief Information Officer has the overall responsibility for the Information Technology Services division, and for centrally managing procurement of IT resources, ensuring compliance with University policies, standards, procedures, and guidelines.

3.2.2 University Executives, Deans/Chairs, Directors/Managers:

University Executives, Deans/Chairs, Directors/Managers ensure procurement of IT resources follows proper adherence to policy as described below, along with related University policies, standards, procedures, and guidelines. 

3.2.3 University Procurement Office:

University Procurement Office ensures procurement of IT resources follows proper adherence to policy as described below, along with related state and University policies, standards, procedures, and guidelines. 

3.2.4 Users:

Users comply with policy as described below, along with related University policies, standards, procedures, and guidelines. 

4. Policy

Information Technology Services (ITS) is the sole authority that centrally manages the procurement and governance of all University IT resources, assets, and services, including UNCG IT software, hardware, and services.  

ITS manages the purchase and governance of IT-related items in collaboration with the University Procurement Office, and, upon authorization and approval of ITS, the University Procurement Office has final responsibility and authority for all purchasing activities.

The procurement of University IT resources, assets, and services is only authorized once it has completed the appropriate University Procurement Office and ITS pre-purchase review and approval workflow, which is assigned to a designated ITS representative and subject matter expert. Purchase reimbursements will not be provided if any faculty or staff attempt to circumvent this policy, whether knowingly or unknowingly. 

4.1 General Requirements

Information Technology Services (ITS) authorization, approval, or governance is required if any of the following are true: 

  • ITS assistance will be required to build, install, implement, or support IT resources, assets, and services. 
  • IT resources, assets, and services will utilize the University network. 
  • IT resources, assets, and services will be installed in the ITS data center.  
  • IT resources, assets, and services will require campus credentials (such as Active Directory or Single Sign-on) for authentication.   
  • IT resources, assets, and services are generally made available to students or employees.
  • Cloud Computing Services, or Third-Party Software (including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS)), integrate with and/or store University data. 

4.2 Pre-Purchase Requirements

The following items are required prior to purchase or processing actions of IT resources, assets, and services: 

  • Asset inventory detail associated with IT resources, assets, and services must be identified by the associating University entity and/or department, and must be submitted to, and archived by ITS. 
  • IT resources, assets, and services with Business Associate Agreements (BAA), Service Level Agreements (SLA), Memoranda of Understanding (MOU), or related documentation must be submitted to, and archived by, the Procurement Office.  
  • IT resources, assets, and services that access the University network, integrate, and/or store University data must indicate a determined Data Classification, per University Data Classification Policy and Data Storage Requirements, to ensure an approved storage service for the class of data in use.   
  • IT resources, assets, and services which cost above $5,000, or integrate with University data classified as High Risk or Moderate Risk, per University Data Classification Policy and Data Storage Requirements, require an ITS security posture and risk assessment (SPRA).  

4.3 Post-Purchase Requirements

The following items are required after purchase of IT resources, assets, and services, and throughout their lifecycle: 

  • Asset inventory of purchased IT resources, assets, and services must be maintained by the associating University entity and/or department, which is responsible for providing their inventory, or changes, to ITS, no less than annually.  
  • IT resources, assets, and services with Business Associate Agreements (BAA), Service Level Agreements (SLA), Memoranda of Understanding (MOU), or related documentation must be reviewed or updated by the associating University entity and/or department, and provided to the University Procurement Office, no less than annually. 
  • University entities and/or departments that have purchased IT resources, assets, and services with access to the University network or integrate University data are responsible for maintaining documentation of the Data Classification for that asset, per University Data Classification Policy and Data Storage Requirements, to ensure an approved storage service for the class of data in use. Maintenance of, or any changes to, asset data classification must be provided to ITS no less than annually. 
  • University entities and/or departments that have purchased IT resources, assets, and services are prohibited from uninstalling or modifying device management agents installed by Information Technology Services. 

4.4 Exceptions

The Vice Chancellor of Information Technology Services and Chief Information Officer (CIO), or assigned delegate, has the sole authority to make exceptions, in writing, to this policy. 

5. Compliance and Enforcement

Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA non-faculty) or “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein. 

If violation of this policy also results in a violation of law, the violation may also be referred for criminal or civil prosecution. 

Violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure. 

PCard purchases of IT resources outside the regulation of this policy will be subject to non-compliance disciplinary actions detailed within the University Procurement Office Purchasing Card Manual.  

All IT resources, assets, and services owned by a University entity or department which access the University network or integrate with and/or store University data are subject to unplanned, periodic ITS security audit and compliance assessments to ensure adherence to the UNCG Information Security Policy and supporting Information Security Management System (ISMS). ITS security audit and compliance assessment outcomes require plans of remediation from the University entity or department within 30 days of assessment completion, and evidence of completed remediation within 60 days; otherwise, applicable IT resources, assets, and services will be subject to removal from the University network.

6. Additional Information

6.2 Resources

Portions of this document were informed by the language found in multiple regulations, including the ISO/IEC 27002:2022 Standard. 

6.3 Approval Authority

The Chancellor is responsible for the approval of this Policy. 

6.4 Contacts for Additional Information and Reporting

Responsible Executive: Vice Chancellor for Information Technology Services and Chief Information Officer (CIO) 

Responsible Administrator: Chief Information Security Officer (CISO) 

Revisions

Revision Date Revision Summary

- Information Technology Procurement. Retrieved 02/04/2023. Official version at https://policy.uncg.edu/university_policies/information-technology-procurement/. Copyright © 2023 The University of North Carolina at Greensboro.