This VCSU procedure seeks to facilitate compliance with the following mandates:
- NDUS procedure 1901.3 “Information Technology Approval Process” sets forth several procedures for technology acquisitions and it requires all institutions to “develop institutional guidelines for IT acquisitions and approvals consistent with good business practices to ensure proper stewardship of state resources.”
- SBHE policy 840 “Contract Review” requires VCSU to adopt procedures to ensure contracts are reviewed and approved prior to execution. Notably, SBHE 840 allows that software costing less than $2,500 does not require legal review and approval provided other procedures pursuant to this policy are followed.
- ND Century Code, CHAPTER 51-30 “NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION” sets forth criteria for data breach reporting. This law is taken into account in this policy when establishing the limit of information that may be exposed within a software environment that has not had VCSU CIO approval.
- NDUS 1901.2.1 “Data Classification and Information Security Standard” establishes standards for securing and managing data and it contains a classification of common data elements.
- To ensure technology acquired under this policy meets the requirements of the Federal Rehabilitation Act Section 508.
If one or more of the five criteria below apply, users shall obtain the written approval of the VCSU CIO (Chief Information Officer) or his/her delegate prior to making a technology related acquisition or using a service that requires acceptance of a use or license agreement.
- The project meets one of the criteria, and must therefore comply with, NDUS 1901.3.
- Any device connecting to the VCSU campus network, e.g. PDA, computer, networked printer, telephone, fax machine, copiers, etc. This does NOT apply to peripherals such as a keyboard, external computer monitor, USB inkjet printer, or other device that does not connect directly to the network.
- Information technology hardware, software, or services costing $2,500 or more.
- Technology/services involving a use agreement, license or contract, to include online agreements with “click-through” acceptance. Note: This does NOT apply to the following items:
- An update of institutional standard software listed on the Technology Services web site or previously approved by the CIO, e.g. update to Adobe Acrobat Reader.
- Electronic media materials, e.g. electronic books, DVDs, electronic periodicals, and online subscriptions to information repositories. These items may be subject to other approval processes.
- Software costing less than $2,500 including freeware; PROVIDED you do not require other VCSU employees or students to use the software; you do not use the same Password, Passphrases or Encryption Keys for the free or low-cost software as is used to access other systems containing Restricted or Private data; and data classified as Restricted or Private per NDUS 1901.2.1 is not entered or stored in any way.
- The technology will require Technology Services support in any way.
Making an Acquisition Request
If NDUS 1901.3 applies, the request will be in the format prescribed by that procedure.
If NDUS 1901.3 does not apply, an electronic request shall be sent to the VCSU CIO to include the following information, if applicable:
1. An electronic copy of the Use or License agreement and the Privacy Statement.
2. If the technology is considered “electronic and information technology” (EIT) subject to the requirements of the Federal Rehabilitation Act Section 508, the acquisition request shall include a Section 508 compliance audit or test results that document the testing methodology utilized to determine the product or solutions compliance and the results of the accessibility audit. It is also important to note whether the testing was conducted by the vendor or whether an independent third party auditor was retained.
If a Section 508 compliance audit or test is not available, this should be noted along with your efforts to identify competing products and their associated Section 508 compliance audits or tests.
3. Scope and Rationale: Who will use the technology; Settings the technology will be used in, e.g. academic class name; unique characteristics of the technology as compared to similar VCSU approved technology.
4. All information normally associated with a Purchase Order, including assurance of available funding.
Sponsor: Chief Information Officer
Effective: May 2014
Revised: December 2015