Technology Purchasing Procedure

1. Purpose

The purpose of this procedure is to set forth a standard procedure for the purchase of technologies utilized by WVSOM. Its implementation will solidify WVSOM’s commitment to secure use of technology and its data either on-premise or in cloud-based systems, in line with associated compliance requirements for internal/external risk assessments, BRIM insurance, State auditing requirements, WVSOM purchasing guidelines, state and federal laws (GLBA, FERPA, HIPAA, Privacy Act of 1974, Copyright Law).

2. Applicability

2.1

This procedure applies to WVSOM departments and respective faculty/staff that utilize software and hardware while engaging in the mission of WVSOM to educate our students, work with our constituents, alumni, higher institution peers, and the Board of Governors.

2.2

This specific procedure is not intended to replace overall purchasing procedures of WVSOM as a WV State institution, but is to serve as a clarifying enhancement when technology related purchasing is made.

2.3

WVSOM reserves the right to amend this procedure at any time, as necessary or appropriate.

3. Annual Budget Preparations for Technology

3.1

Annually in September the Chief Financial Officer (CFO) begins the departmental submissions for the next fiscal year budget beginning in July. Coinciding with this process, the Chief Technology Officer (CTO) will request specific technology updates from the departments for continued software renewals, software that may be retired, new software needs, changes in hardware to support end users, and upcoming projects that will require significant technology infrastructure support.

3.2

WVSOM maintains centralized purchasing for campus technology through the 6050 Organizational Spending Unit (SU). This includes software licensing, telecommunication costs, student devices, special projects for technology infrastructure, and technology related contract/professional costs such as memberships to ARIN, Educause, EduRoam, and BMI for copyright. Additionally, the Information Technology Department maintains separate budgets for the department, external cloud contracts such as wvOasis, Oracle, Banner, Microsoft 365, Microsoft Azure, end point device replacement cycle, and student printing. Some technology may be grant funded and expensed appropriately outside of the IT departmental budgets, or by transferring monies from the grant fund to the 6050 SU.

3.3

The job function of the Contracts Associate and Software Compliance Specialist (CASCS), in collaboration with the IT Department and in conjunction with the Office of Business Affairs, the Director of Contracts, and the Office of General Counsel, is to maintain the proper licensing and contract requirements related to technology purchasing, in accordance with WV State purchasing guidelines. The CASCS position will maintain high levels of service to the campus community for all technology related purchasing and software licensing needs and review available budgets when requests are made.

3.4

As annual technology budget requests are submitted to the CTO, the expectation is that those departmental submissions have been reviewed and approved by the supervisor and respective Vice Presidents.

3.5

The CTO and CASCS will review prior year increases, requested software/hardware additions, changes to existing software licensing requirements, and projects that will have substantial impact to the technology infrastructure. Considerations will also be made for any construction projects that have technology needs for the budgets in the upcoming fiscal year.

3.6

The technology budgets for WVSOM will be submitted to the CFO, COO, and Director of Finance for final approvals and submission to the Board of Governors. If budget constraints occur in the review process, departmental technology requests may be reduced or withdrawn.

4. Requests for Technology Purchasing

4.1

The IT Department will process, maintain, and account for all WVSOM technology software licensing per GA 31-5.2, both on-premise and cloud-based, and hardware purchasing.

4.2

Per the WVSOM Purchasing Addendum:
All computer equipment and peripherals, cloud-based software and systems, on premise software and systems or acquisitions MUST HAVE PRIOR APPROVAL BY THE WVSOM INFORMATION TECHNOLOGY DEPARTMENT FOR ANY SOLICITATION AND/OR PURCHASE. The Chief Technology Officer may evaluate and make recommendations on the design and suitability of technology equipment and peripherals, cloud-based software and systems, on premise software and systems, and related services on those purchases.

4.3

Requests for approval for technology purchases, and subsequent installation, or project coordination with the vendor and the IT Department, should be submitted through the ticketing system or formal email to the CTO and CASCS.

4.4

Vendor Management for technology resources will be an essential component of tracking software licensing and installation. This function will be relegated to CASCS for pursuit of the Software/Infrastructure as a Service Addendum (SaaS/IaaS) and Vendor Compliance when coordinating with the Director of Contracts. In lieu of vendor willingness to complete the addendum, the CASCS will maintain supporting vendor security documentation with the Vendor Compliance checklist.

4.5

As part of the WVSOM Information Security Plan Section VII requirements for 3rd party risk assessment under GLBA, the CASCS will determine at the point of purchase request, the data categorization for any anticipated software or system that will be processing/storing WVSOM data with feedback from the CTO and Certified Information System Analyst (CISA). This will help to determine the completion of the addendum to the SaaS form and Vendor Compliance checklist as part of the technology purchasing procedure.

5. Technology Purchasing Process Workflow

5.1 All technology purchasing processes will go through two reviews:

The first review will be by the IT Department (CTO, CASCS, Certified Information Security Specialist) for budget availability, security/risk vendor assessment, data categorization, and alignment with operability within the technology infrastructure. The CASCS will confer with the CTO or the appropriate IT manager regarding hardware (i.e. Help Desk endpoint device/peripheral, Network/Server Manager infrastructure). Considerations for software purchases will cover both on premise and cloud, including contracts such as:

  • Terms of Service
  • Terms of Use
  • Conditions of Use
  • Subscription Agreement
  • Master Subscription Agreements
  • Click Through Agreements
  • End User License Agreements (EULA)
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

The second review will be by the Contracts Office for Legal review, which may be elevated to the Office of Legal Counsel for WV state documents that are being redlined.

5.2

The IT review with the resulting SaaS addendum and the Vendor Checklist should supplement and be provided to the Director of Contracts for the Legal review.

5.3

The CTO and CASCS will either (1) receive a request for purchase consideration of software, or (2) have preparation plans for an existing software coming up for renewal. If a new request, the CTO and CASCS will conduct budget analysis to see if the current fiscal year can accommodate such purchase, i.e. if it was budgeted for and if the requested purchase is more than anticipated. If a renewal, the CASCS will start reaching out to the vendor 2-3 months prior to the expiration date to obtain the renewal quote. Billing for WVSOM is addressed to the attention of the Office of Business Affairs and the CASCS, which ensures the proper contact is in place for obtaining the request for payment. The CASCS will present the renewal quote to the appropriate department for review of the quote and confirmation that the quote is accurate for their needs. The early contact with the vendor for the quote also helps accommodate any vendor form delays, redlines, or legal review.

5.4

In the event technology requests are made that were not planned in the current fiscal year budget, the requestor will need to obtain approval from the appropriate in-line Vice President and identify the budgetary spending unit that will accommodate the purchase. The purchase approval should be sent via email to the CTO and CASCS, indicating the source spending unit from which funds will be transferred to the centralized IT Department budget spending unit for campus technology purchases. The CASCS will then work with the Director of Finance for the budget move to accommodate the purchase.

5.5

The CASCS will provide the following forms to the vendor for completion: WV48, WV96, WV Cloud SaaS Addendum, and WVSOM Confidentiality Agreement. These forms are not authorized to be filled out by the vendor. The CASCS will prefill information on the forms based on the quote details (product description, cost, term dates). The CASCS will also request the vendor’s W9 and signed/dated quote for the purchase/renewal. In all instances, the forms should be completed by the vendor first, with WVSOM providing final countersignature. If no redlines, the WV48, WV96, WV Cloud SaaS Addendum, and signed/dated quote will be sent to the CFO for countersignature (WVSOM’s authorized signatories are only the President and the CFO). If redlines are presented by the vendor, the CASCS will coordinate with the Director of Contracts for review and any additional Legal review needed to come to an agreement, if applicable. The WV48 and WV96 forms cannot be redlined under State guidelines unless going through the Attorney General’s office. The WV Cloud SaaS Addendum can be redlined, but will still require internal review before acceptance. For technical points of contact, under Appendix A on the WV Cloud SaaS Addendum, the vendor is required to fill out their primary security contact, and WVSOM’s Information Technology Department will designate the technical contact for WVSOM.

5.6

The CASCS will review an existing vendor or new vendor for vendor risk assessment and any accompanying data risk concerns. WVSOM’s Data Risk Categorizations (Public, Private, Restricted) are used to determine at which level each vendor is ranked and what data is involved. These rankings also correlate to the WVSOM Approved Services for each software. This review process will also be in coordination with the CTO and Certified Information Security Specialist for additional input and review of the Vendor Compliance Checklist. Anything determined to be a “Public” ranking can be bypassed for the WV Cloud SaaS Addendum form completion since it has been determined that the vendor does not hold any confidential data of WVSOM.

5.7

Once the vendor has been vetted and all forms have been completed, the CASCS will coordinate with the CFO for countersignature. This is the final process before the CASCS is given authorization to complete payment, which can be in the form of either WV State Purchasing Card (Pcard) or through entering a requisition in Banner Self-Service for the Office of Business Affairs to generate the Purchase Order (PO), which is then processed at the State Office for the check cutting to the vendor’s address. All documentation for the renewal/purchase process of software will be sent to the Director of Contracts by the CASCS. This allows both the IT Department and the Office of Business Affairs to keep current documentation for each purchase and to reference what is currently in place.

5.8

For hardware requests, the CTO and CASCS will receive a request for purchase. The previously mentioned budget review process for software will also apply for hardware requests to ensure that the appropriate funding is available for the purchase. Once verified to move forward, the CASCS can begin to work through the proper purchasing procedures outlined in the Director of Contracts guideline document.

5.9

All campus purchasing, including that associated with hardware/software, must, after the CTO approval, flow through the Director of Contracts’ office and the Director of Procurement Offices as outlined in the WVSOM purchasing guidelines.

6. Post-Purchase Procedures

6.1

Once a purchase is made for either software or hardware, the next part of the process requires post-purchase steps by the CASCS.

Software purchases are coded by the CASCS with the appropriate funding string for both Banner budget documentation and WV OASIS reconciliation for the monthly Pcard statements. The coded packet will include the paid receipt, quote/invoice, signed vendor forms, and approval emails. This vendor packet is stored both physically and digitally. The physical copies are stored in the CASCS’s office in the accompanying vendor folder. The digital copies are stored in the IT Department’s share folder in the accompanying vendor folder and in the Director of Contracts and IT Department shared drive.

6.2

The CASCS maintains a renewal spreadsheet with vendor name, product name, end-user, expiration date, spending unit information, fiscal year budgeted amount, and previous fiscal year purchase amounts for comparison. This spreadsheet is housed in the IT Department’s share folder and is updated after each purchase is made and is also used as a reference point for upcoming renewals with the expiration dates.

6.3

A TeamDynamix ticket is created as a working ticket for the software purchase process and can be closed once the purchase is complete with all necessary forms also being completed, which will be attached to the ticket for documentation.

6.4

A TeamDynamix ticket is also created for hardware purchases. The ticket requires checkpoints for obtaining the quote, making the purchase, and receiving the item. The first two steps (obtaining the quote and making the purchase) are completed by the CASCS, while the final step (receiving the item) is completed by Help Desk, where all hardware shipments flow through. As the final step, Help Desk coordinates with the end-user on campus for the installation and deployment of the hardware.