Number
06.01.09
Division
Finance and Administration - Office of Information Technology (OIT)
Date
April 2018
Purpose
The purpose of this policy is to provide a framework for procurement of IT hardware, software, and externally hosted systems or software.
Policy

This policy establishes a framework for the procurement of information technology (IT) hardware, software, and any externally hosted systems or software for The University of Alabama in Huntsville (UAH).

UAH is committed to providing a wide range of high-quality information technology (IT) services to students, faculty, and staff in support of the mission of the university. In order to provide the best, most cost-effective and secure IT resources to UAH, IT resources which exceed a one-time cost of $100,000, or which integrate with either Banner or other enterprise data systems, must be reviewed before procurement.

This policy applies to all procurement of UAH owned or OIT supported IT resources.

Procedure

1.0 Standardized IT Resources

UAH's OIT will establish and periodically update a standard set of IT resources that have been pre-approved for support and usage at UAH. This list shall be published on the OIT website and contain:

  • Software licenses available to UAH.
  • Vendors for popular software packages.
  • Supported desktop computers.
  • Supported laptop computers.
  • Supported tablets.

Whenever possible, IT resources shall be chosen from the pre-approved list. If it is not possible to use a pre-approved IT resource, the purchase shall be verified through the Non-Standardized IT Resources process listed below.

2.0 Non-Standardized IT Resources

If it is not possible to purchase and utilize an IT resource from the pre-approved list, then the IT resource must be vetted by OIT to determine total cost of ownership including verifying functionality, integration, support, environmental, computing, security, and legal requirements. OIT will make every reasonable effort to support non-standardized IT resources; however, because of fiscal and staffing constraints, this support may be limited.

The IT resource review is documented below.

3.0 Resource Review

To request the review of non-standardized IT resources, complete the "IT Resource Review Form" on the OIT website at http://www.uah.edu/oit.

3.1 IT Resource Procurement Review Process

IT resources will be reviewed, at minimum, in the following areas to determine total cost of ownership and integration with existing IT resources and infrastructure:

  • Functionality: The business need will be compared to the capabilities of currently supported IT resources to determine if the need can be met through current resources. If it cannot, then a selection process will be performed to determine the best product for the required function.
  • Integration: Whenever possible, new products shall integrate with core functionality, including, but not limited to, Trusted Identity Management System and Banner.
  • Support Requirements: Network, staff, storage, and monetary support requirements will be reviewed to verify that UAH will be able to support the IT resource. This support may include custom code development that will require time to plan, produce, and maintain.
  • Environmental Requirements: Review of the environmental requirements will include space, cooling, power, and physical security considerations.
  • Computing Requirements: Processing, memory, and storage requirements will be evaluated.
  • Security Requirements: IT resources will be reviewed to verify that the solution is secure in communications, authentication, and storage of data. This includes verifying that the solution is compliant with all UAH policies and applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), International Traffic in Arms Regulations (ITAR), and Export Administration Regulations (EAR).
  • Legal Requirements: Any IT resources that require a contract must be reviewed by the Office of Counsel.
  • Disaster Recovery Requirements: IT resources will be reviewed to determine criticality and redundancy requirements.

3.2 Cloud Services Procurement Review Process

In addition to the requirements for reviewing local IT resources, the following considerations must be evaluated when procuring cloud services:

  • Application Programming Interface (API): APIs will be reviewed to evaluate the ability to automate tasks to interface with the cloud service. This could include user account management and data transfers from UAH systems.
  • Ability to Retrieve Data: The ability to retrieve data upon termination of the contract with the cloud service will be evaluated.
  • Uptime Requirements: The cloud service uptime shall be evaluated against the required uptime of the service. This may include times that the cloud service will be unavailable due to software updates.
  • Connectivity Requirements: The connectivity requirements will be reviewed to validate that current Internet or Internet2 connections are sufficient to support the cloud service.
  • Data Center Requirements: The cloud service's data center options will be reviewed to verify compliance with all regulations and best security practices. This may include, but not be limited to, data center locations, personnel with access, encryption technologies, and audit logging, backup, and disaster recovery capabilities.
  • Security Requirements: The security requirements may be different for cloud-based IT resources.
Review
The IT Investment Advisory Council is responsible for the review of this policy every five years (or whenever circumstances require).

Cloud Services and Information Technology Procurement