ROWAN UNIVERSITY POLICY


Title: Data Governance: IT Acquisition Policy
Subject: Information Resources and Technology
Policy No: IRT:2013:02
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer:
Date Adopted: 07-01-2013
Last Revision: 04-01-2016
Last Review: 04-01-2016

I.  PURPOSE

This policy sets forth the process for the approval and acquisition of all Information Technology (IT) including, but not limited to, software, hardware, IT consulting, and IT services.

II.  ACCOUNTABILITY

Under the direction of the Chief Information Officer, Rowan University management shall implement and ensure compliance with this policy.

III.  APPLICABILITY

This policy applies to all members of the Rowan community who seek to acquire IT Resources for Academic, Administrative, Clinical, or Research purposes. All sources of University funding including, but not limited to, department budgets, grant funds from contracts and/or transmittal forms between the University, and external funding sources (public and private), are covered by this policy.

IV.  DEFINITIONS

  1. Academic IT Resources – any software, hardware, IT consulting or IT services that is used to support users (faculty and students) in their teaching, learning, and research activities. Academic IT Resources can be distributed and accessed locally or through the cloud.
  2. Administrative IT Resources – any software, hardware, IT consulting or IT services that is used as an ancillary system in support of Rowan University's Enterprise Relationship Management system (Ellucian's Banner System), whether to augment or replace specific functions with best-of-breed niche products.
  3. Clinical IT Resources – any software, hardware, IT consulting or IT services that allows the user to enter patient specific information, and using formulae or other forms of analysis based on clinical information, glean from that information a patient-specific diagnosis or treatment recommendation that is used to assist in making a clinical decision.
  4. FERPA – The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects students' privacy by prohibiting disclosure of education records without adult consent.
  5. GLBA – The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that institutions deal with the private information of individuals.
  6. Hardware – computer devices that use, process, store, or transmit electronic information.
  7. HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) is the federal law passed by Congress in 1996 that requires the protection and confidential handling of protected health information.
  8. Information Resources and Technology (IRT) – the Rowan University department responsible for the governance of all information and technology.
  9. IT Consulting – a third party used to provide IT consulting services including system design, planning, auditing, and/or advisory services.
  10. IT Services – a third party used to provide any other IT services, not classified as IT consulting, including IT management, hosting, repair, installation, maintenance, etc.
  11. Rowan University IT Purchasers – faculty, staff, non-employees, students, attending physicians, contractors, covered entities, agents, and any other third parties of Rowan.
  12. Software – computer programs that direct the operation of a computer or process electronic data.

V.  REFERENCES

  1. Data Governance Policy
  2. Mobile Computing & Removable Media Policy: https://confluence.rowan.edu/display/POLICY/Mobile+Computing+and+Removable+Media
  3. Workstation Use Policy: https://confluence.rowan.edu/display/POLICY/Workstation+Use+Policy

VI.  POLICY

  1. Rowan University wants to ensure that we are meeting our responsibilities as IT users by guaranteeing that all IT Resources purchased within Rowan University are compatible with Rowan's information technology (IT) and in compliance with security requirements and regulations. IT purchasing can be an intricate process involving obscure terminology and possible legal or financial obligations for you and the University. Accordingly, prospective purchasers will obtain consultation and approval from Information Resources and Technology personnel who are familiar with these details, and who routinely implement and manage these IT Resources.
  2. All IT acquisitions including, but not limited to, software, hardware, IT consulting, and IT services by academic, administrative, and clinical & research departments will require approval for purchase from the Office of IRT (Information Resources and Technology) since IT Resources:
    1. May be used by more than a single individual and/or have the likely potential for the same or

    2. May need to interface with other University IT Resources or

    3. May be used to process, store, or transmit University data.
  3. The IT purchaser is responsible for obtaining all funds needed to purchase, install, and maintain the IT Resource for current and future costs. These funds will be transferred into the IRT budget via yearly DCA transfers (or other means as needed). The transfers will cover all costs, including:
    1. The internal cost to install the IT Resource(s).

    2. Any consulting required to configure or maintain the IT Resource(s).

    3. Any additional cost for bandwidth and storage.

    4. Ongoing annual maintenance, licensing, and fees.

    5. Any additional cost to properly protect University data.
  4. NON-COMPLIANCE AND SANCTIONS
    1. Violations of this policy are strictly prohibited and may require the removal of any unapproved IT Resources at the purchaser's expense and possible disciplinary action.

VII.  ATTACHMENTS

  1. Attachment A - IT Acquisition Requests


By Direction of the CIO: 

Mira Lalovic-Hand
SVP and Chief Information Officer


ATTACHMENT A
IT ACQUISITION REQUESTS

  1. Responsibilities:

    1. IT purchasers will submit IT acquisition requests, and make themselves available during the IT evaluation process to answer questions. IT purchasers are required to notify IRT of any changes and/or cancellations prior to the renewal of IT Resources. IT purchasers are required to complete DCAs within 10 days of notice from IRT so that funds are available to IRT to purchase or maintain IT Resources.
    2. IRT functional leaders (or relevant committees) will evaluate each IT acquisition request and recommend approvals to the CIO within a reasonable time frame.
    3. IRT staff or IRT-approved delegates will image and manage all Rowan-owned computers.
  2. Procedures
    1. Requests for the acquisition of IT Resources will be submitted to the Office of IRT via the University's On-line IT Acquisition Form available as an option in the Finance section of Banner Self Service.
    2. Academic IT Resources
      1. IRT functional leaders will review the request based upon the information provided in the on-line form's "Justification" section along with the following criteria: Can the University:
        • Utilize concurrent licensing to eliminate wasteful per-workstation license costs and only purchase based on actual monitored need.
        • Where concurrent licensing is not available from a necessary vendor, leverage all individual licenses into one master agreement.
        • Utilize existing University-licensed software (or other IT Resources) for the request to achieve similar functionality.
        • Utilize open-source or other lower-cost alternatives if they provide similar functionality.
      2. Office of IRT will complete their section of the University's On-line IT Acquisition Form within 10 business days of its receipt.
      3. All Academic IT Acquisitions, including those exempt from this policy, must be authorized by and managed by IRT, and comply with all applicable IRT policies, as well as state and federal regulations including, but not limited to, FERPA, GLBA, and HIPAA.
    3. Administrative IT Resources
      1. IRT functional leaders meet with the requesting office to review the request based upon the following criteria:
        • Does this IT Resource provide functionality that currently exists in other administrative IT Resources the University already licenses?
        • Does the proposed IT Resource need to interface to existing administrative IT Resources that the University already supports?
        • Will the proposed IT Resource contain data that the University will need to report upon via the Office of IERP?
        • Are all offices that may be impacted as a result of implementing such IT Resource fully informed of the IT Resource's potential impact on their operations?
        • Assess all costs associated with IRT's continuous support of the IT Resource(s).
        • Assess percentage of improvement to current processes in cases where Rowan does not have full capability requested.
      2. If the CIO determines that it is in the best interest of the University (based upon the recommendations by the IRT leadership team), to purchase the IT Resource requested, the requesting office will be so informed. Prior to actual acquisition, the appropriate staff will work with the requesting office to fully develop an IT Resource implementation and support plan. IRT staff will meet with the requesting office, other impacted offices, and vendor representatives, to develop a proposed implementation and support plan. As part of this IT Resource implementation planning process the IRT staff will assess the maturity of the IT Resource for inclusion within the University's production IT environment. The final plan will take into consideration the vendor's roadmap for updated releases to ensure the IT Resource version purchased is indeed production ready. Only when the Office of IRT has approved the proposed plans will approval be granted for the IT acquisition. These plans will include the proposed project team, which will include the Assistant Director of Enterprise Information Services who will represent IRT on the project team and serve as the technical project lead.
      3. All Administrative IT Acquisitions, including those exempt from this policy, must be authorized by and managed by IRT, and comply with all applicable IRT policies, as well as state and federal regulations including, but not limited to, FERPA, GLBA, and HIPAA.
    4. Clinical IT Resources
      1. IRT functional leaders and Clinical System staff will:
        • Review the IT acquisition request and discuss with the requesting office.
        • Complete a Feasibility Analysis to identify current and future operational processes and problems, requirements (business, application, hardware, network, resources, etc.), training, funding, and on-going support needs.
        • Present the Feasibility Analysis to the RowanSOM Clinical Governance Committee for review. The Governance Committee will determine if the project should be funded and when the IT Resource will be implemented based on project prioritization criteria.
        • Notify the requesting department of the outcome.
      2. All Clinical IT Acquisitions, including those exempt from this policy, must be authorized by and managed by IRT, and comply with all applicable IRT policies, as well as state and federal regulations including, but not limited to, FERPA, GLBA, and HIPAA.