General Description
Purpose:
Establish a software and cloud solution purchasing policy for CSUB employees that integrates our accessibility compliance, information security requirements, payment card industry requirements, integration, and non-duplication of functionality into the product selection process.
Definition:
Software - an application that is installed and runs either on an on-premise server or a local desktop.
Cloud Solution - a hosted application, typically subscription based, that is run from a service provider with internet-based servers hosting applications.
Scope:
This policy applies to all CSUB departments, employees and auxiliaries, and to all applications, whether locally installed software or cloud-hosted Software as a Service (SaaS), regardless of price.
Policy/Procedure
Compliance Requirements:
The purchasing project sponsor(s) should note that certain types of data require the university to comply with external mandates. Such mandates include, but are not limited to:
- Federal Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Standards Supporting Documents (PCI)
- Section 508 of the U.S. Rehabilitation Act
- California State University Accessible Technology Initiative Accessibility Requirements
All applications need to be evaluated and approved by the CSUB Solutions Consulting Committee prior to purchase.
The CSUB Solutions Consulting process is part of CSU, Bakersfield's commitment to ensure that resources and tools used on campus are accessible, secure, and integrated.
There are 3 main areas assessed as part of Solutions Consulting review:
- Accessibility Risk
- Information Security Risk
- System Compatibility
Chancellor's Office policy requires the campus to purchase Electronic and Information Technology (E&IT) products that meet Section 508 Accessibility requirements. Systems and applications that are not accessible pose a risk to the campus if a student, faculty, staff, parent, or the public is unable to use them.
An information security risk review of the product involves evaluating the type of data the application collects or manages, determining the appropriate controls that would need to be put in place to protect that data, and ensuring service providers have the proper systems and policies in place to protect data they control.
The system compatibility review ensures that the application will work as intended with the systems on campus and is not a duplication of an existing product or service that is already in use on campus.
Controls
The Procurement Department will not process a purchase request for an application or cloud service without obtaining CSUB Solutions Consulting approval first.
Any application or cloud purchase made on a CSUB procurement credit card (Pro Card) without obtaining prior CSUB Solutions Consulting approval will be denied and the purchaser will be liable for the cost according to the purchasing card policies.
Requesting technology software, services, or solutions - https://csub.service-now.com/sp?id=sc_cat_item&sys_id=2ba42aa8dbdd23006fac36ee9d961976
Review (Frequency and Process)
This policy should be reviewed annually and updated if needed.