Fayetteville Policies and Procedures 960.0
Acquisition of Enterprise Systems
- Definition
An Enterprise System is a computing or storage platform that resides on the university network, normally costs in excess of $50,000 including hardware, software, and services, and meets one or more of the following criteria:
- potentially used by more than one college, school, or equivalent non-academic unit;
- requires an interface with another enterprise system;
- contains financial, managerial, confidential or other sensitive or mission-critical information; or
- requires accommodation, infrastructure, or application support that the acquiring unit is unable to provide.
Examples of enterprise systems include, but are not limited to, student information systems, web conferencing, lecture capture, email, learning management systems, virtual desktop environments and databases.
This policy does not apply to routine purchases of desktop and notebook computers, mobile devices, general purpose software, or specialized hardware and software of no potential interest outside the unit in which it is purchased and not requiring central support. This policy is intended to supplement existing University policies regarding procurement, which are structured to meet applicable legal requirements, including state purchasing laws and regulations. In addition, the policy is intended to provide internal guidance to University units and is not intended to create any rights in any third parties.
- Overview
Colleges, Schools, University Information Technology Services (UITS), and other campus units, working through the University’s Purchasing Division, are authorized to purchase enterprise systems in support of their mission provided that the purchases are coordinated through this policy so that the technology is secure, compatible with existing enterprise systems, not unnecessarily duplicative of existing enterprise system functionality, and capable of being supported on the university network.
- Rationale
This policy provides requirements and guidance to colleges, schools, UITS, and equivalent nonacademic units for acquiring enterprise systems and supporting computer hardware, software, and services. In an effort to make the best use of funds, it is vital that all such purchases be coordinated for the following reasons:
- If a purchase is duplicative of an existing system, then it may be possible to include the unit in an existing license, which can realize substantial financial savings.
- System compatibility with the existing infrastructure must be determined.
- A consistent campus computing and storage environment facilitates the most efficient use of resources and leverages economies of size in areas such as disaster recovery, back-up procedures, vendor relations, and sharing campus technical expertise.
- A consistent campus interface and instructional platform saves faculty and support staff learning time and allows for optimal use of classrooms and other instructional resources.
- To ensure institutional compliance with the Arkansas Technology Access Clause from the
State of Arkansas technology policy standards and Act 1227 of 1999, and other state and
federal laws related to accessibility by individuals with disabilities.
- Procedures and Process
- Acquiring Enterprise Systems
Units contemplating the purchase of an enterprise system must first contact UITS to discuss issues of the proposed system’s impact on the security of the university network, the system’s compliance with state and federal disability statutes, whether the proposed system poses any potential duplication of existing university enterprise systems, and the levels of support the proposed system will require from UITS. For the purposes of this policy, an enterprise system may be housed locally on university owned hardware or remotely on a service provider’s hardware, including being “in the cloud.” Contact with UITS should occur as early as possible in the planning process. All enterprise system purchases, including those contemplated by UITS, must be coordinated with the potential user community, usually through the Computing Activities Council (CAC), and be made in coordination with the appropriate colleges, schools, or other affected units. In addition, units contemplating such a purchase should also contact the University’s Purchasing Division early in the process, to discuss issues from a procurement process perspective, including with regard to vendor contact and solicitation.
- Process Details
The process for purchasing an enterprise system is outlined in the following steps, in addition to any procurement process steps required by the University’s Purchasing Division.
- As required by Section I, discussions between the units and UITS regarding the proposed purchase should commence as soon as the units identify the need for the purchase of an enterprise system as defined in this policy.
- Following discussions required by Section I, should the unit decide to proceed with
the purchase, the unit will create a “New Service Request.”
- When a request for a new enterprise system is received by any member of UITS, it will be sent to the appropriate Associate Director.
- The Associate Director will discuss the request with other UITS Associate Directors and the AVCIT. The appropriate representative for UITS will be designated by the AVCIT. This person will review the information available, including accessibility to individuals with disabilities, comment or ask questions, and discuss the system with other responsible persons.
- The New Service Request will require units to document how they expect the enterprise
system to be deployed and maintained, and who within UITS or their own unit will be assigned
the various responsibilities required. The UITS representative designated in Section
II(2)(b) will specifically address issues of resource availability, staffing, and infrastructure
requirements. Should the UITS representative find that additional hardware, software,
or staffing is required by UITS to support the proposed system, the representative
will request additional information from the unit on how the unit will request and
obtain approval for the additional resources. The UITS representative will document
all findings for later review by the unit, the AVCIT, and the CAC. The report will
specifically address:
- whether the proposed system is duplicative of existing enterprise systems,
- whether sufficient resources of personnel, hardware, and software are present with UITS to support the proposed system,
- whether the unit can obtain additional necessary resources to support the proposed system, and
- whether the proposed system can be successfully integrated into the existing university network infrastructure.
- Following review of the proposed system by the UITS representative, if additional information is needed or there is a conflict between the unit and the UITS representative over the suitability of a proposed system, the service request will be forwarded to the Computing Activities Council (CAC) (see Section III) for a recommendation from the CAC on whether the perceived benefits of the proposed system outweigh the costs imposed on UITS and the university. The CAC recommendation will be forwarded to the AVCIT along with the New Service Request and the UITS representative’s report for final review.
- Enterprise system purchases contemplated by UITS will be reviewed by CAC for a recommendation. UITS must request CAC review as soon as the need for a new enterprise system is identified. As a part of its review process, CAC may solicit comment and feedback on the proposed system from the university community and other appropriate stakeholders.
- Following the reviews as detailed in Sections II (1-5) above, the New Service Request will be submitted to a Security Design Review conducted by the UITS Security Team.
- There will be a review of the security of the product on each of the following levels
as well as the security connecting each one.
- Platform
- Database
- Application
- The enterprise system will be reviewed to assure that it adheres to other policies related to data security. (See Related Policies below)
- Security measures will be reviewed to establish compliance with applicable statutory requirements, such as HIPAA, FERPA, or the Gramm-Leach-Bliley Act, and with applicable security standards.
- Upon completion of the Security Design Review, a report of the findings of the criteria set out in this subsection will be prepared and forwarded with the rest of the documentation regarding the New Service Request to the AVCIT.
- Computing Activities Council
The Computing Activities Council (CAC), a standing committee appointed by the Chancellor, shall serve as an advisory committee for enterprise system purchases governed by this policy, whether initiated by colleges, schools, UITS, or other units. The CAC description can be found on the Computing Activities Council page on the Provost's website.
- Final Decision and Appeal Process
The Associate Vice Chancellor for Information Technology (AVCIT) makes the final decision on whether a proposed enterprise system should be acquired following the process set forth in this policy. The AVCIT will review all submissions, reports, and recommendations detailed above and will produce a final report detailing his or her decision and the reasons therefor. The decision of the AVCIT may be appealed to the provost and vice chancellor for finance and administration. As a part of this review, the provost and the vice chancellor for finance and administration may allow or solicit additional input from the deans or directors of the affected units and from UITS. Any exceptions to this policy must be approved by the provost and vice chancellor for finance and administration, in consultation with the AVCIT.
- Related Policies
Data Classification Policy: Any contract signed must include appropriate language regarding security of highly sensitive and internal data.
Data Management Policy: Enterprise systems which involve sensitive data must adhere to this policy.
Previously listed as Fayetteville Policies and Procedures 309.6
Reformatted for Web May 13, 2014
October 10, 2012