
Enterprise Software Procurement Procedures

Contents:

I. General
Certain software that is installed on UTA-owned or UTA-controlled systems must be properly reviewed by the Information Security Office (ISO) for risk and compliance before purchase. Examples include mission-critical software (i.e., essential for the mission and functioning of the institution), software that may store or otherwise handle confidential information (e.g., FERPA data), or security software (i.e., software that is used for scanning for vulnerabilities, malware detection, or monitoring critical systems, or that may otherwise affect the security of UTA's information resources). Depending on the nature of the software and the classification of the data involved, procurement reviews can be complex and can take a fair amount of time. This procedure outlines the steps needed to quickly and efficiently receive approvals before a purchase is made.

NOTE: Desktop software generally does not need to be reviewed by ISO if it is not considered a security tool and does not otherwise pose a risk to the institution and its constituents.

II. Procurement Overview
The requester (i.e. future owner) should ensure that the following departments are made aware of the desire for the software as early as possible by submitting the Request Software Purchase Approval form in Service Now.

  • Information Security Office: Due-diligence security checks need to occur on all procurements involving Confidential or Controlled information, mission-critical systems, or security. Enterprise architecture reviews will need to be completed, and roles and responsibilities identified, before the software is deployed.
     
  • Procurement Office: Determine whether the dollar amount or nature of the service requires requests for proposals (RFPs) or bids. Contact the Procurement Office if you require guidance.

  • Legal Affairs: If no formal procurement process is required, once a vendor is selected, obtain the contractual language from the prospective vendor and provide it to the University Attorney for review. If a formal procurement process is required, Procurement Services will coordinate the contract review with Legal Affairs. If a Purchase Order is going to be issued, please make sure your vendor is aware of UTA's standard terms and conditions.

  • Office of Information Technology: If there are any integration points, or resources required from OIT, then make sure that IT Governance has been engaged, especially if the service is new. OIT is also responsible for completing accessibility reviews on software purchased by the institution.

The involvement of these departments is essential to ensure that appropriate approvals, adequate risk mitigation, data roles and responsibilities, and billing (if any) have been considered and established. An additional benefit of this process is to obtain the best price or performance, avoid unnecessary licensing costs, and aid with choosing Cloud Services that can be supported and even customized.

III. Procurement Planning
While the Office of Procurement, Legal Services, Information Security Office and Office of Information Technology can work concurrently and cooperatively on a particular acquisition, it will take time to review and approve. Please do not wait until the end of the fiscal year to request a review of the service, as this is generally a peak period for all departments and will risk procurement delays. Plan for a minimum of 5-10 business day turnaround by ISO, depending on the nature of the procurement.

IV. Procedure for the Sponsoring Department

The Office of Procurement, Legal Affairs, Information Security Office and Office of Information Technology have collaborated to develop a more streamlined process to ensure your request is handled in a timely manner. You are encouraged to reach out to the Information Security Office as early in the fiscal year as possible.

  1. Log onto Service Now and Request Software Purchase Approval.
  2. Complete the Information Security Sponsoring Department Procurement Questionnaire found below in the forms section and attach it to your request.
  3. OIT and ISO will determine if the institution already offers an equivalent service. If one exists, then OIT will work with you to determine if you or your department can take advantage of the agreement that is in place.
  4. If you determine that UT Arlington data will be created, transferred, manipulated or otherwise handled on a third-party service, then there will be additional steps outlined in the Third Party and Cloud Procurement Procedures.

V. Updates and modifications to this document

This document will be modified as necessary to address changes in technology, processes and identified risks. It is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that they are incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.

VI. Forms
Please submit the latest version of these forms electronically.

  1. To be completed by sponsoring/requesting department - Information Security Sponsoring Department_Procurement Questionnaire (Version 1.4)

VII. Revisions

Version Date Changes
1.0 9/7/2018 Initial Publication.