Software and Data Collection Services Acquisition Regulation - Interim
|Title|Software and Data Collection Services Acquisition Regulation|
|Sub-category|Security and Compliance|
Approved to post as an interim PRR on June 25, 2018.
Chief Information Officer (252) 328-9000, Director of Materials Management (252) 328-6434
The purpose of this regulation is to seek good stewardship of the University’s resources by managing cost through standardizing where possible and ensuring flexibility to meet the academic mission. Other purposes are to ensure that resources are used as effectively and efficiently as possible, that data security standards are protecting University data, and that all acquisitions of software are properly vetted and approved, whether on-site, software as a service (SAAS or “cloud”), data collection services, or consulting agreements.
1.2.1. Cloud Services
Cloud services include software or hardware services provided by third parties at remote locations that are not directly controlled by or associated with the University. Other terms that refer to similar services include but are not limited to cloud hosted services, hosted systems, online tools, software as a service, platform as a service, and infrastructure as a service. These include purchased software applications that are hosted at a data center external to ECU and content hosted by external service providers.
1.2.2. Covered Persons
All persons and entities employed by or performing work on behalf of the University, including but not limited to, staff, faculty, student workers, contractors, and volunteers.
1.2.3. Data Stewards
Data Stewards are designated University employees who ensure the Appropriate Use of Institutional Data within their designated areas of administrative responsibility. Data Stewards direct the management of Institutional Data in order to improve its usability, accessibility, and quality. They assist in the development, maintenance, and implementation of data management policies, processes, and requirements. Data Stewards are appointed by and delegated authority from the Data Trustees and are responsible for managing defined segments of Institutional Data.
1.2.4. Institutional Data
Institutional Data means any information, facts, statistics, data, or records in any medium now existing or existing in the future that are created, acquired, maintained, managed, used, or transmitted by Covered Persons in the course and scope of employment, volunteering, or otherwise on behalf or in furtherance of the mission of the University.
Software as a service, sometimes referred to as "on-demand software" supplied by independent software vendors (ISVs) or "Application Service Providers," is a software delivery model in which software and associated data are centrally hosted in the cloud.
1.2.6. Data Collection Services
Data Collection Services are the systematic gathering and measuring of information from a variety of sources to get a complete and accurate picture of an area of interest. Data Collection Services enable a person or organization to answer relevant questions, evaluate outcomes, and make predictions about future probabilities and trends.
Software is a set of instructions or programs instructing a computer to do specific tasks. Scripts, applications, programs and a set of instructions are all terms often used to describe software.
The term ‘acquisition’ refers to all the stages from buying, introducing, applying, adopting, adapting, localizing, and developing through to distribution, whether the specific product is purchased or free.
1.3. Prohibition on Software and Cloud Services Use without Approval
The Chief Information Officer and/or their designee is the final approver of all software and cloud services. Data steward approval is required for institutional data storage and/or usage. No software or cloud solution may be used to process or store institutional data without these approvals.
1.4. Applicable Policies, Procedures, Regulations, Federal, State, Local Laws, and Contracts
Use of software and cloud computing services must be in compliance with all University policies and regulations, contracts, and federal, state, and local laws. All University and campus policies, procedures, and guidelines apply to any institutional data, whether the data is stored on University or non-University systems.
Prior to use, all software, cloud solutions, or data collection services must be reviewed by ITCS for compatibility with existing infrastructure and applications, duplication of existing services, security and accessibility of the software or services, and risks associated with its use. Software, cloud solutions, or data collection services that use, process, or store University data regulated by federal or state laws or other applicable regulations, such as protected health information, educational records, or credit card information will be subject to more in-depth reviews. The ITCS review process will typically be initiated during the purchasing process. All departments/units and employees are responsible for ensuring that the review process is triggered, whether software or services are acquired via the Requisition/Purchase Order process, on a University ProCard, or downloaded from the web (in the case of “free” tools and services).
Any use, processing, or storage of institutional data in software, cloud solutions, or data collection services is prohibited unless approved by the relevant data stewards and the Chief Information Officer or his/her designee. This applies to software that is locally installed as well as tools that are cloud-based. It applies to purchased tools as well as free software and services.
2.3. Contract Review and Approval
The Department of Materials Management will maintain a preferred contract template which has been vetted by the CIO and the Office of University Counsel for University use (“ECU Hosted Services Contract”). All contracts, terms of agreement, memorandums of understanding, and service level agreements must include the primary components of the ECU Hosted Services Contract. Any exceptions to this requirement (such as any modified wording that is requested by a vendor) must be approved by Materials Management. In some cases, based on the data type (e.g., protected health information), additional agreements (e.g., HIPAA Business Associate Agreements) and contract terms are required. In the case of software that is downloaded from the internet and requires the user to “click through” any agreement(s) at the time of download, the terms of the click through agreement(s) must be reviewed and approved by the official with the appropriate authority according to the Delegation of Authority to Sign Contracts regulation.
2.4. Risk Acceptance
In some instances, software, cloud solutions, or data collection services may pose risks that are inconsistent with best practices in technical and information security, or pose other risks which the appropriate data steward(s) or their representative committee(s) do not approve. In situations in which the applicable data steward(s)/committee(s) do not initially approve the acquisition and use of a specific tool, the decision is final unless the associated risks are formally reviewed and accepted by the appropriate division Vice Chancellor and/or designee, and the Chief Information Officer. These situations require a signed IT Security Risk Acceptance Form. In all cases, the Risk Acceptance requires the acknowledgement of the appropriate institutional data steward(s), and the written approval of the division Vice Chancellor and/or designee, and the Chief Information Officer.
2.5. Periodic Review
Software, cloud solutions, and data collection services are subject to periodic review by ITCS and/or the applicable data steward(s) during the contract and/or purchasing renewal to determine whether there have been changes in the technology that impact data collection, processing, storage, interfaces, or the use agreement/contract, and to review whether the vendor has met the contractual service level agreement. Software, cloud solutions, or data collection services that use, process, or store University data regulated by federal or state laws or other applicable regulations, such as protected health information, educational records, or credit card information, will be subject to more in-depth reviews. Products/solutions that impact sensitive or regulated data may need to be reviewed at more frequent intervals, at the discretion of the applicable data steward(s).
Administrators of software or data collection services are required to follow University best practices as published by ITCS for administration and management of software or data collection service systems.
Unit/Department heads are responsible for ensuring that their subordinates are aware of the requirement to comply with this Regulation. It is the employee/requestor's responsibility to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use software, cloud solutions, and data collection services. It is the responsibility of the employee using these services to ensure the use is consistent with all applicable policies, regulations, and rules. Failure to comply may result in disciplinary actions.