Information Technology Services (ITS) has been working with Purchasing to develop a policy to address the risks and challenges associated with the purchase, deployment and renewal of technology on campus, including software that is free.
That process resulted in the publication of an updated Technology Acquisition and Purchasing Policy for SUNY New Paltz.
ITS has also created a new Technology Acquisition Request Form for new purchases and renewals. Departments should use this form, along with additional documentation described below, when seeking to acquire or renew campus technology.
We realize that it will take some time to become fully compliant, with every software product used on campus having gone through this process, but the time to start is now.
More information about ITS’s challenges and priorities in working toward this solution can be found below.
We identified several challenges primarily related to hardware, software or software service purchases, renewals and uses:
Is this technology needed? We need to make sure that the software is necessary. We may already own the software or have an equivalent solution. A quick review of the product and its purpose can help us determine this.
Is this technology accessible? We need to make sure the software is accessible for campus community members with disabilities. The current method to determine this is to have the vendor provide a Voluntary Product Accessibility Template (VPAT) where the vendor declares the degree of conformance using one of four conformance levels: supports; partially supports; does not support; or not applicable (you can see a VPAT template here). There may be a reason why the vendor does not yet have a VPAT or the circumstances surrounding its use may have limited risk; in that case, an exception request can be completed by the requestor and approved if the criteria are met. SUNY is looking into creating a centralized vendor VPAT repository which could streamline the process in the future.
Is this technology secure? We need to make sure that we know what kind of data is being stored within the software, where the data physically resides, and if the vendor is adequately protecting it. The preferred document we use to determine this is the Higher Education Community Vendor Assessment Toolkit (HECVAT). The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. Before we purchase a third-party solution, we ask the solution provider to complete a HECVAT tool to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents’ PII. More information about HECVATs can be found here.
Will this technology create new demands on support staff? We need to determine if there is any ITS-related support impact. For example, the product may require ITS staff assistance to implement, it may be incompatible with other software or hardware that the college owns, or it may need to be deployed widely across campus or require periodic updating.
Please Note: This applies not only to purchases made and contracts created through the campus’s Purchasing Department, but also to anything purchased or contracted for through CAS, RF, or Foundation.
We created a Technology Acquisition Request Form for new purchases and renewals with the goal of collecting the needed information in parallel with the procurement process as much as possible, in order to keep the overall process moving.
The requesting department should fill out this form and attach the VPAT and HECVAT documentation. This information will be reviewed by Information Technology Services and, if adequate, provided to Purchasing for the processing of the purchase requisition.
More information can be found in this article on the Technology Acquisition and Purchasing Policy.