Last Edit: 07/26/2018
Purpose
All technology purchases made by any employee or unit within the College should be governed by a guiding set of protocols. This document seeks to define how to evaluate technology needs and how to get approval for technology purchases. Purchases should not be allowed without consultation with CCIT and CC Purchasing. The review process is intended to ensure:
- Appropriate hardware and software are purchased to operate efficiently within the University and College's environment
- We receive the best pricing through economies of scale (when possible)
- Proper review of licensing agreements
- Clear expectations of maintenance, licensing, connectivity, and integrations
Guidelines
All purchases of technology hardware and software, regardless of type, must be approved by CCIT. College units may not procure hardware or software without an approved request in a CCIT Service Desk ticket. Departments are expected to work with CCIT prior to completing purchase requisitions/orders for selected hardware, software, or services. All hardware should follow standardized and approved configurations from CCIT.
Examples of technology covered by this policy include, but are not limited to:
- Desktop or laptop computers made by any manufacturer
- Tablets made by any manufacturer
- Printers and copiers
- Hardware peripherals
- Software purchases (internally through CU or from third-party vendors)
- Single-license desktop software
- Server-based application software
- Software as a service (SaaS)
- Hosted software solutions
- Technology-based consultation
- Managed technology services
Criteria for approval, depending on the circumstance, may include:
- Encryption
- Network connectivity
- Security
- College-wide standardization recommendations
- Compatibility and integration with centralized systems like SIS, authentication mechanisms (CAS or Shibboleth), or other CUIT-provided services
- Manufacturer reputation
- Vendor review
- University/College relationship
- Reputation
- Support
- Technical support required
- Existing license agreements
- Pricing
- University policy/compliance
- Acceptable use
- Network
- Security and endpoint protection
- Records and data management
- PCI
- Federal, state, and agency regulatory policy compliance
- FERPA
- HIPAA
- GDPR
- Use/collection of data
- Accessibility and ADA requirements
Procedure
Departments should execute the following steps for technology purchases:
- Conduct an initial review, where possible, of the needs within the department that this technology is intended to meet.
- Create a CCIT Service Desk ticket requesting the technology needed by emailing ccit@columbia.edu.
- Begin review with CCIT based on the above guidelines; work together to document and discuss discrepancies and issues found during discovery.
- Obtain approval from CCIT for the purchase after successful review.
- For managed, hosted, cloud-based services, SaaS, subscription-based software:
  - Complete the University Service Compliance Checklist
  - Complete the University Data Protection Agreement
  - Complete the pre-RSAM questionnaire
- Submit quote and supporting documentation to CC Finance.
- Upon completion of purchase:
  - Hardware - have equipment shipped to CCIT to be inventoried and set up, if applicable.
  - Software and/or Services - engage CCIT and the vendor to set up and configure; CCIT may only be responsible for some configuration options, while the department or unit may be responsible for actual setup and use. CCIT reserves the right to request and maintain an administrator (high-level user access/permission set) to all software and services within the College.
College Computer Replacement Policy
Desktops and laptops purchased by the College are replaced on a rotating 4-year basis (this may be less in cases where the manufacturer does not offer additional coverage). CCIT will select a standardized desktop system, based on College needs and industry trends, that will serve as the base model for all College units. Existing machines will be replaced when they reach their last year of service support. Computer replacements will be purchased through the College's plant budget for that year. CCIT will also select a standardized laptop system for those units which require it. Units which require laptops will be required to pay the difference in price between the standard desktop base model and the laptop. Computers for newly created positions will also be covered from the College's plant budget for that year. CCIT will typically begin a review of current system inventory in March for a purchase to be made in April. Large orders of equipment typically take 2 months to be built and shipped. Once arrived, computers will be imaged and prepped for summer deployments.
Please see CCIT's Inventory Refresh Criteria for more information regarding how the College's workstations are classified and replaced.
Definitions
- Administrator account
- Cloud service
- Data Protection Agreement (DPA)
- Family Educational Rights and Privacy Act (FERPA)
- General Data Protection Regulation (GDPR)
- Hardware as a service (HaaS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Managed services
- Software as a service (SaaS)