IT Standard: Electronic and Information Technology (E&IT) Decisions

Brief Description:

Requirements and responsibilities for reviewing and making university technology decisions

Introduction:

CSU and Cal Poly policies, including the Policy on Electronic and Information Technology (E&IT) Decisions, require close review of all technology decisions. This standard establishes the criteria for reviewing and making technology decisions, provides guidelines for required or recommended reviews and their conduct, and defines the roles and responsibilities of those involved in the review process.

It is important to recognize not only the value of the product or service to the functional area but also that it must integrate effectively with Cal Poly and CSU requirements for service, support, accessibility, security, technology, or compliance with regulation or law. Finally, available resources and established priorities must be taken into consideration when making any technology decision.

Scope:

Unless otherwise specified, this standard applies to any E&IT product or service being considered, newly acquired or developed, donated, renewed, upgraded, or implemented on campus, regardless of who initiates the request, the funding source, or the cost. Any E&IT product or service may be subject to review based on substantive changes (e.g., technical, functional, operational) since its last review or its potential impact on users and/or the University.

Standard (Required):

All applicable E&IT products and services will be reviewed for:

  • Accessibility, e.g., Section 508 compliance, VPAT
  • Information Security, e.g., FISMA/PCI/HIPAA compliance, data classification and handling, certifications (e.g., AOC, HIPAA, ROC, SOC3, SSAE16), etc.
  • Technology Integration and Support, e.g., authentication, data access needs, networking, etc.
  • Fit with established university level IT initiatives, priorities and strategic direction
  • Purchasing requirements, e.g., contract, licenses, sole source, gift-in-kind, etc.

The following categories of E&IT products and services are subject to review:

  • Software and operating systems, including online “cloud-hosted” applications and services, e.g., subscription databases, licenses, subscriptions
  • Web-based content, e.g., websites, online surveys and other content, social media sites, online subscriptions, etc.
  • Telecommunication products, e.g., telephones, cell phones, smart phones, etc.
  • Video and multimedia products and services, e.g., TV displays and tuners, projectors, media players and recorders, wearables, and mediated content such as DVDs, streaming media, etc.
  • Self-contained, closed products, e.g., printers, scanners, copiers, kiosks, digital cameras, scientific instruments, etc.
  • Hardware, e.g., servers, appliances, computers, mobile devices, storage, peripherals, etc.

In general, if a product or service fits into one of these categories, requires user interaction, and involves collecting, creating, analyzing, converting, transferring, storing or duplicating data or information, then it is covered.

The following evaluation criteria will be considered as part of the review process:

  • Potential impact on the university community, e.g., numbers and types of users affected
  • Potential impact on other campus resources, e.g., are ITS/other units needed to implement it?
  • Whether the product or service can integrate with existing IT infrastructure and in what ways
  • Whether there is sufficient commitment and resource for ongoing support
  • Whether the product or service meets a functional need identified as a university priority
  • Whether the product or service meets CSU/Cal Poly compliance requirements
  • Whether other policy and regulatory requirements apply
  • Whether the product or service is already in use, for how long, and the effect of altering or stopping its use
  • Whether an already approved product or service can meet the functional requirements
  • Potential risk/impact to the university of implementing a non-compliant product or service
  • Potential risk/impact to the university of not implementing the specific product or service

Recommended:

Reviews are recommended but not required for

  • E&IT products or services being acquired on behalf of a single individual solely for their own use
  • E&IT products already licensed and approved by ITS for campus use; however, if there have been substantive changes (technical, functional, operational), a review is required

Any other exemptions will be determined by the E&IT Process Review Team.

Responsibilities:

The responsibilities assigned to each of the following roles associated with the E&IT review process have been defined as part of this standard but are posted on a separate page.

  • E&IT Process Liaison (ITS-ES)
  • Campus Section 508/E&IT Compliance Officer (IS-OCIO)
  • Campus Information Security Office (IS-ISO)
  • VP/CIO or Designee (IS-OCIO)
  • University Technology Governance Council (UTGC)
  • Department/Requester/Admin Support
  • Campus IT Coordinator (Local IT Support)
  • Information Security Coordinator (Division/College)
  • Strategic Business Support Services Buyer (AFD)
  • Vendor/Contractor/Developer
  • Disability Resource Center (Student Affairs)
  • Human Resources/Office of Equal Opportunity
  • Accessible Technology Specialist (CTLT)

Non-Compliance and Exceptions:

  • Issues of non-compliance will be documented as part of the review process
  • Strategies and plans to address issues of non-compliance must be documented by the requester using established university processes, e.g., exception requests, EEAAP form, etc.
  • Requests for exception must be reviewed and approved by the VP/CIO or designee

Implementation:

Effective Date: 9/1/2015
Review Frequency: Annually or as needed based on policies and regulations
Responsible Officer: Vice Provost/Chief Information Officer
Responsible Office: Information Services/Office of the CIO

Revision History:

Effective Date: July 2015
Actions Taken: Revised to encompass all technology decisions, not just software, based on policies and practices established since initial release. Updated to reflect current criteria, required and recommended reviews, and roles and responsibilities in technology decisions.

Effective Date: March 22, 2007
Actions Taken: Initial release of policy and related standards and practices.
