IT Standard: Electronic and Information Technology (E&IT) Decisions
Requirements and responsibilities for reviewing and making university technology decisions
- Cal Poly Policy on Electronic and Information Technology Decisions
- Cal Poly Information Security Program [PDF]
- Cal Poly Accessible Technology Policy
- CSU Accessibility Policy (Executive Order 926)
- CSU Information Security Policy (Section 8000 - ICSUAM)
- CSU Contracts and Procurement Policy (Section 5000 - ICSUAM)
CSU and Cal Poly policies, including the Policy on Electronic and Information Technology (E&IT) Decisions, require close review of all technology decisions. This standard establishes the criteria for reviewing and making technology decisions, provides guidelines for required or recommended reviews and their conduct, and defines the roles and responsibilities of those involved in the review process.
It is important to recognize not only the value of the product or service to the functional area but also that it must integrate effectively with Cal Poly and CSU requirements for service, support, accessibility, security, technology, or compliance with regulation or law. Finally, available resources and established priorities must be taken into consideration when making any technology decision.
Unless otherwise specified, this standard applies to any E&IT product or service being considered, newly acquired or developed, donated, renewed, upgraded, or implemented on campus, regardless of who initiates the request, the funding source, or the cost. Any E&IT product or service may be subject to review based on substantive changes (e.g., technical, functional, operational) since its last review or its potential impact on users and/or the University.
All applicable E&IT products and services will be reviewed for:
- Accessibility, e.g., Section 508 Compliance, VPAT
- Information Security, e.g., FISMA/PCI/HIPAA compliance, data classification and handling, certifications (e.g., AOC, HIPAA, ROC, SOC3, SSAE16), etc.
- Technology Integration and Support, e.g., authentication, data access needs, networking, etc.
- Fit with established university level IT initiatives, priorities and strategic direction
- Purchasing requirements, e.g., contract, licenses, sole source, gift-in-kind, etc.
The following categories of E&IT products and services are subject to review:
- Software and operating systems, including online “cloud-hosted” applications and services, e.g., subscription databases, licenses, subscriptions
- Web-based content, e.g., websites, online surveys and other content, social media sites, online subscriptions, etc.
- Telecommunication products, e.g., telephones, cell phones, smart phones, etc.
- Video and multimedia products and services, e.g., TV displays and tuners, projectors, media players and recorders, wearables, and mediated content such as DVDs, streaming media, etc.
- Self-contained, closed products, e.g., printers, scanners, copiers, kiosks, digital cameras, scientific instruments, etc.
- Hardware, e.g., servers, appliances, computers, mobile devices, storage, peripherals, etc.
In general, if a product or service fits into one of these categories, requires user interaction, and involves collecting, creating, analyzing, converting, transferring, storing or duplicating data or information, then it is covered.
The following evaluation criteria will be considered as part of the review process:
- Potential impact on the university community, e.g., numbers and types of users affected
- Potential impact on other campus resources, e.g., are ITS/other units needed to implement it?
- Whether the product or service can integrate with existing IT infrastructure and in what ways
- Whether there is sufficient commitment and resources for ongoing support
- Whether the product or service meets a functional need identified as a university priority
- Whether the product or service meets CSU/Cal Poly compliance requirements
- Whether other policy and regulatory requirements apply
- Whether the product or service is already in use, for how long, and the effect of altering or stopping its use
- Whether an already approved product or service can meet the functional requirements
- Potential risk/impact to the university of implementing a non-compliant product or service
- Potential risk/impact to the university of not implementing the specific product or service
Reviews are recommended but not required for:
- E&IT products or services being acquired on behalf of a single individual solely for their own use
- E&IT products already licensed and approved by ITS for campus use; however, if there have been substantive changes (technical, functional, operational), a review is required
Any other exemptions will be determined by the E&IT Process Review Team.
- E&IT Process Liaison (ITS)
- Campus Section 508/E&IT Compliance Officer (ITS)
- Campus Information Security Office (ITS)
- VP/CIO or Designee (ITS)
- University Technology Governance Council (UTGC)
- Department/Requester/Admin Support
- Campus IT Coordinator (Local IT Support)
- Information Security Coordinator (Division/College)
- Strategic Business Support Services Buyer (AFD)
- Disability Resource Center (Student Affairs)
- Human Resources/Office of Equal Opportunity
- Accessible Technology Specialist (CTLT)
Non-Compliance and Exceptions:
- Issues of non-compliance will be documented as part of the review process
- Strategies and plans to address issues of non-compliance must be documented by the requester using established university processes, e.g., exception requests, EEAAP form, etc.
- Requests for exception must be reviewed and approved by the VP/CIO or designee
Related Procedures and Resources:
- Electronic and Information Technology (E&IT) Review Process
- Cal Poly Accessible Information Technology Procurement Website
- Information Security Standards
- IT Policy/Security Standard Exception Request Process
- Cal Poly Contracts and Procurement Website
- IT Roadmaps Wiki Space - for internal campus use only
- University Technology Governance Council (UTGC)
- Facilities Customer and Business Services - building permits, services requests, etc.
Annually or as needed based on policies and regulations
|Responsible Officer:||Vice Provost/Chief Information Officer|
|Responsible Office:||Information Services/Office of the CIO|
|Effective Date||Actions Taken|
Revised to encompass all technology decisions, not just software, based on policies and practices established since initial release. Updated to reflect current criteria, required and recommended reviews, and roles and responsibilities in technology decisions.
|March 22, 2007||Initial release of policy and related standards and practices|