Electronic and Information Technology (E&IT) Decisions - E&IT Review Process Overview
In accordance with Cal Poly's policy on Electronic and Information Technology (E&IT) decisions and related standards, all Cal Poly departments, auxiliaries, and employees are required to follow the E&IT Review Process when deciding to acquire, develop or accept E&IT products or services.
Prior to making an E&IT decision, especially one involving a new product or service, it is important to consult with unit management and IT support and Information Technology Services (ITS) to assess the priority, resource implications, potential impact and alternatives, and available tools to meet the need.
Below is a brief overview of why the process exists, what is covered, when it applies, whom to contact and where to go for more information.
E&IT Review Process - Overview
- Whom do I contact?
- Why does the process exist?
- What is covered?
- When does it apply?
- Where do I get more information?
- E&IT Review Process Flow (separate page)
The following staff are available to assist throughout the process
|E&IT Process and Policy Clarifications||Office of the CIOemail@example.com||756.2966|
|E&IT Process Liaison||Craig Schultz, ITSfirstname.lastname@example.org||756.6117|
|Information Security Officer (ISO)||Doug Lomsdalen, ITS-ISOemail@example.com||756.7686|
|Procurement Services||See Web page||https://afd.calpoly.edu/cprm/contact||756.2232|
The E&IT process exists to help requesters make the best possible decision, ensure compliance obligations are met, provide due diligence, and oversee effective use of campus resources.
E&IT requests are reviewed based on criteria established in the E&IT Decisions Standard. This includes compliance with existing laws, policies and standards, e.g., accessibility, information security, technology integration/support, and contracts/procurement.
In addition, E&IT requests are reviewed for strategic technology direction and fit with CSU/campus IT infrastructure, projects and initiatives, including road maps. This includes: policies and standards for integration, reliability, security; resource and support requirements; data use and access; and business processes, e.g., opportunities, impacts and sustainability.
Managed by ITS, the E&IT process is aligned with and seeks to ensure consistency and efficiency of CSU/campus business and compliance processes.
Executive guidance is provided by the VP, Information Technology Services/Chief Information Officer (CIO) in consultation with Cal Poly’s University Technology Governance Council (UTGC).
As the requestor, departments are accountable / responsible for understanding opportunities, risks and trade-offs to Cal Poly associated with their product/service acquisition. The E&IT Decisions Standard-Responsibilities defines each role associated with the E&IT decision process.
The E&IT process covers a broad range of products and services as defined by federal and state laws. CSU Executive Orders and Cal Poly policies/standards provide additional guidance.
E&IT includes: software, Web sites and online “cloud based” services, licenses, subscriptions; computers, servers, appliances, and peripherals; mobile devices; multimedia; network, storage, telecom devices; and self-contained systems, e.g., copiers, instruments, printers, kiosks, digital cameras.
More than one type of E&IT product or service may be covered by a single review.
The E&IT process applies to all new products and services regardless of cost, e.g., home-grown, purchased, donated, research or grant funded. It applies to existing products and services when:
- substantive changes occur, e.g., new user interface, new functionality; move to a “cloud-hosted” model; information security model updates; changes to data collection, handling, storage, retention practices
- use expands, e.g., more users are affected
- no prior review is on file
- prior review occurred three or more years ago
E&IT review is not required if the product will be used by a single individual solely for their own use or it is already licensed and approved by ITS for campus use, e.g., site licensed software.
The E&IT review process is aligned with – but separate from – campus purchasing and other business processes.
Substantive product/service changes will invoke an E&IT review, e.g., contract revision; upgrade that has compliance impacts; improvements on information security, accessibility).
Based on the completed review, an exception process is available for specific situations, e.g., products or services found to be non-compliant.
|E&IT Review Process Flow
E&IT Review Forms
|E&IT Online Checklist Third Party Security Questionnaire,
VPAT, EEAAP, E&IT Overview and Process Flow Charts
|Accessibility & Disability Information||CSU Executive Orders, Cal Poly Policies and Standards, Compliance / Legal, Reference Links/Information|
|Information Security||CSU Policies and Standards, Cal Poly Policies and Standards, Compliance / Legal, Reference Links/Information|
|Contracts and Procurement||Cal Poly Policies and Procedures, Compliance / Legal, Reference Links/Information|
|University Advancement||Gift Acceptance Forms|