Electronic and Information Technology (E&IT) Decisions - E&IT Review Process Overview

In accordance with Cal Poly's policy on Electronic and Information Technology (E&IT) decisions and related standards, all Cal Poly departments, auxiliaries, and employees are required to follow the E&IT Review Process when deciding to acquire, develop or accept E&IT products or services.

Prior to making an E&IT decision, especially one involving a new product or service, it is important to consult with unit management and IT support and Information Technology Services (ITS) to assess the priority, resource implications, potential impact and alternatives, and available tools to meet the need.

Below is a brief overview of why the process exists, what is covered, when it applies, whom to contact and where to go for more information.

E&IT Review Process - Overview

Whom Do I Contact?

The following staff are available to assist throughout the process

Title Name Email Phone
E&IT Process and Policy Clarifications Office of the CIO it-policy@calpoly.edu 756.2966
E&IT Process Liaison Craig Schultz, ITS cschultz@calpoly.edu 756.6117
Information Security Officer (ISO) Doug Lomsdalen, ITS-ISO dlomsdal@calpoly.edu 756.7686
Procurement Services See Web page https://afd.calpoly.edu/cprm/contact 756.2232

Why Does the Process Exist?

The E&IT process exists to help requesters make the best possible decision, ensure compliance obligations are met, provide due diligence, and oversee effective use of campus resources.

E&IT requests are reviewed based on criteria established in the E&IT Decisions Standard. This includes compliance with existing laws, policies and standards, e.g., accessibility, information security, technology integration/support, and contracts/procurement.

In addition, E&IT requests are reviewed for strategic technology direction and fit with CSU/campus IT infrastructure, projects and initiatives, including road maps. This includes: policies and standards for integration, reliability, security; resource and support requirements; data use and access; and business processes, e.g., opportunities, impacts and sustainability.

Managed by ITS, the E&IT process is aligned with and seeks to ensure consistency and efficiency of CSU/campus business and compliance processes.

Executive guidance is provided by the VP, Information Technology Services/Chief Information Officer (CIO) in consultation with Cal Poly’s University Technology Governance Council (UTGC).

As the requestor, departments are accountable / responsible for understanding opportunities, risks and trade-offs to Cal Poly associated with their product/service acquisition. The E&IT Decisions Standard-Responsibilities defines each role associated with the E&IT decision process.

What is Covered?

The E&IT process covers a broad range of products and services as defined by federal and state laws. CSU Executive Orders and Cal Poly policies/standards provide additional guidance.

E&IT includes: software, Web sites and online “cloud based” services, licenses, subscriptions; computers, servers, appliances, and peripherals; mobile devices; multimedia; network, storage, telecom devices; and self-contained systems, e.g., copiers, instruments, printers, kiosks, digital cameras.

More than one type of E&IT product or service may be covered by a single review.

When Does it Apply?

The E&IT process applies to all new products and services regardless of cost, e.g., home-grown, purchased, donated, research or grant funded.  It applies to existing products and services when:

  • substantive changes occur, e.g., new user interface, new functionality; move to a “cloud-hosted” model; information security model updates; changes to data collection, handling, storage, retention practices
  • use expands, e.g., more users are affected
  • no prior review is on file
  • prior review occurred three or more years ago

E&IT review is not required if the product will be used by a single individual solely for their own use or it is already licensed and approved by ITS for campus use, e.g., site licensed software.

The E&IT review process is aligned with – but separate from – campus purchasing and other business processes.

Substantive product/service changes will invoke an E&IT review, e.g., contract revision; upgrade that has compliance impacts; improvements on information security, accessibility).

Based on the completed review, an exception process is available for specific situations, e.g., products or services found to be non-compliant.

Where Do I Get More Information?

Topic Information AVAILABLE
E&IT Review Process Flow
E&IT Review Forms
E&IT Online Checklist Third Party Security Questionnaire,

VPAT, EEAAP, E&IT Overview and Process Flow Charts

Accessibility & Disability Information CSU Executive Orders, Cal Poly Policies and Standards, Compliance / Legal, Reference Links/Information
Information Security CSU Policies and Standards, Cal Poly Policies and Standards, Compliance / Legal, Reference Links/Information
Contracts and Procurement Cal Poly Policies and Procedures, Compliance / Legal, Reference Links/Information
University Advancement Gift Acceptance Forms


Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips