TigerIT Vendor Management

Policy Title

IT Vendor Management Policy

Full Policy (PDF)

Background and Purpose

Clemson University management of IT Solutions has been heavily directed at procurement and not donation, gifts, and other, often free, solutions. As a result, we have found it difficult to be strategic as more and more IT Solutions were brought to campus.

The policy's purpose is the following:

  • To protect Clemson University’s interests, property, and data.
  • To manage the responsibilities and liabilities of the acquisition of IT solutions with consideration for a myriad of potential factors including state procurement requirements, data governance, export control, compatibility, accessibility and support.
  • To ensure overall compatibility with current CU IT systems (infrastructure, data security, identity management, etc.), reduce duplication, and minimize financial investment.

Executive Summary

Clemson University began an investigation of a possible vendor management policy based on a finding from Internal Auditing advising the University that more controls needed to be in place to effectively manage IT Acquisitions for the University. The term “Acquisitions” was used to include not just IT purchases or licenses, but any IT Solution acquired by a University entity by any means (i.e. procurement, donation, gift-in-kind or other means). As a result of that finding in September 2015, CCIT and Procurement partnered to form a Policy Committee with representatives from Procurement, Legal, CCIT Procurement, Security, and CCIT Internal Operations, to advise and recommend actions to resolve the finding and address the concerns raised by that audit.

Since December 2015, that Policy Committee has met regularly, discussed possible options, and proposed a new University Vendor Management Policy and Framework to address those issues. That proposal included feedback from the Office of General Counsel and the University’s Data Governance Committee, as well as requested reviews from CCIT Leadership and Security, the Export Control Officer, and the Human Resources Office. In October 2016, the task force submitted this proposed policy and framework to the University Data Governance Committee for their approval. The approval process was completed on December 18, 2017 with the President’s Executive Leadership Team. The effective date for the policy implementation was January 6, 2018.

Policy

“All IT solutions, whether obtained through procurement, by gift, through research, donation, open source, or other, shall go through the IT Acquisition process before the new IT solution can be used. IT Services delivered by vendors will be reviewed on a periodic basis in order to ensure contractual obligations are met.”

Exceptions

There is a set of five Pre-Assessment qualifying questions. If any of the answers to these initial questions is yes, then the user must complete the Pre-Assessment questions and be vetted by the IT VM Review Committee.

  1. Is there a signature for a legal agreement required with the acquisition?
  2. Is there any university-owned data involved?
  3. Is the value/cost of the acquisition over $2,500?
  4. Is this an electronic resource used for instruction, information distribution, or communication? (Examples of information and communication technology include Web-based services, software applications, electronic documents, multimedia products, mobile devices, instructional systems, and information kiosks.)
  5. Will this be used for business or academic activities, the delivery of content, or the interaction with individuals for administrative, instructional, or informational purposes?

Hardware will not need to be registered in the Registry Database. That is considered inventory and should be covered under university policy and utilities (i.e. Department Asset Tracking (DAT) Application.)

Policy Reviews

The policy will be reviewed annually by the IT Vendor Management Policy Steering Committee. The makeup of this committee will be determined shortly.

FAQs

How does this policy work?

  • An IT VMP Steering Committee was formed to oversee the policy and review the process annually.
  • Major components of the acquisition process:
    • The IT Solution Review Committee reviews Pre-Assessment questionnaires submitted by owners and/or stakeholders with the help of IT Guides. This step assesses data usage, security, and export concerns. The committee is chaired by the Assistant CCIT CTO and reviews the compatibility of new solutions with current systems and services (using the IT Solution Assessment DB). This board also assists with KPI Reviews of existing solutions.
    • The ITSR Committee will produce a recommendation or assessment (depending on the stage of the IT Solutions) and the evaluation will be used to trigger other University rules or policies, or State / Federal requirements such as Export Control, Legal Issues, Accessibility and other issues.
    • Stakeholders (users, owners, and sponsors) will register all IT Software/Service acquisitions in the IT Solution Registry. IT Guides will assist stakeholders when necessary.
    • Owners will inventory all their hardware in the University’s Inventory tool (DAT/AIM).
    • CCIT Contract Office monitors major contractual obligations.
    • CCIT will continue to promote and communicate the policy and the need for this change to all users.

What is the principal messaging of this policy?

The IT Vendor Management Policy (ITVMP) was approved (12/18/17).

  • Its two basic directions are as follows:
    • Assess before you acquire any IT Solution (any solution delivered by the use of technology).
    • Register after acquiring any IT Solution.
  • We are engaging campus business offices to lead their areas with this policy.
  • With IT Solutions you are already using, please add them to the ITS registry.
    • CCIT is developing web-based tools to help with this effort.
  • Evaluate your renewing IT Solutions with our suggested KPIs (key performance indicators) and measure their performance.

IT Vendor Management Policy process

How do I enter an IT VMP Registration or register a solution?

You can enter a registration by going to the vendor management website at clemson.edu/ccit/itvmp and clicking on the “Register IT Solution” button. It will take you to a Google Form with fifteen questions about your solution. Once complete, you can submit the form to the IT VMP Team for evaluation.

Is there an option to “fast track” an assessment?

Yes, we have approved a process for “Fast Tracking” an assessment request. There are some requirements and limitations to those requests.

Requirements

A requester could ask for a request to be “fast tracked” with the following requirements:

    • A deadline date must be given for the acquisition, and that deadline must be less than 7 calendar days from the submission date of the review request.
    • A fast-track request must have a sponsor as well as a requestor. A sponsor must be a Business Manager, from the VP level, or from Purchasing (Kevin Finan / Mike Nebesky).
    • The requester and sponsor must agree that certain circumstances (if discovered) could halt fast-track status (e.g., a breach condition or a major security issue).
    • There must be agreement from all ITVMP reviewers that this request can be “fast-tracked”. Any objection would trigger a decision to be made at the Deputy CIO / CIO level.

Assessment Process Changes

    • For fast-tracked requests, a label [FT:[Deadline date]] would be added to the end of the assessment request title.
    • Once fast-track status is approved, the Final Status would be changed to “Approved” but the Processing Status would remain “Reviewing”. This allows the request to remain in the reviewing list and be subject to weekly follow-ups.
    • Post an addition to the IT VMP Policy that resets the expectations for the ITVMP Assessment process. Those expectations would indicate the normal length of reviews, the procedures on how to fast-track requests, and the option’s requirements (see below).

Expectations

    • Normal assessment durations can take up to 14 calendar days, with most assessments being completed in 3-5 business days.
    • There are two yearly freeze periods for ITVMP assessments: (1) from June 15th to July 10th for the end-of-year processing period and (2) from December 15th to January 10th for the holiday period. During those periods, requests can be submitted but they may not be reviewed. Please plan accordingly.
    • Assessment requests are meant to be made as early as possible in the acquisition process, preferably before agreement reviews and before RFPs or POs are issued. Assessments for new acquisitions should start at the “idea” stage of the project, well before project deadlines have been decided. Renewal reviews should be submitted at least 60 days in advance of the renewal date. The earlier requests for assessments are made, the easier it will be to avoid delays and service disruptions.
    • Assessment requests are primarily technical reviews of the IT Solutions, although they can trigger other reviews, such as Data Management Plans, Legal Reviews, and others.
    • Assessments need not preclude reviewing agreements or negotiations. Those actions may continue in parallel with the assessment process if Procurement deems it appropriate and beneficial to the overall process.
    • Some issues could require a full stop of any implementation action (e.g., a breach of the system, active threats to campus, etc.).

What is a Pre-Assessment?

First, there is a set of five Pre-Assessment qualifying questions. If any of the answers to these initial questions is yes, then the user must complete the Pre-Assessment questions and be vetted by the IT VM Review Committee.

  1. Is there a signature for a legal agreement required with the acquisition?
  2. Is there any university-owned data involved?
  3. Is the value/cost of the acquisition over $2,500?
  4. Is this an electronic resource used for instruction, information distribution, or communication? (Examples of information and communication technology include Web-based services, software applications, electronic documents, multimedia products, mobile devices, instructional systems, and information kiosks.)
  5. Will this be used for business or academic activities, the delivery of content, or the interaction with individuals for administrative, instructional, or informational purposes?

If the answers are all “No,” then the user/requestor can acquire the IT Solution and register it within 30 days of obtaining the solution.

If any one of the questions is “Yes,” then the user/requestor needs to proceed to answer the next five questions. Those five questions concern the Primary Assessment Areas and cover the following five areas: Function, Confirmation of an IT Solution Search, Funding / Legal Concerns, Data Usage Concerns, and Support Required.

These questions “trigger” the needed contact with each support area, initially with a brief overview of requirements and risk and, as the process continues, with a more detailed analysis (as needed) as details and options become clearer in the acquisition process.

What is the Acquisition Process?

The process is a nine-step process divided into three phases (Assess, Acquire, Register).


The IT Vendor Management policy chart, showing why the policy has been implemented.

It was designed with the following guiding principles:

  • Reduce delays
  • Share when possible
  • Assess before you buy
  • Acquire correctly
  • Register after you buy
  • Gift/grants are included
  • Search what we have
  • Performance and security matter
  • Review and sign properly

There is an Assessment Overview that details the steps and functions in the acquisition process. The chart is divided into three phases: Assess, Acquire, and Register. All current IT software and service solutions need to be registered.

The Assessment Overview details what needs to be completed, based on what is being procured (software, hardware or service).

General Guidelines

  • Users are required to use appropriate procurement methods to procure IT solutions. Those methods should promote better strategic decisions for Clemson.
  • Initial and renewal acquisitions may take 90 days or more (depending on negotiations of contract terms and conditions). Please consider this timeline when planning your projects. In order to minimize lead time, take the following steps:
    • Include CCIT in the evaluation committee (SME/advisor or voting member) for all RFPs for Information Technology Solutions.
    • As soon as contract terms are known, engage legal, security, or export controls as appropriate.
    • Begin renewal process 90 days or more before expiration of existing contracts.
    • If divesting of the IT solution, check the contract to ensure CU has means of terminating the contract and make sure Clemson University can meet the notification requirements. Some contracts require notification of termination far in advance of the renewal date.
    • Older agreements that are more than three years old may require a legal review depending on the type of agreement in question.
    • All renewed software and services should be reviewed for performance based on the previous terms of contract and using the recommended KPIs listed in this framework.
  • Gifts and Grants should be managed through the appropriate office (i.e. Advancement, Sponsored Programs). Supporting services and assistance should be taken into account before accepting gifts or receiving products or licenses.
  • Users are encouraged to share information with the appropriate offices when purchasing IT solutions for any level – individual, department, college, or institution. Clemson University’s direction is to reallocate software licenses whenever appropriate and use licenses to the benefit of Clemson University, regardless of the license funding.
  • Software must be procured through the University requisition system (buyWays) when possible and always registered in the CCIT/Purchasing-approved application that records basic information on the IT Solution purchased. All software and services purchased must be registered in the University’s IT Solution Registry by the solution's owner or user within 30 days of acquisition.
  • IT service agreements must be properly reviewed by the CU Legal and Procurement offices. Only the Chief Procurement Officer or Vice President level administrator can sign agreements on the behalf of the university.
  • A standard Procedure will be required when soliciting any IT Product. The Procedure will consist of a standard set of questions and will be periodically reviewed and updated as needed.
  • Software Registration information will include details related to Licensing, Vendor Management, and Measurements. The accompanying Procedure will review License information, key performance indicators (KPIs), and Security concerns through various methods, including user surveys, monitoring tools, and questionnaires.
  • Contractual performance audits will be performed in tandem with security compliance audits triggered by the applicable data governance policies.

Definitions

The following are some definitions used in this policy:

Accessible / Accessibility – refers to the ability for intended users, regardless of disability or special needs, to access, use and benefit from an IT Solution. Accessible IT Solutions comply with accessibility standards, enabling users with disabilities to fully participate.

Acquisition – the act of obtaining goods or services. For purposes of this policy, we are breaking down acquisitions into three different types: Gifts & Donations, Grants, and Procurements.

Agreement – a legal agreement between Clemson University and a vendor or supplier of a good or service. These are also referred to as Service Level Agreements (SLAs) or End User License Agreements (EULAs). This policy applies to external agreements for the following types of acquisitions. Review of an agreement must be done by the Clemson Office of General Counsel, headed by the University General Counsel.

Cloud Services – A cloud service is any resource that is provided over the Internet. The most common cloud service resources are “Software as a Service” (SaaS), “Platform as a Service” (PaaS) and “Infrastructure as a Service” (IaaS). Cloud services can be private (locally hosted), public (vendor hosted), and hybrid (mixture of both private and public hosted services.)

Local Software – software which is installed “locally” on an individual workstation. Data use is governed by the University’s Data Use Policy.

Private Cloud – cloud services which are locally hosted by Clemson University (e.g., VMware services). Clemson treats these services like local software.

Public Cloud – cloud services which are hosted by an external source or vendor (e.g., AWS, buyWays). These services are subject to additional legal and security checks for data use.

Hybrid Cloud – a mixture of both private and public hosted services. Clemson treats these services like Public Cloud services.

Export Controls – typically refers to regulations administered by several federal agencies, especially the Departments of State, Commerce, and Treasury, that implement federal laws put in place to protect national security and promote foreign policy.

FERPA (Family Educational Rights and Privacy Act of 1974) – federal legislation in the United States that protects the privacy of students’ personally identifiable information (PII). The act applies to all educational institutions that receive federal funds.

Gift or Donation – an item given to someone without the expectation of payment. Clemson’s protocol for receiving gifts is defined by the Clemson Advancement Office.

Grant – non-repayable funds or products disbursed by one party (grantmakers), often a government department, corporation, foundation or trust, to a recipient, often (but not always) a nonprofit entity, educational institution, business or an individual. In order to receive a grant, some form of “Grant Writing” often referred to as either a proposal or an application is required. Clemson’s protocol for accepting grants is defined by the Clemson Office of Sponsored Program under the VP of Research.

HIPAA – Acronym that stands for the Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other healthcare providers.

Infrastructure as a Service (IaaS) – a form of cloud computing that provides virtualized computing resources over the Internet. IaaS is one of three main categories of cloud computing services, alongside Software as a Service (SaaS) and Platform as a Service (PaaS).

IT Solution – a general term for any IT-related acquisition, whether it be software, hardware or service product.

IT Support Services – Services needed to support information technology at the University, including information technology acquired via gifts, grants, or procurements at the University. Services could include but are not limited to software deployment, user services, infrastructure and system administration, network engineering, telecommunication services, application development, hosting, and security services. These services are provided or evaluated by Clemson Computing and Information Technology (CCIT).

Personally Identifiable Information (PII) – any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

Platform as a service (PaaS) – a category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

Procurement – the act of obtaining goods or services, as governed by SC Procurement Code. This code is administered at the University by the Chief Procurement Officer.

Signature Authority – the right to sign for the University and agree to binding terms in written agreements. The University is limited in what kinds of agreements it can sign. The Chief Procurement Officer signs all procurement agreements. Other agreements must be signed at the Vice President / Dean level.

Software as a Service – (SaaS; pronounced /sæs/) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. It is sometimes referred to as “on-demand software”. SaaS is typically accessed by users using a thin client via a web browser.

Stakeholder – A person, group or organization that has interest or concern in the proposed acquisition.

Revisions

Version 1.02, January 31, 2018