V1201.01 Information Technology Procurement
Purpose
The purpose of this policy is to establish instiutional requirements and authority for the approval, acquisition, implementation, and use of information technology at Valley City State University (VCSU). This policy ensures that information technology used for institutional purposes is consistent with appplicable laws, State Board of Higher Education (SBHE) policies, North Dakota State University (NDUS) procedures, and other VCSU policies and VCSU standatds, and taht associated risks are appropriately reviewed, approved, documented and managed.
Scope
This policy applies to all VCSU employees and governs all information technology aqcuired, implemented, or used for instiutional purposes, regardless of funding source, including but not limited to purchased, licensed, subscribed, hosted, or "free" technologies and services.
Technology acquired and used by an individual employee is exempt from this policy provided it does NOT involve any of the following:
- requires VCSU acceptance of licensing, terms of service, or contractual obligations;
- storage, processing, or retrieval of private or restricted data;
- uses institutional funds to purchase;
- accesses institutional or NDUS data or systems;
- connects to VCSU data or communication networks;
- requires department of Technology Services assistance to deploy or use;
- creates a necessity for other employees to use or rely upon the technology;
- results in content published subject to V1203.01 Digital Accessibility requirements
Policy Requirements
All information technology acquired, implemented, or used for institutional purposes shall comply with applicable requirements established by law, North Dakota Attorney General's Office procedures and standards, SBHE policies, NDUS procedures, and VCSU polices, procedures, and standards, as identified in this policy. Compliance with these requirements is mandatory unless an exception is approved in accordance with this policy.
Approval Authority
-
Chief Information Officer Authority
The Chief Information Officer (CIO) is the institutional authority responsible for approving or denying information technology acquisitions, implementations, and uses governed by this policy. This authority applies regardless of funding source or procurement method.
-
Delegation
The CIO may delegate approval authority, establish conditions for approval, and impose limitations as appropriate to manage institutional risk.
-
Appeal Process
An employee is encouraged to first discuss concerns with their supervisor. Formal appeals of decisions of the Office of the CIO may be submitted to the Vice President for Business Affairs, whose decision is final.
Authority to Establish Procedures
In consultation with the Vice President for Business Affairs, the CIO is authorized to establish, maintain, and revice procedures, standards, forms, documentation requirements, and review processes necessary to implement and enforce this policy. Such procedures may address differing levels of risk, legal requirements, and operational impact in a proportional manner.
Exceptions and Risk Acceptance
Exceptions to the requirements of this policy may be granted by the Office of the CIO or their designee in consultation with the VCSU president based on documented risk acceptance during a procurement request process. Approve exceptions shall be subject to conditions and limitations determined during the review process and documented in accordance impact in a proportional manner.
Procurement Alignment
Information technology procurements shall follow institutionally approved procurement pathways established in coordination with other institutional procurement officials, the Vice President for Business Affairs, legal counsel, and other relevant offices. Required reviews, documentation, and assessments shall be communsurate with the level of risk, regulatory obligations, and institutuional impact associated with the technology.
Enforcement
-
Unathorized Technology
Information technology acquired or used without required approval may be disabled, removed, or otherwise restricted.
-
Institutional Responsibility
Contracts, licenses, or agreements entered into without appropriate approval are not binding on VCSU, and responsibility for associated obligations may be assigned to the originating unit.
Related Laws, Policies, and Procedures
This policy is intended to operate in conjunction with, and does not replace, applicable external and internal requirements, including but not limited to:
- North Dakota Century Code, including 32-12.2-15
- North Dakota Attorney General’s Office Contract Drafting Manual
- SBHE policies including SBHE 503.2 Student Data Privacy and Security Bill of Rights; SBHE 802.7 Identity Theft Prevention; SBHE 803.1 Purchasing; SBHE 804 Equipment and Personal Property Leases; SBHE 807.1 Mobile Devices; Restrictions on Use of State Phones; SBHE 840 Contract Review; SBHE 1200 Consolidated IT Services; SBHE 1201.0 Information Technology Planning, Reporting, and Project Management; SBHE 1202.1 Acceptable Use of Information Technology Resources Policy; SBHE 1203.1 Digital Accessibility; SBHE 1206.1 Data Management – Standardization of the Enterprise Data Lifecycle; and SBHE 1208.1 Emerging Technology.
- NDUS procedures including NDUS 803.1 Purchasing; NDUS 803.2 Collaborative and Cooperative Procurements; NDUS 840 Contracting; NDUS 1200.1 Consolidated IT Services; NDUS 1201.1 IT Planning and Reporting; NDUS 1201.2 IT Project Management; NDUS 1203.1 Digital Accessibility; NDUS 1203.7 Data Classification and Information Security Standard; and NDUS 1208.1 Emerging Technology.
- VCSU policies including V803 Purchasing and Inventory Procedures; V840 Contract Review; V1203.01 Digital Accessibility; V1202.03 Artificial Intelligence; and V1221.01 Digital Signage.
Sponsor: Chief Information Officer
Effective: May 2014
Revised: December 2015
Revised: November 2019
Revised & renumbered (formerly V1901.03) December 2021
Revised: April 2026