This VCSU procedure seeks to facilitate compliance with the following mandates:
• NDUS Procedure 1901.3 “Information Technology Approval Process” sets forth several procedures for technology acquisitions and it requires all institutions to “develop institutional guidelines for IT acquisitions and approvals consistent with good business practices to ensure proper stewardship of state resources.”
• NDUS Procedure 840 “Contracts” requires VCSU to adopt procedures to ensure contracts are reviewed and approved prior to execution. Notably, NDUS Procedure 840 allows that purchase of software costing less than $2,500 does not require legal counsel review and approval, provided other requirements pursuant to the procedure are met.
• North Dakota Century Code, chapter 51-30 sets forth criteria for data breach reporting. These statutes are taken into account in this policy when establishing the limit of information that may be exposed within a software environment that has not had VCSU Chief Information Officer (CIO) approval.
• NDUS Procedure 1203.7 “Data Classification and IT Security Standard” establishes standards for securing and managing data and it contains a classification of common data elements.
• To ensure technology acquired under this policy meets the requirements of SBHE Policy 1203.1 “Digital Accessibility”. Furthermore, this policy authorizes the institutional CIO to grant exceptions to compliance with the World Wide Web Standards defined in the Federal Rehabilitation Act Section 508.
If one or more of the seven criteria below apply, users shall obtain the written approval of the VCSU CIO or their designee prior to making a technology related acquisition or using a service that requires acceptance of a use or license agreement.
1. The project meets one of the stated criteria, and must therefore comply with, NDUS Procedure 1901.3.
2. SBHE Policy 1203.1 “Digital Accessibility” applies AND compliance with subdivision (b) is impossible or would impose an undue financial or administrative burden. Subdivision (b) states, “All new or revised website, web services, and web applications published, hosted or otherwise provided by NDUS or its institutions must be in compliance with the World Wide Web standard defined in the Federal Rehabilitation Act Section 508.” In addition, SBHE Policy 1203.1 requirements shall apply to all software at VCSU.
3. The technology will require VCSU Technology Services support in any way.
4. Any device connecting to the VCSU campus wired or wireless Local Area Network, e.g. PDA, computer, networked printer, telephone, fax machine, copiers, etc. This does NOT apply to peripherals such as a keyboard, external computer monitor, USB inkjet printer, or other device that does not connect directly to the campus Local Area Network.
5. Information technology hardware or services (not including software, websites, web services, or web applications) costing $10,000 or more.
6. Software, websites, web services, or web applications costing $2,500 or more.
7. Software, websites, web services, or web applications costing less than $2,500, including freeware, UNLESS ALL of the following requirements are met:
a. Confidential information and data classified as Restricted or Private per NDUS Procedure 1203.7 is not shared, entered or stored in any way;
b. Use will not result in the appearance of the institution or NDUS system office on social media;
c. The software, website, web service, or web application will not be advertised to the general public or hyperlinked from VCSU public web pages.
d. The software, website, web service, or web application and its use complies with the SBHE, NDUS, and VCSU computer and network use policies and procedures;
e. That in the case of freeware, the employee’s supervisor or other authorized employee has reviewed the terms and conditions of the contract documents and has approved the software; and that in the case of purchased software, the authorized employee has reviewed the terms and conditions of the contract documents and confirms that the department for which the software is being purchased agrees to assume responsibility for liabilities that may arise from agreement with the terms and conditions; and
f. The software, website, web service, or web application is in compliance with the World Wide Web standards defined in the Federal Rehabilitation Act Section 508. If items a-e in this section are met and compliance with SBHE 1203.1 subdivision (b) is impossible or would impose an undue financial or administrative burden, document the reasons why and submit a request for an exception to the CIO. For example: “The developer has not completed a Section 508 compliance audit for this web service and we are not aware of a similar product that is Section 508 compliant. Performing a Section 508 compliance audit on our own for this web service is cost prohibitive for our department and would far outweigh the cost of the web service itself. Upon specific request, accommodations shall be made for any individual needing access to the web service, by revision or otherwise.”
Supervisors with budget approval authority, are authorized to approve software meeting all the requirements listed above in section 7. The CIO may require specific forms for this process.
Making an Acquisition Request
If NDUS Procedure 1901.3 applies, the request will be in the format prescribed by that procedure.
If NDUS Procedure 1901.3 does not apply or if all requirements in section 7 above are not met, an electronic request shall be sent to the VCSU CIO to include the following information, if applicable:
1. An electronic copy of the Use or License agreement and the Privacy Statement.
2. If SBHE Policy 1203.1 “Digital Accessibility” applies, include a Section 508 compliance audit or test result with the request. If a Section 508 compliance audit or test result is not available, this should be noted along with your efforts to identify competing products and their associated Section 508 compliance audits or tests. If compliance with subdivision (b) is impossible or would impose an undue financial or administrative burden, explain with specificity the reasons why. For example: “After reviewing software X, Y and Z as possible solutions, no vendor has completed a Section 508 compliance audit and they are unwilling to do so at this time. Performing a Section 508 compliance audit on our own for these software options is cost prohibitive for our department and would far outweigh the cost of the software itself.”
3. Define the scope of technology deployment: a) Who will use the technology; b) Settings the technology will be used in; c) If applicable, what private or restricted data per NDUS Procedure 1203.7 (if any) will be exposed within the software/web site/system; d) If applicable, include instructor name, academic class name, class section, and state whether student assignments (private data) will [not] be stored in the system. You may also include a rationale for why the technology is needed. For example: “the digital web service called Mix-it-Up produced by ChemDesigner will be used in all sections of Chemistry 100 taught by Smith, Thinker, and Hoover. Assignments will be submitted by students for faculty review within the Mix-it-up service and that is the extent of private data stored in the system. Grades of assignments will be posted in VCSU Blackboard and will not be posted in the digital web service.”
4. All information normally associated with a Purchase Order, including assurance of available funding from a supervisor with budget authorization authority.
Sponsor: Chief Information Officer
Effective: May 2014
Revised: December 2015
Revised: November 2019