IT Non-Standard Resource Procurement Review Process

Summary

This article documents the non-standard IT resource procurement review process.

Body

If it is not possible to purchase and utilize an IT resource from the pre-approved list, and the IT resource meets any of the criteria below, the purchase must be vetted by OIT to determine total cost of ownership, including verifying functionality, integration, support, environmental, computing, security, and legal requirements.

  • OIT assistance will be required to build, install or implement hardware or software.
  • The resource will utilize the University network.
  • The resource will be installed in any UAH data center.
  • Software or hardware will require campus credentials (Active Directory or Single Sign On) for authentication.
  • Software or hardware will be generally made available to students and/or employees.
  • Software will use and/or store data other than data classified as Public in accordance with the UAH Protection of Data Policy.
  • Cloud services (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS)).
  • Integration with other campus systems is required.
  • Ongoing support from IT is expected.
  • Any product with integrated Artificial Intelligence (A.I.) components.

OIT will make every reasonable effort to support non-standardized IT resources; however, because of fiscal and staffing constraints, this support may be limited.

Requests will be evaluated against cybersecurity and operational requirements as required.

If the resource does not meet any of the above criteria, OIT review is not required.

IT Resource Procurement Review Process

IT resources will be reviewed, at minimum, in the following areas to determine total cost of ownership and integration with existing IT resources and infrastructure:

  • Functionality: The business need will be compared to the capabilities of currently supported IT resources to determine if the need can be met through current resources. If it cannot, then a selection process will be performed to determine the best product for the required function.
  • Integration: Whenever possible, new products shall integrate with core functionality, including, but not limited to, Trusted Identity Management System and Banner.
  • Support Requirements: Network, staff, storage, and monetary support requirements will be reviewed to verify that UAH will be able to support the IT resource. This support may include custom code development that will require time to plan, produce, and maintain.
  • Environmental Requirements: Review of the environmental requirements will include space, cooling, power, and physical security considerations.
  • Computing Requirements: Processing, memory, and storage requirements will be evaluated.
  • Security Requirements: IT resources will be reviewed to verify that the solution is secure in communications, authentication, and storage of data. This includes verifying that the solution is compliant with all UAH policies and applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), International Traffic in Arms Regulations (ITAR), and Export Administration Regulations (EAR). Vendors may be required to go through an appropriate evaluation process.
  • Legal Requirements: Any IT resources that require a contract must be reviewed by the Office of Counsel.
  • Disaster Recovery Requirements: IT resources will be reviewed to determine criticality and redundancy requirements.

Cloud Services Procurement Review Process

In addition to the requirements for reviewing local IT resources, the following considerations must be evaluated when procuring cloud services:

  • Application Programming Interface (API): APIs will be reviewed to evaluate the ability to automate tasks to interface with the cloud service. This could include user account management and data transfers from UAH systems.
  • Ability to Retrieve Data: The ability to retrieve data upon termination of the contract with the cloud service will be evaluated.
  • Uptime Requirements: The cloud service uptime shall be evaluated against the required uptime of the service. This may include times that the cloud service will be unavailable due to software updates.
  • Connectivity Requirements: The connectivity requirements will be reviewed to validate that current Internet or Internet2 connections are sufficient to support the cloud service.
  • Data Center Requirements: The cloud service’s data center options will be reviewed to verify compliance with all regulations and best security practices. This may include, but not be limited to, data center locations, personnel with access, encryption technologies, and audit logging, backup, and disaster recovery capabilities.
  • Security Requirements: The security requirements may be different for cloud-based IT resources, and vendors may be required to go through an appropriate evaluation process.

Details

Article ID: 166190
Created: Thu 3/6/25 1:33 PM
Modified: Thu 2/19/26 1:19 PM