WSU Vancouver Purchasing and Information Security are working together to identify purchases containing sensitive or private data and to help departments best protect that data.
Purchasing process for WSU Vancouver
The process for purchasing software, cloud and hosting services, and data sharing services has changed due to Executive Policy 37, 8 and revised BPPM sections 70.24 and the forthcoming 70.25. The cost, or lack thereof, of these products is of no relevance to this discussion -- “free” products are included in these requirements. Please take the time and due diligence to read, understand, and follow this process -- departments will be held responsible and accountable. Below is the approach WSU Vancouver has taken in implementing this process.
Why? - Risk Assessment
- Security is a shared responsibility, especially when it comes to the University’s data and systems.
- This process is to help identify University data and make sure it is protected from mishandling and bad actors.
- Departments are responsible for their data and how they store and manipulate it. Departments will be held accountable and responsible if data is not properly secured and protected.
- WSU Vancouver IT and Purchasing are here to help, and work with you, in protecting all data.
Risk Review process for all software, cloud services, and data sharing agreements
- What you must do (for all new purchases and renewals):
- Some software titles have already been evaluated and do not need to go through the full Information Services (IS) Review process. They can be found at this link: pre-evaluated software. Print this web page showing the pre-evaluated/low-risk status of the specific software as documentation and go on to the purchasing section below. If the software is not on the list, continue through the following steps.
- All cloud or hosted services (e.g. Box, Dropbox, Amazon, Google Drive), as well as data sharing agreements and software not on the pre-approval list above, need to go through the risk assessment process -- no exceptions.
- To initiate an IS Risk Review:
- The email subject line should start with “IS Risk Review – ” followed by the item’s name and/or description.
- Provide as much detail as possible in the document.
- Fill out the “Vendor Questionnaire - Initial Risk Assessment Triage.docx”. Click the preceding link to download the form.
- Attach the completed version in an email to email@example.com.
What happens next? – The Review Process
- Upon receipt of the Evita ticket, it will be determined if a full IS Risk Review is necessary.
- WSU Vancouver Information Security will contact and work with you on the next steps.
Purchasing Process (after IT has come back with a determination of risk)
After you have the results of the assessment, you are free to purchase the product according to purchasing rules. Along with the purchasing documentation, you must include a copy of the IS Risk Review or a print of the web page noted above showing that this specific item has been screened and deemed low-risk by IT. If the assessment comes back as greater than low-risk, contact IT to discuss the options available. Prior to purchase, the WSU Vancouver unit director must approve and accept all risks, documented in writing (e.g. an email), for any product assessed as greater than low-risk.
All items must have a budget code using one of the following objects/sub-objects:
- 03FD - Computer Software Rental (Use for the purchase of software licenses).
- 03MJ - Purchased Computing Services (Use for the purchase of hosting, cloud, and data sharing services).
- 03SD - Computer Software – Small Purchases (Use for “smaller” purchases, generally under $1 million).
- 06EB - Computer Software (Use for capitalized products, generally costing more than $1 million and with a useful life of more than one year).
Required Purchasing Documentation
- Printed risk assessment documentation, as discussed above, must always be included with all purchase documentation, including K-order department copies sent to purchasing for expenditure authority signatures and filing, or with the purchase request documentation if the Purchasing Department will be placing the actual order.
- In addition, for P-Card Purchases: On the reconciliation report it must be noted “IT Reviewed/Low Risk” either under “Descriptions” or “Notes” or both, so that it prints on the report.
- In addition, for Contract Purchases or larger purchases using F-orders: A Departmental Requisition and a copy of a contract and/or quote/proposal must be sent to Purchasing (Mike Appel) for processing. Remember, only two people (Lynn Valenter and Mike Appel) on the WSU Vancouver campus have authority to sign a contract, including “click-thru” agreements online. Contact Purchasing for all contracts and never agree to them yourself!