NOTICE: Updated Purchasing Process - Software and Service

tech purchase

Are you planning to purchase technology software or services within the next year? To help you enjoy an efficient technology purchasing experience, we put together an overview of the NEW technology purchasing process for software and services.

We were required to change the technology purchasing process for software and services to meet updated state regulations. As a result, software or service purchases and renewals (i.e., websites, subscriptions, and desktop installations) take longer because we can no longer issue Technology Oversight Approvals (TOAs).

NOTE: Hardware TOAs can be purchased as usual. (THINK: external hard drives, microphones, headsets etc.)

Technology Purchasing Process
To begin your technology software or service purchase, submit a ticket through IT@Sam’s service request system, Cherwell. If you need assistance with this process, remember the IT@Sam Service Desk is happy to assist.

Step 1: Request Submission
To ensure your technology request progresses as quickly as possible, it is important to include the below information in your submission:

  1. Vendor name – The vendor’s official company name (e.g., Microsoft Corporation).
  2. Product name – List the full name of the software or service along with any applicable version numbers (e.g., Microsoft 365).
  3. Product website – Include the link to the website of the actual product you are requesting to purchase.
  4. Vendor contact information – If you are working with a specific contact at the company, list the following contact information:
    • Name
    • Email
    • Phone Number
  5. Software or service use – Explain how you plan to use the product and how it will benefit your work, department or SHSU. Additionally, state what data will be stored and if any integrations with existing SHSU systems are desired.
  6. Deadlines – Consider renewal and software implementation dates and list your targeted deadline. Requests should be submitted as early as possible as technology purchases are a multi-step process that depends on multiple variables (e.g., vendor cooperation, product assessment, etc.). Keep in mind, due to these variables, the targeted deadlines may have to be extended. Ideally, renewals should be submitted a minimum of two weeks in advance and software implementation requests should be submitted a minimum of one month in advance.
  7. Data classification – State the type of data that will be stored in the product or service (i.e., confidential, protected or public - Security Policy IT-06 can help with this).
  8. Data category – List all data categories that apply to the data used by the service. (i.e., Gramm Leach-Bliley Act, Payment Card Industry Data Security Standard, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act , Internal Revenue Service and Criminal Justice Information Services)

Step 2: IT@Sam Reviews Request
Once submitted, we will review your request. A purchasing waiver may be provided depending on the purchase type and your requested deadline.  This waiver is only available when you need to implement a software quickly and if you think the vendor will be compliant with state requirements. This waiver allows you to keep working with the vendor to purchase and implement the software or service while we work on the compliance review.  For all other cases, please continue to plan ahead and follow the IT@Sam purchasing process. 

It is important to note that if our review uncovers security or Americans with Disabilities Act (ADA) issues that do not meet the state requirements for the software to be used at SHSU, then we will work together to establish a plan to begin phasing out this software and working with you to implement an approved software.  

Step 3: Vendor Product Accessibility Template (VPAT) Request
After reviewing your technology request, we will submit a VPAT request to the vendor. This document is required to verify that the software or service is compliant with ADA accessibility standards. These requirements ensure all employees and students have access to the same information regardless of abilities.

NOTE: The timeframe in which we are able to move to the next step of the purchasing process is dependent on how long it takes the vendor to submit their VPAT to IT@Sam for review.

Step 4: Risk Assessment
Finally, the last step.

The IT@Sam Security Office will review the submission packet and vendor security information to ensure the software or service meets all state requirements and will not pose an information security risk to SHSU. The data classification and data categories listed in Step 1 are heavily considered in this assessment. 

At the end of this step, you will receive a notification if the software/service does or does not pass the risk assessment.  If it does not, then we will assist you with finding a new software that meets your needs.  

Purchasing Process Conclusion

As you can see above, this can be a long process dependent on multiple variables. It is important to submit your requests as early as possible to ensure you have plenty of time to purchase and implement your requested software or service by your targeted deadline. 

For additional questions regarding this technology purchasing process, contact the IT@Sam Service Desk.