Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Asset and Acquisition Management
IN PLAIN LANGUAGE
Before purchasing any technology — hardware, software, cloud services, or even free tools — departments must go through an IT review process first. This standard ensures that anything connected to University networks or systems is technically compatible, supportable, and evaluated for security risks before money is spent or contracts are signed. This applies regardless of cost or funding source, including grant-funded or zero-cost solutions. The review process doesn't replace the University's formal procurement rules — it works alongside them to make sure IT purchases are a good fit and don't introduce unnecessary risk.
1. Purpose
The purpose of this Standard is to establish consistent, operational requirements for the acquisition of information technology hardware, software, and services by the University of Montana. As a public institution and State of Montana entity, the University must ensure that IT procurements support institutional missions, comply with applicable laws and policies, and are evaluated for operational, security, and support impacts prior to purchase.
This Standard defines how IT procurement activities integrate with operational review, information security, risk management, and vendor assessment processes, without duplicating formal procurement or contracting procedures governed elsewhere.
2. Scope
This Standard applies to:
- IT hardware, software, peripherals, and services acquired by the University of Montana System
- Purchases that connect to University networks, integrate with University systems, or require IT support
- Cloud-based or externally hosted systems, software, and services
- Zero-dollar, freemium, trial, or grant-funded IT solutions used for University business
This Standard applies regardless of funding source, acquisition method, or campus location. It does not replace State of Montana procurement law, University procurement policy, or contracting authority.
3. Definitions
IT Assets — Information technology assets include hardware, software, and services that process, store, transmit, or support digital University Data or University business operations.
Cloud-Based or Externally Hosted Services — Software applications or services hosted outside University-managed data centers, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
4. Procurement Principles
IT procurement activities must adhere to the following principles:
Operational Fit — Solutions must align with University operational, academic, and research needs.
Supportability — Solutions must be supportable by UM IT, UM System IT, or approved vendors.
Interoperability — Solutions must integrate appropriately with existing University systems.
Security and Risk Awareness — Solutions must undergo appropriate security and risk review.
Stewardship of Public Resources — Purchases must reflect responsible use of State resources.
5. Required IT Review Prior to Purchase
5.1 General Requirement
Prior to initiating procurement or vendor engagement, IT-related acquisitions must undergo appropriate review by UM IT, UM System IT, or Distributed IT, as applicable, to assess:
- Technical compatibility and interoperability
- Support and maintenance requirements
- Licensing and lifecycle considerations
- Security and risk implications
5.2 Hardware Acquisitions
Review is required for:
- Hardware that connects to University networks
- Endpoints, servers, network equipment, and specialty devices with computing capability
Low-cost, single-user peripherals (e.g., keyboards, mice, monitors) may be exempt from pre-review unless otherwise specified.
5.3 Software and Application Acquisitions
Review is required for:
- Software installed on multiple devices
- Software that integrates with University systems (e.g., identity, ERP, learning platforms)
- Departmental or enterprise applications
This includes fee-based and zero-cost software.
5.4 Cloud-Based and Externally Hosted Services
All cloud-based or externally hosted services must be reviewed prior to acquisition to assess:
- Data handling and storage
- Security and privacy considerations
- Vendor support and contractual terms
Cloud services are subject to the Cloud Computing Security Standard and Vendor Risk Management Standard.
6. Relationship to Vendor Risk Management
- IT procurements involving third-party vendors must follow the Vendor Risk Management Standard
- Security and risk assessments must be completed prior to contract execution or service use
- Procurement activities must account for assessment outcomes and approval conditions
7. Post-Approval and Procurement Execution
Following IT and security review:
- Procurement must proceed in accordance with State of Montana and University procurement requirements
- Competitive bidding, RFPs, or other processes may be required based on purchase value and scope
- Approved solutions must be acquired through authorized procurement channels
8. Asset Management Integration
- Procured IT assets and services must be recorded in accordance with the IT Asset Management Standard
- Ownership and custodianship must be assigned prior to production use
9. Exceptions
Exceptions to this Standard must:
- Be documented with justification
- Identify compensating controls or operational mitigations
- Be approved by the CISO or designee
- Be reviewed periodically
10. Enforcement
Failure to comply with this Standard may result in:
- Requests for corrective action or retroactive review
- Delays or suspension of procurement activities
- Administrative action consistent with University and State policy
11. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in State requirements, University operations, technology, or risk posture.
12. References
- UM Information Security Policy
- UM IT Asset Management Standard
- UM Cloud Computing Security Standard
- UM Vendor Risk Management Standard
- UM IT Data Security Standard
- UM IT Data Disposal & Media Sanitization Standard
- State of Montana Procurement Laws and Rules