Technology Acquisition and Purchasing Policy

Purpose 

This policy outlines the requirements for review & approval of all technology acquisitions at SUNY New Paltz. This policy is meant to ensure that all technologies operate effectively within the University's IT environment, meet University and SUNY security standards, legal and regulatory requirements, and establish clear expectations for the schedule of implementation, support, maintenance, network connectivity, and life cycle replacement. 

Information Technology Services staff are here to assist departments in reviewing their technology needs, participating in the selection of an appropriate solution, and ensuring that technology solutions are successfully implemented. 

This is meant to supplement, not replace, existing purchasing and procurement requirements of the State of New York, the State University of New York, SUNY New Paltz, or its departments. 

 

Scope 

This applies to all technology acquisitions (including, but not limited to, hardware, software, and cloud or externally hosted systems and services) by SUNY New Paltz (whether through the Purchasing office, via procurement cards, IFR accounts, or CAS agency account funding). It also includes purchases made through (or using funding from) the Research Foundation and the SUNY New Paltz Foundation. This includes zero-dollar acquisitions (provided for free) if they involve sensitive data (as defined in the Confidential Information Policy) or require ITS (Information Technology Services) support. 

Technology hardware includes but is not limited to: desktop and laptop computers, smartphones, tablets, printers, any device placed on the network (wireless or wired), and any device for credit/debit card processing. 

Software includes, but is not limited to, any software application that is installed on SUNY New Paltz desktops, laptops, or servers, or hosted off-premises in a SaaS (Software-as-a-Service) or cloud environment. 

The following are explicitly exempt from this policy: electronic media (flash memory, USB drives, CDs/DVDs), printer supplies (ink, toner, etc.), cables (network, USB, phone), and external input devices (mice and keyboards). 


Policy and Procedures 

Technology purchases via procurement cards (aside from those items listed as exempt in the Scope section) are explicitly prohibited. Exceptions to this can only be made via written approval by the director or assistant director of Procurement. 

New hardware or software for use in faculty/staff offices 

Requests for new desktop and laptop computers, printers, and any software to be installed on computers in faculty or staff offices should be made through our Desktop Support group. Requests can be made via the Office Technology Request page at the ITS site. Departments should review the University Owned Computing Device Policy, specifically the Issuing Department Responsibilities section. If you are unsure what hardware or software will best meet your needs, use the same form to schedule a consultation.

Departmental/Enterprise/Cloud/SaaS Software Purchases 

Information Technology Services must be included in any review of departmental, enterprise, cloud, or SaaS (Software-as-a-Service) purchases or contracts, to ensure security and support standards, interfaces with other technologies, licensing compliance, and legal/regulatory/policy compliance. Any such purchase or contract requires approval from the Chief Information Officer (CIO) or their designee. The Purchasing department shall not process purchase orders for departmental, enterprise, cloud, or SaaS purchases without this approval.

Information Technology Services will meet with the acquiring department before purchase. ITS may also need to correspond or meet (virtually or on-site) with the vendor to determine how the system will work, what internal IT resources are needed, and to evaluate the security of the system. ITS will also evaluate whether the system meets any legal/regulatory/policy requirements, including those with regard to accessibility.

Information Technology Services will respond to any acquisition requests within three business days. Requests for purchase or consultation should be made via www.newpaltz.edu/techacquisition.

If ITS is not consulted beforehand, Purchasing will contact ITS for feedback after a purchase requisition is submitted to them.

The vendor for any externally or cloud-hosted system that deals with user data must complete the HECVAT (Higher Education Community Assessment Toolkit) or provide a recent SOC 2 Type 2 audit report. The HECVAT version, full or lite, depends on whether the service will be storing sensitive data as defined by the Confidential Information Policy.

The application will need to have a VPAT (Voluntary Product Accessibility Template) completed. If a VPAT is unavailable or non-compliant, an exception may be sought. OIT (Office of Instructional Technology) will review any such requests. 

For requirements regarding SSO (Single Sign-On) see the “Requirements for internal and external services” section of the “Password and Authentication Policy”.