Information Technology (IT) Procurement Policy
What is it?
This new policy ensures that the procurement of IT hardware, software, and services follows established UNCG policies, standards, and guidelines and is centrally managed and approved by ITS prior to technology-related acquisitions or agreements.
Why are we doing it?
The recently completed FY 2021–FY 2022 Office of State Auditor’s General IT Controls Audit specifically requires UNCG to “establish central authority and structure that would enable development and implementation of a comprehensive IT governance” program for distributed IT. This requirement will govern centrally managed technology asset management, critical vulnerabilities remediation, software patching, and protection/monitoring/remediation/disposal of sensitive data.
The requirements in this policy are designed to mitigate some of the many risks associated with inadequate hardware and software inventory within ITS and distributed technology across the University. By centralizing IT procurement, the University prepares for future audit requirements that require comprehensive inventory of all technology assets that store, use, share, archive, or display University data. Lastly, centralizing IT procurement promotes the accurate registry of data classification and contractual documentation of IT-related services.
How will I be impacted?
Per FY 2021–FY 2022 Office of State Auditor’s General IT Controls Audit mandates, the requirements in this policy impact processes and procedures across the University. The policy requires faculty and staff to embrace ITS governance and oversight of technology asset management, critical vulnerabilities remediation, software patching, as well as the protection, monitoring, remediation, and disposal of sensitive data. Additionally…
- All procurement of IT software, hardware, and services will require ITS authorization and approval.
- IT asset inventory must be submitted to ITS, must indicate data classification, and will require annual updates.
- IT Terms & Conditions, Business Associate Agreements (BAA), Service Level Agreements (SLA), and Memorandums of Understanding (MOU) must be submitted to the Procurement Office and will require annual updates.
- IT assets classified as High Risk or Moderate Risk or costing above $5k will require a Security Posture and Risk Assessment before purchase.
What do I need to do?
Review and become familiar with the new purchasing and inventory asset procedures. Keep information about asset inventory and data classifications current. Submit Terms & Conditions documents, BAAs, SLAs, and MOUs to the Procurement Office as described above.
When will this be implemented?
This new policy is expected to be implemented by October 1, 2022.
Major Milestones
Establishment of the new CHiP Purchase Portal
Creation of new and modified pre-purchase review forms in ServiceNow
Establishment of asset tracking for assets purchased prior to policy implementation
Implementation of DTS/DTC new work plans
Stay Up-To-Date
Subscribe to ITS News.
SEND US YOUR QUESTIONS
Help us make the FAQs better, more informative.
Data Classification Policy
What is it?
This revised policy serves as a foundation for the University’s information security policies and is consistent with the University’s data management and records management standards. The policy outlines the responsibilities required for securing data resources from risks associated with unauthorized destruction, modification, disclosure, access, use, and removal.
Why are we doing it?
In response to the FY 2021–FY 2022 Office of State Auditor’s General IT Controls Audit, ITS is implementing several corrective actions that rely on this revised Data Classification Policy. The revisions are not extensive. However, updated content within the policy provides improved consistency and understanding for the campus community.
Revising this policy ensures the security of sensitive data. Additionally, proper data classification makes protecting non-sensitive data more efficient and less costly.
How will I be impacted?
This policy does not require much change in your work. However, the primary changes include updated naming conventions for each data classification level, updated roles and definitions, and dedicated mention of classifying research data.
What do I need to do?
Read the revised policy to fully understand what is required to secure data from risks associated with unauthorized destruction, modification, disclosure, access, use, and removal.
When will this be implemented?
This policy revision is expected to be implemented by October 1, 2022.
Major Milestones
Release of a new data classification reference chart
Data Governance Structure Policy
What is it?
This new policy makes strategic decisions regarding the University’s data and information assets. The bodies of data governance are charged with defining policies, standards, procedures, and guidelines, as well as developing and maintaining metadata and data quality programs that impact all users of institutional data and information assets. This policy also defines how data governance will be practiced at the University, the various committees, and their associated roles and responsibilities.
Why are we doing it?
Establishing data governance committees creates a central organization to oversee University data-management activities in both the IT and business sides of UNCG and reduces risk. Codifying the structure is the first step in embedding data governance in the University’s day-to-day operations and ensuring everyone at all levels understands how our data is governed.
This policy is the starting point for a program that will…
- make uniform the ways in which the University interacts with data;
- formalize processes for requesting data or data-related process changes; and
- clearly define university-wide business terms.
Instituting uniformity in how we control our data gives everyone a common understanding of our assets and improves our ability to validate the information we report.
How will I be impacted?
The impact of this policy is enterprise-wide, but will be particularly critical to those areas of the University that regularly consume data and report information.
What do I need to do?
Comply with the controls and structures provided by the policy.
When will this be implemented?
This new policy is expected to be implemented by October 1, 2022.
Major Milestones
Establishment of structure for data governance committees
Collection and maintenance of metadata