App/Software, Cloud/Web Service Purchasing Guidelines

Guidelines for purchasing Applications or Software, as well as Cloud or Web Services for Use on University-Owned Devices

App/Software, Cloud/Web Service Purchasing Guidelines:

 

Any application or service with the intent of storing or using UW data must be reviewed and vetted by different University offices before receiving approval to purchase. This ensures that the software is safe to load on to University-owned devices; that it is secure enough to protect University-owned data; and that the terms and conditions agreed to by appropriate University staff are in compliance with University policies and State Statutes. L&S Business Office staff can help the department to follow up with the appropriate Campus offices.

These approvals are needed prior to using University funds to purchase software/apps/cloud services//web services.

1.     Provide a University Business reason, Institutional benefit to the University.

 

2.     Risk Review: Campus policy requires protection of university data and minimization of risk to that data. These requirements are found in the Cybersecurity Risk Management policy and the Institutional Data policy. Questions about risk reviews can be sent to Susan Weier at scweier@wisc.edu.

a.     The requestor should fill out the Risk Review Intake form at https://go.wisc.edu/zx8et7.

                                               i.     The intake form initiates a preliminary risk review. The form gathers information about the product or service, the intended usage, the type of data used, and the number and role of people using the product.

                                              ii.     The data may be shared with the Instructional Design Center staff if the product will be used for teaching and learning. Instructional tools typically incur more risk.  

b.     If the product or service is judged to be low risk, a statement describing the risk level is sent to the requestor and L&S Purchasing.

c.     If the product or service incurs moderate or high risk, it may be sent to the Office of Cybersecurity for a risk assessment. The risk assessment provides an estimate of risk and recommended methods to mitigate the risk. You can find more information about risk assessments at the Risk Management and Compliance website.

d.     The L&S Risk Executive, Dean Wilcots, must accept the risk as part of the purchase process.

 

 

 

 

3.     Instructional review: Is the Software/Apps/Cloud/Web service providing functionality that is already available through an existing software or service offering from a vendor with whom the UW already has a contractual relationship?

a.     Check the Campus Software Library for similar software:

b.     If the risk review intake form (above) is filled out for an instructional tool, the information will be shared with the consultants at the Instructional Design Center.

c.     Consult the staff at the Instructional Design Center at L&S Administration.

 

 

4.     Accessibility Review: The Digital Accessibility policy is expected to be approved and published sometime during Fall semester, 2021. At that time, an accessibility review may be required for certain products or services. The Center for User Experience conducts accessibility reviews on request.

Once the reviews have been completed, Purchasing Services needs to review Terms and Conditions of the vendor’s agreement to make sure they are in compliance with University policies and State Statutes. Most often, Purchasing has to negotiate some of Clauses of Terms and Conditions with the vendor. If an agreement or a contract is involved, it has to be reviewed and signed by Purchasing Services staff.

Purchasing Services can be reached at purch@bussvc.wisc.edu.

Other Items to Keep in Mind

 Approvals from Office of Cybersecurity, Purchasing Services and/or Legal Services needs to be attached to the purchase request.

      The purchase must be made by the Department.  Purchases made by individuals are considered a personal expense and are not payable/reimbursable.

      Apps/Software, Cloud/Web services needs to be loaded/used on a University owned equipment/device. Exceptions to this should be addressed through the risk review.