GW SON IT Software Acquisition Process

Policy Statement 

This process establishes the required actions set forth by the George Washington University (hereinafter, “GW” or “the University”) School of Nursing (“Nursing” or “SON”) for the acquisition of new Technology Assets (information technology (IT) software and hardware). New Technology Assets can be understood within this context as any Technology Asset not listed in the SON Hardware and Software Portfolio.

All new Technology Assets at The George Washington University School of Nursing must be acquired as outlined in this process. Not doing so may result in unacceptable security, privacy, or financial consequences to the school.

This process provides a framework for Authorized Users to apply when evaluating specific circumstances. It supplements, and is subordinate to, university policy.

Reason for Policy

The acquisition of new Technology Assets can result in a number of benefits; however, procurement of these assets can also create risk. More specifically, new Technology Assets may:

  • Expose University Information (including Non-Public Information) to third parties
  • Create additional legal obligations for the University or school (terms of use, End User License Agreements, Master Services Contracts, etc.)
  • Be duplicative, non-supportable, or not in conformity with overall IT strategy

This process ensures that the contractual implications of agreements, terms of use, or other related documents, as well as the data security of the asset, are fully understood before purchase. It also provides business controls to ensure the proposed acquisition fits within the school’s portfolio.

Who is Governed by this Policy 

This process applies to all George Washington University School of Nursing Authorized Users of university-owned and issued Technology Assets. For this standard, Technology Assets include information technology hardware or software that is used in the acquisition, processing, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or disposal of data.

Policy

SON Hardware and Software Portfolio

Technology Assets listed on the SON Hardware and Software Portfolio have been pre-reviewed from a contractual and security perspective and are often approved for a specific information classification threshold.

The SON Hardware and Software Portfolio can be found at: [SON HARDWARE AND SOFTWARE PORTFOLIO HERE].

SON IT OPS is responsible for hardware and software procurement (purchasing), as well as ensuring the required reviews are conducted for all Technology Assets regardless of department. Departments are responsible for tracking Technology Assets listed under their applicable unit and may be responsible for provisioning, administering, and supporting these assets.

Hardware and Software Requests

All acquisitions of software or hardware not listed in the SON Hardware and Software Portfolio should be directed to SON IT OPS (son_it_opsatgwu [dot] edu) as far in advance as possible. SON IT OPS will serve as the primary point of contact to business owners for all steps in this process.

SON IT OPS will provide the requester with a Hardware Acquisition Form or Software Acquisition Form, as applicable, in order to efficiently obtain details concerning the planned use of the asset. Upon receipt of the form, a Contract Review and a Security Review will be initiated.

Contract Review 

All software or hardware assets are required to undergo a Contract Review when agreements, contracts, or terms of use are:

  1. Initially presented as part of a new purchase
  2. Amended, revised, or updated by the vendor

Notes:

  1. A contract review is not necessary when a purchase does not have any associated terms, conditions, contracts, or other agreements.
  2. Trials for hardware and software are not exempt from review when associated terms, conditions, contracts, or other agreements require signature.

Coordination

SON IT OPS will coordinate with SON Finance to assess the software or hardware from a contractual, legal, and financial perspective. SON Finance will work with the following departments:

  1. The Office of the General Counsel (OGC)
  2. Risk and Compliance Office
  3. Service and Contract Management Office (part of DIT)
  4. Privacy Office (part of the Office of Ethics, Compliance, and Privacy)

SON Finance may consult with other entities as needed.

Authority

SON Finance is responsible for initially determining if a contract review is necessary and for assisting The Office of the General Counsel, Risk and Compliance Office, Service and Contract Management Office, and the Privacy Office in their assessment should one be required.

The Office of the General Counsel, Risk and Compliance Office, Service and Contract Management Office, and the Privacy Office are responsible for providing guidance and direction for topics under their respective expertise. Each office will clearly accept or reject the contractual, legal, and financial documentation associated with the software or hardware acquisition.

Timeline

Contract Reviews can take upwards of four weeks to complete. Please allow adequate time for the reviews to be conducted.

Security Review

All hardware is required to undergo a Security Review when:

  1. Storing, manipulating, switching, controlling, or managing University Data

All software is required to undergo a Security Review when:

  1. The application is installed outside of a single approved university laptop/desktop; or
  2. University Data (including Public Information, Restricted Information, and Regulated Information) will be stored, processed, or transmitted outside of the University (this includes the use of “cloud” enabled devices/services, web applications, network storage, and other third-party platforms); or
  3. The application was granted an ATO (authority to operate) by GW Information Security and Compliance Services, but the ATO has expired or is otherwise no longer valid

Notes:

  1. Trials for hardware and software are not exempt from review when Non-Public Information is being utilized.

Coordination

SON IT OPS will serve as the primary point of contact for requesters in assessing the software from an IT security perspective and will coordinate with the following departments:

  1. Information Security and Compliance Services (part of DIT)

Authority

SON IT OPS is responsible for initially determining if a Security Review is necessary and assisting Information Security and Compliance Services in their assessment should one be required.

GW Information Security and Compliance Services is responsible for providing guidance and direction for topics under their expertise. GW ISCS will clearly accept or reject the software or hardware acquisition for use at SON. Security reviews which are deemed necessary and result in approval by GW ISCS are typically granted an Authority to Operate (ATO). ATOs are issued for three-year periods, after which they require renewal.

Timeline

Security Reviews can take upwards of three months to complete. Please allow adequate time for the reviews to be conducted.

Exceptions

In non-standard cases, departures from this process may be made if they are in the best interest of the School of Nursing and/or the university as a whole.

Security Review Exception

The SON Director of Operations may, at his or her discretion, overrule Security Review decisions made by GW ISCS, if the risk presented is found by GW ISCS to be low or medium. In doing so, the Director of Operations accepts risk on behalf of the School of Nursing. The signing of a Third Party Risk Acceptance Form prepared by GW ISCS will be required.

The SON Dean may, at his or her discretion, overrule Security Review decisions made by GW ISCS, if the risk presented is found by GW ISCS to be low, medium, or high. In doing so, the Dean accepts risk on behalf of the School of Nursing. The signing of a Third Party Risk Acceptance Form prepared by GW ISCS will be required.

Contract Review Exception

The SON Director of Finance may, at his or her discretion, overrule Contract Review decisions made by The Office of the General Counsel, Risk and Compliance Office, Service and Contract Management Office, or Privacy Office. The SON Director of Finance can also negate the requirement to conduct a Contract Review altogether. In doing either, the Director of Finance accepts risk on behalf of the School of Nursing. The signing of a Third Party Risk Acceptance Form will not be required.

Operational Necessity

In exigent circumstances where business-critical Technology Assets must be acquired within a timeframe which does not allow for a required Security Review or Contract Review to take place, the School of Nursing Director of Operations may exercise an option to allow the acquisition to proceed in parallel with the required reviews. In doing so, the Director of Operations accepts risk on behalf of the School of Nursing. The signing of a Third Party Risk Acceptance Document will not be required.

Client-side Only Exception

Software confirmed to be installed locally on an endpoint (laptop or desktop computer), and with which data is stored, processed, and transacted exclusively on the machine itself, does not typically require a Security Review.* Contract Review is still required as outlined.

*Client-side Only Software does not transmit university data to any third party, cloud component, web application, or other entity outside of the endpoint itself. Client-side Only Software may require review under some circumstances, such as when application use will be widespread, or when Regulated Information will be handled. Confirmation that the software is client-side only should be obtained directly from the vendor in question.

Software Upgrade or Add-on Exception

Provided a Security Review was completed for the initial acquisition of the given product and the planned use of the software by the user base has not materially changed, the following does not typically require a Security Review:

  • Upgrade to a new version of the same product
  • “Add-on” or increase in features to the same product

Acquire

When all applicable reviews have been completed, SON IT OPS will notify the requester via email of acceptance or rejection.

Acceptance

In instances where the Contract Review and Security Review result in acceptance, SON IT OPS will add the Technology Asset to the SON Hardware and Software Portfolio to indicate the asset has undergone the required reviews and is approved for use at the school.

SON IT OPS will be solely responsible for the purchasing of any Technology Assets and will work with the requester to expense the purchase according to business requirements. Technology Assets should not be purchased outside of SON IT OPS by any other individual or department.

Rejection

In instances where the Contract Review and Security Review result in rejection, the Technology Asset cannot be acquired or used at SON.

Note:
SON IT OPS may also reject requests for Technology Assets, remove Technology Assets from the portfolio, or otherwise prohibit the use of software or hardware at any point if it determines the asset is duplicative, non-supportable, or not in conformity with the overall IT strategies of the school.

Technology Assets that are rejected or removed from the SON Hardware and Software Portfolio cannot be acquired or utilized.

Definitions

Non-Public Information: Information that may only be disclosed to individuals outside the university in specific situations with appropriate technical safeguards and may include but is not limited to information that fits into one of the following categories: Regulated Information, Restricted Information.

  • Regulated Information: Information that is protected by local, national, or international statute or regulation mandating certain restrictions. For example, student academic and financial records are regulated by the Family Educational Rights and Privacy Act (FERPA) and certain personal health information is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Other forms of Regulated Information include social security numbers, export controlled data and information (excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the EAR), and credit card information.

  • Restricted Information: Information that must be limited to appropriate university faculty, staff, students, or other Authorized Users with a valid business need. This information must be protected from unauthorized access, use, or disclosure due to university policies, contract, or designation, or due to proprietary or privacy considerations. Examples of Restricted Information include payroll and tax information, performance appraisals, and internal directory information.

Public Information: Information with no restrictions on access, use, or disclosure under university policy, or contract, or local, national, or international statute or regulation. Public Information includes announcements and press releases, public event information, and public directories.

SON Hardware and Software Portfolio: Software or hardware assets that have been pre-reviewed from a contractual and security perspective or otherwise approved for use at SON. The SON Hardware and Software Portfolio can be found at: [SON HARDWARE AND SOFTWARE PORTFOLIO HERE]. Technology Assets that are removed from, or are outside of, the portfolio cannot be used.

Technology Assets: Information technology hardware or software that is used in the acquisition, processing, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or disposal of data.

University Data: Regulated, Restricted, and Public data produced or consumed for university business-related purposes.

Contacts

Contact: School of Nursing, IT OPS
Telephone: N/A
Email: son_it_opsatgwu [dot] edu

Responsible University Official: Director of Operations
Responsible Office: Information Technology Operations
Last Reviewed: January 31, 2020