Buying Software/IT Services

Information Technology (IT) services include electronic storage, processing or transmitting of data or information, as well as the data or information itself. IT services include, but are not limited to, software, cloud-based software, electronic mail, voice mail, cloud-based fax services, databases, digitized information, platforms (mobile PaaS, open PaaS, integration platform as a service (iPaaS), web-based subscriptions, website hosting, etc.).

IT services involve the supplier granting a license or subscription to use data, software, a cloud-based solution, or an application, or to access a website, for a set period of time.

When purchasing IT services, departments must address a few key issues prior to submission of the requisition such as competitive bidding, data security, privacy, and insurance requirements.

IT Service Purchases Process Steps

OIT has enterprise licenses of software available for download without a purchase (see Software and Hardware Resources).

UCOP has negotiated systemwide agreements that you can use for some purchases (see Systemwide IT Agreements). In addition, you can review the UCI Contracted Supplier list. (Note that buying from a UCI or UCOP agreement satisfies competitive bidding requirements and the Small Business First policy. However, in certain instances a specific software may still require data security, privacy, and insurance reviews.)

When purchasing IT services, it is critical to determine whether the supplier will store, transmit or create data on behalf of UCI, or whether the supplier will connect to or have access to UCI systems. Please see OIT's Data Protection Levels webpage for more information.

Suppliers that handle UCI data or have access to systems need to undergo a Supplier Security Review through the Office of Information Technology (OIT). To start that process, complete a Supplier Security Review Questionnaire with the assistance of your Unit Information Security Lead, and email it to securityreviews@uci.edu.

Procurement needs the OIT ticket response advising no special security terms are needed, or the completed Risk Assessment with OIT’s security findings and recommendations. Upload either document to the KFS requisition.

Each department in possession of private data/information has a responsibility to safeguard it. Please see Protect UCI Data and confer with the UCI Privacy Office as needed for privacy concerns. The privacy review is conducted together with the OIT Security Review. 

Most suppliers have their own agreements, order forms, or terms that govern their software/subscriptions. When you receive those documents from a supplier, it is important to alert the supplier that UCI, as a state university, is generally required to use UC system templates and terms. The agreement that Procurement prepares may not consist of the supplier's terms alone.

For IT software/cloud purchases that OIT has assessed as involving P3 or P4 data, please complete an Information Technology Purchase Agreement and upload it to your KFS requisition. 

Suppliers that handle UCI data, or have access to UCI systems, are required to maintain cyber liability insurance to cover the remediation costs of data breaches. If the OIT Risk Assessment determines the supplier will handle:

  • P1 level data, the supplier must maintain $500,000 in cyber liability coverage.
  • P2 level data, the supplier must maintain $1 million in cyber liability coverage.
  • P3 level data, the supplier must maintain $5 million in cyber liability coverage.
  • P4 level data, the supplier must maintain $10 million in cyber liability coverage.

If suppliers cannot meet the UC required insurance coverages, or insist on a limitation of liability, the purchase will require additional reviews by Risk Services and Campus Counsel. Please allow for additional time for review of these issues. The assigned Procurement team member will assist with the review process. 

Risk Services must review an up-to-date Certificate of Insurance (COI) from the supplier. Please contact Risk Services with questions regarding the COI.

Most Information Technology Services require a KFS Requisition. (See PALCard drop-down for situations when PALCard is an option.)  In the requisition, please be sure to include pertinent information such as:

  • In the Explanation box, include the name of the Supplier, the product name, the term dates of the license/subscription, and how the software will be used.
  • Select the most accurate commodity code to ensure the PO routes correctly. IT Service purchases are not “Professional Services”. 

The following are the commonly used commodity codes; please use them accordingly:

  • 81112500  Computer software licensing, rental Software license - (locally hosted, excluding cloud)
  • 81162000  Cloud based software and services
  • 81112105  Website- World wide web WWW site operation host services
  • 81112103  Website- World wide web WWW site design services

 Attachments to upload to the requisition:

  1. A copy of OIT’s Risk Assessment from the Supplier Security Review, or the ServiceNow ticket response stating that a formal security review is not needed.
  2. The Order Form or other documentation you received from the Supplier that describes the license/subscription UCI is purchasing.
  3. All policy-based back-up documentation depending on what is applicable to your purchase (SSPR Form, Federal Fund Forms, Small Business First Forms, etc.).
  4. Certificate of Insurance, if required (see above).
  5. Completed Information Technology Purchase Agreement if required (see section above).

PALCard may be used for the purchase of Information Technology Services in limited circumstances, when:

  1. The software/solution/subscription is assessed by OIT as a low risk application (does not handle, transmit or store UCI sensitive data, or have access to UCI systems),
  2. The purchase does not require a signed agreement (click-through is OK),
  3. The supplier affirms its products/services conform to the accessibility requirements of WCAG 2.0 AA (for additional information, please contact accessibility@uci.edu), and
  4. The annual expense is less than $5,000.

Complete the Supplier Security Review Questionnaire and submit to securityreviews@uci.edu as described in the Data Security tab (see above). Please upload the approved low risk assessment to the PCDO scanning image tab in KFS. 
