Policy Number: IT-14
Effective: 09/19/2023
Last Revised: 09/22/2023
Responsible Employee: Executive Vice President & CFOO
Contact Information: 765-677-2605
SaaS, Software, Cloud Hosting and Hardware Procurement Policy
I. Scope
This policy applies to all employees of Indiana Wesleyan University (IWU) and any services and/or products that can be purchased using Indiana Wesleyan University capital and/or operating funds, including:
- Software to be hosted on IWU owned equipment
- Computer Hardware utilized for IWU business purposes
- Cloud hosted infrastructure and platform solutions
- Software-as-a-service acquisitions (SaaS)
See the ‘Definitions’ section of this policy for a more detailed outline of in scope equipment and services.
II. Policy Statement
This policy outlines the requirements for acquiring and implementing new software and hardware assets at Indiana Wesleyan University as well as any cloud-based software or infrastructure hosting solutions. It aims to ensure that all SaaS, cloud hosting, software and hardware acquisitions align with the university’s strategic goals while safeguarding against potential cyber threats.
III. Reason for the Policy
This policy aims to strike a balance between meeting business requirements and maintaining robust cybersecurity measures. By adhering to this policy, Indiana Wesleyan University seeks to minimize potential risks associated with in scope products and services while maximizing the value and efficiency they bring to the organization.
A. Business Perspective
- To procure SaaS, cloud-based infrastructure, software and hardware that enhance operational efficiency, productivity and standardization and support the university’s business objectives.
- To ensure all acquisitions undergo a thorough evaluation process, considering their long-term benefits and total cost of ownership.
- To foster collaboration between the IWU IT department, the Information Security Office, the Enterprise Architect, and relevant business units in identifying software, cloud solutions and hardware needs to ensure alignment with business processes.
B. Cybersecurity Perspective
- To prioritize the security and privacy of data to meet the highest possible cybersecurity standards.
- To conduct a comprehensive risk assessment and cybersecurity evaluation of potential vendors before procurement.
- To ensure that all acquired services, software and hardware assets comply with relevant industry standards and regulatory requirements.
- To promote regular updates and patch management to address potential vulnerabilities and minimize exposure to cyber threats.
IV. Policy Information
A. Procurement
1. Business Needs Assessment
a. When there is an identified need for a product or service, please reference the following:
i. SaaS or Cloud hosted solution: Project Management Office – Email the Project Management Office: pmo@indwes.edu
ii. Computer Hardware or Software: IT Support Center – https://kb.indwes.edu/Computers/Employee/User_Guide/New_Employees/HardwareRequest
b. The IWU IT department and the Enterprise Architect, in collaboration with relevant business units, shall conduct a thorough assessment of any SaaS, cloud solution, software or hardware needs based on identified business requirements.
c. The assessment should consider factors such as scalability, functionality, user-friendliness, integration capabilities, standardization, and compatibility with existing systems.
2. Vendor Evaluation
a. The IWU IT department, Enterprise Architect and Information Security Office shall evaluate potential in-scope vendors from a business, integration, and cybersecurity standpoint.
b. Business considerations shall include product features, pricing, service level agreements, customer support, and vendor reputation.
c. Cybersecurity evaluation shall encompass an assessment of the vendor's security measures, data protection policies, access controls, and incident response capabilities.
d. Enterprise Architect reviews shall include assessing the compatibility with current application and infrastructure standards in order to align with or improve consistency across systems.
3. Risk Assessment
a. Prior to finalizing any procurement decision, a comprehensive risk assessment shall be conducted to identify potential cybersecurity risks associated with the software and hardware being considered.
b. Risks identified during the assessment should be addressed through appropriate risk mitigation strategies.
4. Compliance Verification
a. All SaaS, software and hardware acquisitions must comply with applicable industry and IWU standards as well as regulatory requirements (e.g., single sign-on with IWU authentication systems and multifactor authentication).
b. The Information Security Office shall verify the compliance status of potential vendors and their data handling practices before procurement.
5. Contractual Agreements
a. All acquisitions shall be accompanied by clear and comprehensive contractual agreements.
b. Contracts should include provisions for data ownership, data access and encryption, service level commitments, incident response, and vendor responsibilities in the event of a security breach, as applicable. All agreements must be reviewed by IWU legal counsel before an approved contract signee of the university signs off and finalizes the purchasing process.
B. Lifecycle Management
1. Implementation and Testing
a. All new SaaS, software and hardware shall undergo thorough testing in a controlled environment before deployment in production, as applicable.
b. The IT department shall oversee the implementation process and ensure that configurations align with cybersecurity best practices.
2. User Training
a. End-users shall receive adequate training on the proper usage of the SaaS solution, data security best practices, and their roles in maintaining the security of company data.
3. Updates and Patch Management
a. Regular updates and patches for software and hardware shall be diligently applied to address known vulnerabilities.
b. A defined schedule and process for updates shall be established to minimize the risk of cyber incidents.
c. If updates can only be completed by the vendor, then an agreed-upon schedule for the application of updates must be contractually stated.
4. Disposal and Decommissioning
a. End-of-support software and hardware shall be decommissioned securely, following best practices, to prevent data exposure.
b. All sensitive data must be securely erased or destroyed before disposing of hardware.
c. At the termination of any SaaS engagement, all IWU-owned data must be erased from SaaS systems within a maximum of 90 days, and written verification must be provided to the data owner and the Information Security Office.
C. Ongoing Operational Management, Monitoring and Compliance
- Regular security monitoring and auditing of SaaS and hardware solutions shall be conducted to detect and respond to any potential security incidents promptly.
- Any changes in the vendor's security posture or data handling practices, as they pertain to SaaS engagements, should be promptly communicated and evaluated for compliance.
- Management of any SaaS or cloud services may entail the tracking of costs based on consumption. Regularly analyzing costs associated with services and planning accordingly to match up with planned costs is required to meet university budget allocations.
V. Definitions
Software-as-a-Service (SaaS): A cloud-based software delivery model that allows end users to access software applications over the internet. Examples include services such as file storage, collaboration tools and presentation tools. With a SaaS model, the software is hosted on remote servers, maintained and updated by the service provider, and made available to customers via web browsers, mobile apps and APIs. It can be an ideal solution for large enterprises, small businesses, or individuals that:
- Do not want the responsibility of buying or maintaining infrastructure, platforms, and on-premises software.
- Prefer simpler cost management through operational expenses (OPEX), rather than capital expense investments (CAPEX).
- Have challenges that require minimal customization to solve.
- Favor software subscription models.
Example SaaS solutions utilized by IWU:
- Microsoft email and file storage
- Salesforce
- Slate
- Parchment
Cloud Hosting: Cloud hosting is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale.
Example Cloud hosted solutions utilized by IWU:
- Microsoft Azure (preferred)
- Amazon Web Services
Computer Hardware: For this document, computer hardware refers to any device that attaches to the IWU network or runs a software application or operating system, including:
- Desktops, laptops, mobile devices
- Servers
- Cameras
- Network Switches
- Network access points
- Security and environmental control devices
- Lab equipment connected to the network
- Networked printing solutions
End-of-Support Software and Hardware: End-of-support (EOS) refers to the point at which software or hardware products reach the end of their lifecycle, and the manufacturer or vendor stops providing updates, security patches, technical support, and warranty services for the product. This means that the product is no longer actively maintained, and users are left with unsupported and potentially vulnerable systems.
Enterprise Architect: The role of an Enterprise Architect in IT is to provide strategic guidance and technical expertise to design and manage an organization's IT infrastructure, applications, and technology solutions in alignment with its business goals and objectives. Enterprise architects play a crucial role in ensuring that the IT landscape supports the overall business strategy, maximizes efficiency, and enables innovation.
Information Security Office: The Information Security Office helps an organization reduce its risk of data loss or compromise, ensures compliance, and ensures that its critical assets are protected.
Patch Management: Patch management is the process of acquiring, testing, and deploying software updates, known as patches, to computer systems, applications, and other software components to fix vulnerabilities, improve functionality, and address various issues. These patches are typically released by software vendors and developers to address security flaws, bugs, and performance-related problems that have been identified in their products after the initial release.
VI. Sanctions
Sanctions for violating this policy could include verbal or written warning, corrective action plan, loss of contract signing privileges, or termination of employment depending on the cybersecurity or financial risk of the purchase.