Technology Review Information

Technology Review Process Frequently Asked Questions (FAQs)

How much time does the review process take?

Please allow a minimum of several weeks for the review process. 

What do you need to speed up the process?

Provide the following when you submit the form:               

  • Quote
  • Agreement
  • Vendor contact name and email
  • VPAT (accessible)
  • SOC 2 Type II Report or similar security control documentation

Who should submit the form?

It is best if your technology staff submits the form. This implies consent from the department to purchase this tool.

When should you submit a new review?

  • Introduction of tool on campus
  • Upgrade
  • Renewal
  • Notification of new agreement/terms
  • Change in use (eg. you noted and licensed academic use and now you want to add research use)
  • Change in features (eg. the tool has added cloud features to an installed software)

Are there times where we do not need to submit a tool for review?

We may be able to bypass the review process if at least one of these are true:

  • Trial use/versions of tools, submit after trial if you are moving forward
  • Under $250.00 cost
  • Free or Open Source 

And if none of these risk factors are present:

  • Cloud based
  • Confidential information
  • Vendor will be on campus
  • Signature is required
  • Over 500 users or open to the public
  • Required tool (class or departmental work)

Free tool considerations/risks:

Some tools note free use, but when you get to the agreement, terms or web descriptions it is disclosed that it is free for personal (vs. enterprise) use, for one install/one user only, or other restrictions.  If in doubt, submit the review form.

Who is involved with the review process?

  • Requester
  • Departmental IT Persons
  • ITS Enterprise Services (its-software@uiowa.edu)
  • ITS Accessibility Office (Lead: Todd Weissenberger)
  • ITS Security and Policy Office (Lead: Warren Staal)
  • Office of the General Counsel (Lead: James Jorgensen)
  • UI Treasury Office (In app/cloud purchasing)
  • Purchasing (purchasing-contracts@uiowa.edu)
  • Vendor (quote, agreement/terms, security and accessibility feedback, revisions, addendums)
  • There may be others based on the risks and use

 

What happens if a vendor signature or revisions are needed?

If you are submitting a PO, Purchasing will take care of that. Otherwise the department is expected to obtain counter-signature or confirmation that they accept our revisions.

Do all software titles/technology tools have terms/agreements?

All software – including shrink-wrapped goods, shareware and free downloads – have a license agreement.

Agreements can come in the following forms:

  • Document signed by both parties
  • Click-through (clicking “I agree”)
  • Document in the box
  • Document in a manual
  • Text “read me” file on the disk
  • Terms on the website

These are all legally binding agreements.

Who has the authority to authorize the agreements on campus?

The only person who has delegated authority to sign or authorize these type of agreements is the UI Director of Purchasing. The Director of Purchasing consults with the Office of the General Counsel before signing these agreements to ensure the interests of the University of Iowa are covered. Generally, individuals, including managers, department heads or deans, do not have proper signature authority to sign and execute these type of agreements on behalf of the University.

To avoid institutional and/or personal liability, license agreements should be evaluated and reviewed from a legal perspective before acceptance. If you sign an agreement, click “I agree,” or agree to terms in any fashion, regardless of cost (including free web downloads), without this evaluation and proper signature process, you may be assuming personal and institutional liability. The potential ramifications include personal financial exposure, disciplinary action, and/or criminal liability.

What are the compliance risks?

  • Export To ensure the University does not violate any export regulations or expose the University to undue risk.
  • Usage Most vendors have different types of licenses for different use.  We review licenses to make sure we are licensing technology for the correct population, where they need access and how they need to use the software.
  • Signature Authority The only person who has delegated authority to sign or authorize these type of agreements is the UI Director of Purchasing. Generally, individuals, including managers, department heads or deans, do not have proper signature authority to sign and execute these type of agreements on behalf of the University. If you agree to terms outside of this process, you are accepting personal liability.
  • IP Rights/Risks As a higher education institution which has many patented and/or copyrighted products we need to respect the intellectual property (IP) rights of others. 
  • Accessibility The University of Iowa is committed to providing equal opportunities to all.
  • Cloud Tool Review of cloud services for storage, collaboration, office automation and general computing tasks.  The most important part to understand is that University data must be properly protected.
  • Risk of Safety or Property Damage In reference for medical and facility type tools.
  • Confidential Information Institutional data is information that supports the mission and operation of the University of Iowa. It is a vital asset and is owned by the University. It is likely that some institutional data will be distributed across multiple units of the University, as well as entities outside. Institutional data is considered essential, and its quality must be ensured to comply with legal, regulatory, and administrative requirements.
  • Vendor on campus Review agreement to cover the University of Iowa in the case of misconduct.

 

Helpful Links

IT Security & Policy https://itsecurity.uiowa.edu/university-it-policy

IT Best Practices https://itsecurity.uiowa.edu/university-it-policy/best-practices

Security Consulting and Compliance https://itsecurity.uiowa.edu/services/security-consulting-and-compliance

Compliance Check List: https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/wysiwyg_uploads/enduserselfmanaged-chklist.pdf

Using Cloud Services: https://its.uiowa.edu/support/article/101195

IT Accessibility @ Iowa https://itaccessibility.uiowa.edu/

Purchasing Policies and Procedures Guide https://uiowa.edu/ap-purchasing/sites/uiowa.edu.ap-purchasing/files/wysiwyg_uploads/Purchasing%20Policy%20and%20Procedure%20Guide.pdf, https://opsmanual.uiowa.edu/administrative-financial-and-facilities-policies/purchasing

 

Risk Analysis

As a higher education institution, the University of Iowa has a diverse population of students, faculty, and staff who are engaged in a myriad of academic and scientific endeavors. Due to this wide array of activities, the University of Iowa must address the potential risk of any technology or software when it is purchased. Therefore the following general categories have been developed to help departments and the ITS Campus Software Program understand the University’s legal risk when purchasing tools. These categories are general and for reference purposes only.

Risk Categories

Low Risk – Agreements may be determined to be low risk if:

  • the tool is low cost or free.
  • there is no foreseeable risk of litigation based on your usage of the tool.
  • there is no risk to human life or safety by using the tool.
  • there is no risk of property damage by using the tool.
  • the use of the tool does not involve processing, storing or compiling confidential information. (Information that may be proprietary to the University or a third party or information that is required to be held confidential for one of many reasons including contract provisions or federal regulations such as HIPAA or FERPA or Social Security Numbers or research data.)
  • the tool is not export controlled. (“Export Controlled” means U.S. Export Control regulations are mentioned in the Agreement. The ITS Campus Software Program will review this issue for the department/purchaser.)
  • the vendor will not have representatives physically present on campus at any time.

Some Risk – The concerns that are not in agreement in the Low Risk definition or any additional risks as determined by the department. These licenses will need to be negotiated to reduce the risk to the institution, the department and the individual.

Not Recommended – These will need to be discussed directly between the Office of General Counsel and Department Head.