Overview
SAIT and Student Affairs Procurement have partnered to clarify the technology acquisition process, and empower Student Affairs units with the knowledge needed to efficiently obtain the software tools and technology necessary for their staff to successfully serve the student population, while ensuring contractual protections for university, staff and student data.
Before Submitting an SA Technology Project or Technology Procurement Request
1. Review Existing Resources
Review both the Student Affairs Software Catalog and the IT Service Catalog first to try to identify an existing solution. The providers of the software and services listed in these catalogs have existing relationships with Student Affairs, UC Berkeley and/or the UC System. If an existing technology solution can meet at least 80% of your requirements, it should be the selected solution.
- IT Service Catalog
- Student Affairs Software Catalog
- Ordering new computers or other hardware
  - Student Affairs staff may be eligible to receive funding from the Division of Student Affairs' New Device Program. Complete this form to apply for a new device. For any questions, email Hollyann Larson (hollyann@berkeley.edu).
  - For hardware purchases not eligible for the Student Affairs New Device Program, follow the instructions on the ITCS Computer Hardware Purchasing webpage.
2. Understand Delegated Authority
While it is possible to procure some technology solutions by using a Blucard with an online service provider, or to bypass this procurement process directly in BearBuy, very few staff are authorized to do so. Please engage your Buyer prior to finalizing any transaction to include agreement terms that are compliant with UC policies, etc.
- Only those with delegated authority may initiate or sign a supplier’s quotes or agree to their terms and conditions.
- No click-through agreements should be initiated by departments, even if the supplier says they are “free.”
- “Click-through,” “shrink-wrap” and similar supplier terms/agreements may constitute legally binding agreements, binding UC to their terms. Acceptance of such terms as written could expose the University to unacceptable and costly risks, including but not limited to being liable for using infringing software; being liable for third party acts or omissions (i.e., a direct violation of a UC Standing Order); HIPAA violations; possible mishandling of sensitive data; intellectual property concerns; and non-compliance with laws/regulations/policies of Federal, State, UC, funding agency entities.
- Such "click-through" agreements for software or services available on the Internet are likely not approved by UCOP or UC Berkeley legal and procurement departments; moreover, only authorized individuals can enter into agreements for UC. Therefore, please avoid clicking through on such agreements and instead please engage your Buyer prior to finalizing your transaction to include agreement terms that are compliant with UC policies, etc.
3. Confer with the Student Affairs Strategic Initiatives Director & Student Affairs Procurement
- The Strategic Initiatives Director (sait-sim@berkeley.edu) can be a thought partner to offer guidance and best practices as you explore solutions to your business challenges, as well as connect you with campus resources and other division partners that may have a similar technology need.
- Student Affairs Procurement can help you determine if a formal bid would benefit your situation. Typically, software and services that have been formally bid have better pricing, less risky contract terms, and are negotiated faster than contracts that have not been formally bid. This will help to ensure departments receive quality software as a service, competitive pricing, and suppliers who adhere to UC Regents’ policies.
- RSSP staff should confer with Ingrid Hunt (ijbhunt@berkeley.edu), Technology Planner for RSSP, who will provide guidance and coordinate with the Strategic Initiatives Director and Student Affairs Procurement.
- Hollyann Larson in the VCSA immediate office manages Student Affairs’ new computer requests and refreshes. Please reach out to her directly to initiate these kinds of requests. If you are a manager, communicate with Hollyann well in advance (i.e., 4-6 weeks) if you plan to hire new staff. This will help the equipment ordering process move along in a timely fashion. Berkeley IT regularly updates its estimated computer order turnaround time. Click here to submit a new device order request.
4. Document the business requirements
- What does the software/technology need to do? What problem is it being used to solve? What features are required? What vendors have been considered? Do any vendors present unique advantages or offerings? What is the approximate 1st year/implementation pricing? What are the annual costs?
- You may use this feature comparison template to define requirements and compare vendor products.
5. Ask potential vendors Security/Privacy and Accessibility questions
Ask questions of potential vendors to see if they seem prepared to meet the Security/Privacy and Accessibility needs of the procurement process.
- Security/Privacy
  - Ask potential vendors if they have completed a HECVAT (Higher Education Community Vendor Assessment Toolkit). A vendor that has completed a HECVAT demonstrates attention to security and it is a good sign that they will be responsive during a vendor security assessment.
  - If there is credit card data involved, ask potential vendors if they have a PCI DSS Attestation of Compliance from a Qualified Security Assessor (this is a third party attestation, not a self attestation).
  - Ask potential vendors if they have a security plan they are able to share as part of a procurement process.
  - Consider the business and/or data location of potential vendors. Vendors without a US presence can pose extra security risks and contractual challenges.
  - Inquire with potential vendors and confirm that the data is not being used to generate income outside of the contracted services (data is not being sold or shared with third parties).
  - Ask potential vendors if they support SSO/SAML2 and can integrate with CalNet (nice to have).
- Accessibility
  - Ask potential vendors if their software meets the WCAG 2.0 level AA standards or if they have completed a VPAT.
  - Ask potential vendors if they are willing to complete an Accessibility questionnaire as part of a procurement process.
  - Ask potential vendors if they are willing to participate in a hands-on accessibility review. Would they be willing to commit resources to address any major accessibility issues identified?
  - Check with the Web Access team for guidance and tips for identifying an accessible solution. You can contact them via email: webaccess@berkeley.edu
6. Determine if this needs to be an SAIT Project or if it is a non-project Technology Procurement
Some procurements are large and complex enough to be a Technology Project. Others can be treated as a non-project Technology Procurement. For help determining if your procurement is best handled as a project, contact the SAIT Strategic Initiatives Director (sait-sim@berkeley.edu). If the procurement leverages an existing solution, follow the procurement path indicated in the Student Affairs Software Catalog or on the IT Service Catalog/campus service website.
- It might be a Project if…
  - It is multi-departmental/cross division.
  - It requires hosting or programming resources from SAIT (i.e. it is not a cloud solution).
  - It requires specialized hardware to connect to the campus network.
  - It requires data from, or integration with another campus system.
  - It has an estimated project budget of $500,000 or more or an estimated annual operating expense of $250,000 or more (project required).
- It is probably NOT a Project if...
  - It is an online service that will not require data from, or integration with another campus system.
  - It would not require resources outside of your department to implement.
Student Affairs Technology Project Request
- If the technology need seems to qualify as a Technology Project (see item 6 above for guidance), make sure you have documented the business need and defined your requirements as outlined above. Get support from your Manager and/or Director, then initiate a conversation with the SAIT Strategic Initiatives Director (sait-sim@berkeley.edu). You will be asked to complete project request documentation for your portfolio head/executive to review and approve. RSSP staff should confer with Ingrid Hunt (ijbhunt@berkeley.edu), Technology Planner for RSSP, who will provide guidance and submit project requests. UHS staff should continue to follow their established internal processes.
- If the procurement leverages an existing solution, follow the procurement path indicated in the Student Affairs Software Catalog or on the Berkeley IT Catalog/campus service website.
New Technology Procurements (non-projects)
New technology procurements that are NOT projects can follow the steps outlined below.
1. Assign Main Point of Contact & start Department Checklist for Technology Procurements
- Create a copy of the Department Checklist for Technology Procurements. This checklist is a step-by-step guide of the process outlined in steps 2-6 below.
- The Main Point of Contact will be the coordinator for the requesting department throughout the procurement process. SAIT and Procurement will be available for consultation to assist the Main Point of Contact in fulfilling these responsibilities. This person will be responsible for doing or delegating the tasks detailed in the checklist. Ingrid Hunt (ijbhunt@berkeley.edu), Technology Planner for RSSP, acts as Main Point of Contact for most RSSP technology procurements.
- As a reminder, Hollyann Larson in the VCSA immediate office manages Student Affairs’ new computer requests and refreshes. Please reach out to her directly to initiate these kinds of requests. If you are a manager, communicate with Hollyann well in advance (i.e., 4-6 weeks) if you plan to hire new staff. This will help the equipment ordering process move along in a timely fashion. Berkeley IT regularly updates its estimated computer order turnaround time at https://technology.berkeley.edu/services/support-and-training-device-support/computer-hardware-purchasing
2. Complete Exhibit 1
Specify a Supplier’s cybersecurity and risk management responsibilities by identifying the protected data or IT Resources the vendor systems might receive, process, transmit or store as part of their contractual obligations. Exhibit 1 is a component of the Data Security Appendix (Appendix DS) and becomes part of the University’s contract with the vendor. It is also required by UCB’s Information Security Office (ISO) to initiate a Vendor Security Assessment.
- Complete Exhibit 1 (use this Exhibit 1 Job Aid for guidance.)
- Request a review of Exhibit 1 with the Unit Security Lead (sa-uisl@berkeley.edu)
3. Submit a Student Affairs Procurement Request
- Go to the Procurement Page
- Select Purchase Order Creation
- Fill in the requested information and upload Exhibit 1
4. Request Vendor Documents
- Ask the vendor for the following:
  - A security plan, a completed HECVAT, or a completed External Appendix DS Security Plan Template
  - A completed Accessibility questionnaire
  - A Certificate of Insurance
- Email the documents to the assigned Buyer and the Unit Security Lead.
5. Request Assessments (these two can be completed concurrently)
- Security: Request a Vendor Security Assessment when Exhibit 1 identifies the data classification as P3 or P4.
- Accessibility: Complete the DIY Accessibility Checklist, then request a Web Access Clinic.
6. Work with the assigned Buyer as they finalize the contract negotiations
- Suppliers will need to agree to complete security remediations and accessibility remediations within a defined and reasonable time frame. If “critical” or “major” issues have been identified, these will need to be remediated prior to contract start and prior to sharing data with the supplier.
- The department may need to change business requirements to exclude certain types of data or may need to identify another qualified vendor to perform the service.
Handy Links
- Department Checklist for Technology Procurements
- Blank Exhibit 1
- Exhibit 1 Job Aid
- IT Service Catalog
- Student Affairs Software Catalog
FAQs
Can I just charge it on the department Blucard?
While it is possible to procure some technology solutions by using a Blucard with an online service provider, or to bypass this procurement process directly in BearBuy, very few staff are authorized to do so. Only those with delegated authority may initiate or sign a supplier’s quotes or agree to their terms and conditions.
What about free services/accounts? Can I use those?
Only those with delegated authority may initiate or sign a supplier’s quotes or agree to their terms and conditions.
- No click-through agreements should be initiated by departments, even if the supplier says they are “free.”
- “Click-through,” “shrink-wrap” and similar supplier terms/agreements may constitute legally binding agreements, binding UC to their terms. Acceptance of such terms as written could expose the University to unacceptable and costly risks, including but not limited to being liable for using infringing software; being liable for third party acts or omissions (i.e., a direct violation of a UC Standing Order); HIPAA violations; possible mishandling of sensitive data; intellectual property concerns; and non-compliance with laws/regulations/policies of Federal, State, UC, funding agency entities.
- "Click-through" agreements for software or services available on the Internet are likely not approved by UCOP or UC Berkeley legal and procurement departments; moreover, only authorized individuals can enter into agreements for UC. Therefore, please avoid clicking through on such agreements and instead please engage your Buyer prior to finalizing your transaction to include agreement terms that are compliant with UC policies, etc.
How long does it typically take to procure a solution?
Completion of any new deal with data terms and no formal bid typically takes 3 months of negotiation with the supplier. If the supplier is willing to accept UC’s agreement and standard terms without modification, the process can be completed much more quickly. If the Protection Level of the data is P1 or P2 and the supplier is willing to accept a purchase order instead of signing the supplier’s paperwork, the process can also be completed more quickly.
How long does a Vendor Security Assessment take?
It is best to allow at least 30 days for a vendor security assessment. This can vary greatly depending on the number of assessments in ISO’s queue, as well as the cooperation of the vendor and the preparation of the requesting department’s Main Point of Contact. When all parties are well prepared and collaborative, a vendor security assessment can be completed quickly.