This page describes compliance with applicable policies when purchasing software and cloud-based services. These commodities may utilize sensitive data, requiring additional review prior to purchase authorization.
- What is Sensitive Data?
- Consult With Your Computer Technical Staff FIRST.
- Locate an existing university software agreement whenever possible.
- Complete the Appropriate KFS Document and Approval Form If there is no existing software agreement.
There are many different types of sensitive data. If you are purchasing software or utilizing a cloud-based service that will utilize sensitive data, it is critical that you are aware of how that software will protect and secure that data.
We strongly advise that you review the UC Davis policy PPM 320-20, as well as the University of California Security Protection policy documentation to familiarize yourself with the applicable rules and regulations.
Make sure you understand the type(s) of software you need (quantity, licenses, compatibility with other equipment, etc.). Since some software purchases are non-returnable/non-refundable, it is important to ensure that you are purchasing the correct software for your specific needs.
With an existing agreement, the due diligence is already done! This means no supplier set-up and contract negotiation. Agreements are available in:
- Kuali Financial System (KFS): Use the Agreement Number Lookup; in the Description field, enter *SOFTWARE* (including the asterisks) to retrieve software agreements.
- CalUSource: This agreement lookup provides another way to locate software agreements; enter software in the search field. (NOTE: Google Chrome is the recommended Internet browser.)
To purchase against an existing software agreement:
- Complete a KFS Requisition, citing the software agreement in the Agreement # field.
- You can shop the AggieBuy computer software catalogs, including those from CDWG and SHI. Only items that are available from the AggieBuy stock catalogs can be purchased without additional required approvals.
- Conversely, you can use the Procurement Card, but only up to the dollar limit on the card, regardless of the agreement spending limit. Refer to the Using the Procurement Card page for detailed instructions on how to process a Procurement Card transaction against an agreement. NOTE: Only software on an existing purchase agreement may be purchased with the Procurement Card. When performing the P-Card reconciliation in AggieTravel, there is also an Agreement # field that should be used to enter the KFS Agreement Number whenever the P-Card has been used to purchase against an established university purchasing agreement.
With pre-existing agreements, the vendor will not generally require you to sign any additional terms and conditions. Departmental users are not authorized to sign on behalf of the university. If you are asked to accept and/or sign any terms and conditions, please contact firstname.lastname@example.org for assistance.
- If the request will be for a one-time software purchase, a KFS Requisition document should be completed. If the request will be for ongoing software service and support, a KFS Purchase Agreement should be completed.
- Determine the sensitivity of the data with which you will be working:
- For all data types, complete and sign the Approval Form for Software and Related Services. The form records the approvals of the departmental Technical Unit Information Security Lead (UISL), also known as the UISLs, and identifies how the proposed purchase will be used at UC Davis. This form must only be signed by the Technical UISLs on file with Information and Educational Technology (IET).* Attach the completed and signed Approval Form for Software and Related Services to the Notes and Attachments section of your KFS document.
- If you will be working with P3/P4 data, the Vendor Risk Assessment is required, in addition to the Approval Form for Software and Related Services. See the UC Electronic Information Security Policy for more information.
- The Vendor Risk Assessment process is managed by the UC Davis Information Security Office (ISO) at email@example.com.
1: Navigate to the UC Davis Service Hub.
2: In the Service Hub, in the Search bar at the top right, search “Vendor Risk Assessment.”
3: Under the “Software and Services” section, choose the result that says “Vendor Risk Assessment.”
4: After completing the Vendor Risk Assessment form, add a note to your KFS document that you have completed this process.
- *The Technical UISL signature responsibility for the Approval Form for Software and Related Services can be delegated to another individual if the department wishes to do so. To establish a Technical UISL delegate, an email from the Technical UISL or a member of the department/unit’s leadership naming the person as delegate must be attached to the KFS Purchase Agreement document for each request.
- The type of KFS document created determines what you do next:
- If you created a KFS Requisition, a Purchase Order will be automatically created once the Requisition is fully approved. The Purchase Order can then be used with the supplier.
- If you created a KFS Purchase Agreement, Once the KFS Purchase Agreement document is approved by Procurement and Contracting Services, follow the instructions above for processing purchases against it.
Please contact the Strategic Sourcing team at firstname.lastname@example.org.
NOTE: Additional information is also available on the Software at UC Davis website.