Effective July 1, 2025
Purpose
The Duquesne University Technology Purchase Service Requirement sets forth the standards that all faculty, staff, and students (hereafter referred to collectively as “User(s)”) must follow for technology purchases at the University. The purpose is to ensure that the procurement of information technology hardware, software and services follows established standards and guidelines; that due diligence is performed to ensure compatibility with existing systems; that data is managed and protected according to policy and regulation; and that appropriate support plans including disaster recovery and business continuity are associated with the Technology purchased.
Scope
This Service Requirement applies to all technology resources and related services owned, used, or operated by the University, regardless of the source of funding, location, or intended purpose. This includes but is not limited to: computers and servers in any form factor; software and applications; information technology systems; cloud services including platform as a service (PAAS), infrastructure as a service (IAAS), and software as a service (SAAS); mobile devices such as phones or tablets; network devices; technology services such as consulting, maintenance contracts or subscriptions; peripheral equipment (e.g. printers, scanners, etc.); and information security systems.
Service Requirements
- Information Technology purchases require the review and approval of Computing and Technology Services (CTS).
- Information Technology purchases require a third-party risk review as required by the Vendor Risk Management Service Requirement.
- Information Technology purchases are to follow the University’s Procurement & Payment Services Policies and Procedures.
- University Data Stewards must approve the use of all Restricted Data as defined in the Data Governance Service Requirements for appropriate use and compliance in partnership with the Offices of CTS Information Security and the General Counsel.
- CTS will identify and publish approved technology and provide procedures for technology acquisition at Policies and Service Requirements.
Computer Equipment Standards
- All computer equipment must be purchased with department funds through Technology Sales at the TechHUB, including monitors, hard drives, and laptops.
- Other things, such as keyboards, mice, and other peripheral equipment, should be purchased through Technology Sales at the TechHUB and funded by the department.
- Operating Systems must have maintenance and support from the vendor for security patches and updates or risk being denied/removed from access to the campus network.
- University-managed devices must be able to support the currently released Operating System to be connected to the university network.
- Standard computer models and configurations are required to maintain sustainability, supportability, compatibility, and manageability.
- Computer Equipment should be replaced on a 4- or 5-year replacement cycle as defined by the equipment warranty and in consultation with CTS.
- University-owned computers are required to be managed by CTS using enterprise management solutions to more efficiently deploy software, patches, updates, security settings, and to streamline imaging.
- Lost or stolen computer equipment must be reported to the University Police by calling them at (412) 396-2677 or going to Public Safety in person. A cybersecurity incident should be reported to CTS by submitting a request within 24 hours of discovery of loss.
- Exception requests for technology not contracted for and/or licensed by the University must be formally submitted and approved by CTS. Forms can be obtained by emailing IT Help.
Mobile Device Standards
- A University mobile device must be purchased with departmental funds through the Services Portal Service: Cell Phone for University Business with the appropriate approvals. The department is also responsible for the recurring monthly cost associated with the device.
- Apple iOS devices are supported and maintained by CTS for University-owned devices. Support is currently not available for other devices such as Android, although services such as email may be available on those devices. Best-effort support will be provided for the setup of email on Android Devices.
- University-owned mobile Devices are required to be managed by CTS using an enterprise management solution to more efficiently deploy software, patches, updates, security settings, and to streamline imaging.
Information Technology Software Standards
- Software being purchased for use by the University must comply with the University’s Information Security Policies.
- Software must be compatible with other University software and not cause a conflict that may disrupt the operability of core information technology services and functions.
- Software must be properly licensed and have an approved End User License Agreement (EULA) by CTS and Business Services.
- Cloud Software must be compatible with the University’s Single Sign-On Authentication (SSO), support multi-factor authentication, and integrate with our directory services. Costs for these services should be factored into overall pricing for solutions and services.
- Cloud Software Vendors must provide a Service Organizational Control 2 (SOC2) Report and complete a Higher Education Community Vendor Assessment Questionnaire (HECVAT).
- Software that requires the use of institutional data (student, employee, etc.) must be reviewed for data compliance with stewards who are responsible for compliance, security and standards. The security of the data must comply with the CTS Data Governance Service requirements and will be reviewed by the CTS Information Security Office.
| Data Type | Data Steward |
|---|---|
| Student Data | University Registrar’s Office |
| Health Data | HIPAA Compliance Office |
| Applicant Data | University Admissions Office |
| Employee Data | Human Resources Office |
| Research Data | Sponsored Research Office |
| Credit Card Data | Treasurer’s Office |
| Alumni Data | University Advancement Office |
| Financial Data | University Controller’s Office |
- All software agreements (including click-through agreements) must follow the University’s contract review process and are to follow signatory authority requirements of the University Bylaws. These Bylaws restrict signatory approval to certain members of the University Cabinet.
Information Technology Consulting, Maintenance Agreements, and Services
- All contracts related to Information Technology-related services, such as consulting, maintenance agreements, and services, must follow the University’s contract review process and are to be signed only by the appropriate University Cabinet Member as outlined in the University Bylaws.
- Vendors are required to go through a risk assessment that evaluates cost, reliability, service agreement performance, and ongoing business concerns. This includes the review of a System and Organization Control Report (SOC) and a Higher Education Community Vendor Assessment Toolkit (HECVAT). High-Risk IT vendors may not be approved for use by CTS, Business Services, General Counsel, and/or the Vice President of Finance and Business.
Information Technology Asset Disposal/Resale
- All University-owned IT equipment purchased with university funds remains the property of the University until disposed of or resold.
- Failure to return University-owned equipment, software, or data upon leaving the University may result in legal action or obligate the employee to reimburse the University for the value of such items.
- CTS may re-sell the equipment as part of the monthly used computer sale or sell to outside agencies. Reclaimed equipment will be sanitized according to industry standards before resale.
- Coordination with CTS is required when disposing of IT equipment, to ensure disposal is handled properly in alignment with current regulations. Equipment cannot be “gifted” to university members unless approved by Finance and Business and CTS in writing. Coordination can be done by submitting a ticket using the Service Portal Service.
Procurement of Technology
- CTS or Technology Sales at the TechHUB must be consulted before any technology or software is procured, to ensure proper compatibility. You may request a new solution or technology via the Service Catalog.
- Funding for software solutions is the responsibility of the department, including ongoing annual maintenance costs, unless otherwise agreed to by CTS.
- All purchases are to adhere to the University’s procurement policies.
Technology Purchases for Non-Standard Equipment
- In rare circumstances, departments can be approved to purchase technology equipment that is not offered through Technology Sales at the TechHUB or through contracted solutions. All non-standard purchases must be submitted by request via the Service Portal Service: Request New Solution or Technology. Please note that all requests are subject to review and approval by CTS.
Technology Equipment provided for remote employees
- University equipment may be purchased for use by remote employees.
- Employees must return company-issued devices upon separation from the University or role change.
- Failure to return equipment may result in financial penalties.
Enforcement
The unauthorized or improper use of Duquesne University’s technology environment, including the failure to comply with this service requirement, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 – Acceptable Use of Computing Resources which can be found at The Administrative Policies.
The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.