IT Policies and Procedures
IT Compliance Guidelines
What is IT Compliance?
IT Compliance is the act of adhering to established rules, standards, or specifications to align with university and government expectations. This may include adherence to laws and regulations, sponsor-imposed contract requirements, or internal policy and procedure.
For IT related purchases as well as changes to existing products and renewals, this service will review applicable requirements, identify steps for meeting obligations, and implement necessary safeguards and countermeasures.
Areas of IT Compliance
IT Compliance evaluates technology in the following compliance areas:
- Security
- Digital Accessibility
- Payment Card Industry (PCI) Data Security Standard
- Family Educational Rights and Privacy Act (FERPA)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Personally Identifiable Information (PII)
What must go through IT Compliance?
IT Compliance applies to both OneCard and Contractual IT related purchases, changes, or renewals.
- New purchases of IT related products
- Renewals for IT related products
- Solutions previously approved for another department (each department use case MUST be reviewed)
- When changes are made to existing IT related products (e.g., expansion of users, new integrations, additional data points, etc.)
- All software must be approved by IT prior to use, even if the software is free.
Before selecting an IT Solution
Coordination of IT related purchases is essential to maintaining an environment capable of supporting University activities. Significant cost savings are also possible by aggregating purchases of software and integrations and avoiding duplication.
- Contact your IT Professional (IT Pro) early in the selection process.
- Review the Software Technology Catalog to see if an existing solution can meet your needs.
IT Compliance Process
To receive approval from IT Compliance, complete these steps:
- Contact your IT Professional (IT Pro).
- Your IT Pro will submit IT Compliance Filter questions to capture the product details.
- This submission places the request into the IT compliance queue.
- IT Compliance reviews the request to determine the relevant areas of compliance and needed documentation.
- IT Compliance contacts the vendor to request documentation:
  - Vendors may be required to complete and submit the IT Standards and Requirements Questionnaire (ITSRQ)
  - Vendors may be required to provide other documentation as determined by IT Compliance
- IT Compliance evaluates the completed ITSRQ and/or submitted documentation.
- IT Compliance will send a final review summary email to the IT Pro that submitted the filter questions, the departmental expert and the fiscal person entered in the filter questions.
- If approved, the IT Compliance approval must be attached to the requisition for purchase. *
* Please note “IT Pro approval” means “IT Compliance and IT Pro approval.”
After IT Compliance provides the Approval Summary, the department will need to work with UM System Procurement to purchase and perform the legal review.
How Long does the Compliance Review Take?
Depending on the documentation needed from the vendor and the vendor’s responsiveness, the process can take from 1 to 4 or more weeks. It is always good to communicate with IT Compliance if a request is time sensitive, but that does not mean the process can be rushed.
For example, a review of desktop software classified DCL1 or DCL2 with a low number of users can take 1 to 2 days, whereas a review of vendor-hosted software classified DCL2 or higher can take weeks.
For additional assistance, email itcompliance@missouri.edu.
Business Policy Manual References and Other Applicable Policies
- UM Information Technology & Telecommunications Purchases
- MU Digital Accessibility of Communications and Information Technology
- UM Security Requirements for Information Technology Purchases
- UM Data Classification System
Frequently Asked Questions
Yes, filter questions must be completed and approved for each renewal. This helps compliance keep track of any changes in use, minimize risk to the Universities and check for any security or regulatory updates.
Yes, all software, hardware, and application purchases must be reviewed and approved by IT Compliance before purchase or renewal. The goals of this policy are to ensure IT and Telecom purchases, leases, lease purchases, deployments and consultations meet or exceed each academic and business unit’s objectives for standardization, supportability, sustainability, ADA accessibility, compatibility and information security requirements, and that they are the best solution(s) at the best price. Please refer to UM Information Technology & Telecommunications Purchases.
Notification will be sent to the IT Professional that submitted the filter questions, the departmental expert and the fiscal person entered in the filter questions.
Your IT professional begins the IT compliance process by filling out the IT filter questions and submitting them on your behalf. This action signifies that the IT Professional approves.
Yes, because authentication via a username/password is most likely occurring and that may require further review.
Yes, because your business case may be different from the one previously approved and may require further review. For example, your department might be using the product for student data (FERPA) while another department might be using it to collect payments (PCI).
Yes, all pilot, new or trial software and application purchases, including free versions, must be reviewed and approved by IT Compliance before the pilot/trial begins. Additional documentation may be required from the vendor, such as the University’s FERPA Addendum if the pilot/trial will include FERPA data. Once a pilot project or trial has concluded and been deemed successful, the software or application must be resubmitted for a full IT Compliance review.
Authentication via University credentials (SSO) may be evaluated as part of the IT Compliance process. The University requires Single Sign-On (SSO) for applications with over 50 users if the vendor is able to support it. There may also be instances where the MU ISO requires it with fewer users, depending on the type of data that is stored or accessed in the application. SSO may be implemented via Shibboleth/SAML or Azure AD, as determined by the UM Authentication Team. If SSO is required for an application, it will be stated in the IT Compliance approval summary you receive after the application has been reviewed. SSO must be implemented before the application goes live in production, and a consultation with your IT department and the vendor may be needed to confirm technical details during the implementation. In addition, some vendors charge a fee to implement SSO, so please discuss this with them and have it added as a line item on your quote.