IT Compliance Guidelines

What is IT Compliance?

IT Compliance is the act of adhering to established rules, standards, or specifications to align with university and government expectations. This may include adherence to laws and regulations, sponsor-imposed contract requirements, or internal policy and procedure.

For IT related purchases as well as changes to existing products and renewals, this service will review applicable requirements, identify steps for meeting obligations, and implement necessary safeguards and countermeasures.

Areas of IT Compliance

IT Compliance evaluates technology in the following compliance areas:

What must go through IT Compliance?

IT Compliance applies to both OneCard and Contractual IT related purchases, changes, or renewals.

  • New purchases of IT related products
  • Renewals for IT related products
  • Solutions previously approved for another department (each department use case MUST be reviewed)
  • When changes are made to existing IT related products (e.g., expansion of users, new integrations, additional data points, etc.)
  • All software must be approved by IT prior to use, even if the software is free.

Before selecting an IT Solution

Coordination of IT related purchases is essential to maintaining an environment capable of supporting University activities. Significant cost savings are also possible by aggregating purchases of software and integrations and avoiding duplication.

IT Compliance Process

To receive approval from IT Compliance, complete these steps:

  1. Contact your IT Professional (IT Pro).
  2. Your IT Pro will submit IT Compliance Filter questions to capture the product details.
  3. This submission places the request into the IT compliance queue.
  4. IT Compliance reviews the request to determine the relevant areas of compliance and needed documentation.
  5. IT Compliance contacts the vendor to request documentation:
    1. Vendors may be required to complete and submit the IT Standards and Requirements Questionnaire (ITSRQ).
    2. Vendors may be required to provide other documentation as determined by IT Compliance.
  6. IT Compliance evaluates the completed ITSRQ and/or submitted documentation.
  7. IT Compliance will send a final review summary email to the IT Pro that submitted the filter questions, the departmental expert and the fiscal person entered in the filter questions.
  8. If approved, the IT Compliance approval must be attached to the requisition for purchase. *

* Please note “IT Pro approval” means “IT Compliance and IT Pro approval.”

After IT Compliance provides the Approval Summary, the department will need to work with UM System Procurement to purchase and perform the legal review.

How Long does the Compliance Review Take?

Depending on the documentation needed from the vendor and the vendor’s responsiveness, the process can take from 1 to 4 or more weeks. It is always good to communicate with IT Compliance if a request is time sensitive, but that does not mean the process can be rushed.

For example, the length of the process varies with the data classification and hosting model: a review of desktop software classified DCL1 or DCL2 with a low number of users can take 1 to 2 days, whereas a review of vendor hosted software classified DCL2 or higher can take weeks.

For additional assistance, email itcompliance@missouri.edu.

Business Policy Manual References and Other Applicable Policies

FAQs

1. If the software was approved last year, do I need to get it approved again this year?

Yes, filter questions must be completed and approved for each renewal. This helps compliance keep track of any changes in use, minimize risk to the Universities and check for any security or regulatory updates.

2. Do we need approval for zero-cost or small software purchases such as SnagIT or Textpad?

Yes, all software, hardware, and application purchases must be reviewed and approved by IT Compliance before purchase or renewal. The goals of this policy are to ensure IT and Telecom purchases, leases, lease purchases, deployments and consultations meet or exceed each academic and business unit’s objectives for standardization, supportability, sustainability, ADA accessibility, compatibility and information security requirements, and that they are the best solution(s) at the best price. Please refer to UM Information Technology & Telecommunications Purchases.

3. Who will be notified once the IT Compliance team approves the purchase?

Notification will be sent to the IT Professional that submitted the filter questions, the departmental expert and the fiscal person entered in the filter questions.

4. If I have the IT Compliance approval, do I still need my IT Pro to approve the purchase?

Your IT Professional begins the IT Compliance process by filling out the IT filter questions and submitting them on your behalf. This action signifies that the IT Professional approves.

5. If I am only purchasing access to a subscription service that will not contain University data, do I need to send it through for approval?

Yes, because authentication via a username/password is most likely occurring and that may require further review.

6. If the solution has already been approved for another department, do I need to send it through IT Compliance?

Yes, because your business case may be different from the one previously approved and may require further review. For example, your department might be using the solution for student data (FERPA) while another department might be using it to collect payments (PCI), and each of those uses carries different requirements.

7. If my department is conducting a software pilot project or using a trial version of software, do I need to send it through IT Compliance?

Yes, all pilot, new or trial software and applications, whether purchased or free, must be reviewed and approved by IT Compliance before the pilot/trial begins. Additional documentation may be required from the vendor, such as the University’s FERPA Addendum if the pilot/trial will include FERPA data. Once a pilot project or trial has concluded and been deemed successful, the software or application must be resubmitted for a full IT Compliance review.

8. Will Single Sign-On (SSO) authentication be required for the requested application?

Authentication via University credentials (SSO) may be evaluated as part of the IT Compliance process. The University requires Single Sign-On (SSO) for applications with over 50 users if the vendor is able to support it. There may also be instances where the MU ISO requires it with fewer users, depending on the type of data that is stored or accessed in the application. SSO may be implemented via Shibboleth/SAML or Azure AD, as determined by the UM Authentication Team. If SSO is required for an application, it will be stated in the IT Compliance approval summary you receive after the application has been reviewed. SSO must be implemented before the application goes live in production, and a consultation with your IT department and the vendor may be needed to confirm technical details during the implementation. In addition, some vendors charge a fee to implement SSO, so please discuss this with them and have it added as a line item to your quote.