IT Procurement

UPDATED March 2022 - please read carefully. 

As outlined in the February 16, 2022, memo emailed to Management Center Leadership, the University has returned to its management center specific processes for spending reviews and approvals of all capital and non-capital expenditures, except for the IT pre-approval process for IT systems and services that

1. will be used for sensitive data as defined in the Data Classification Standard, or
2. involves a contractual commitment on behalf of Duke University, regardless of cost.  These include:

• Software Licenses beyond individual consumer license purchases (purchases from Duke Software Licensing do not need central review)
• Web / Application or Software Development
• External vendor contracts such as AV Integration and IT Consulting

 

The IT purchases outlined above must be reviewed and approved by the Office of Information Technology. The IT Procurement form must be completed prior to purchasing. If you'd like a preview before you start the online form, you can download one here.  You will not have to answer all the questions in this form. The questions are specific based on the product or service you want to purchase. Please note, you cannot submit the PDF, you must complete the IT Procurement form online.

IMPORTANT: The only approved services for cloud storage of Duke data classified as sensitive or restricted as per Duke Data Classification Standard are those listed here: Duke Services and Data Classification.  All other services that will involve cloud storage, or the transit of Duke data from campus to other locations require that a Duke IT Security Office Vendor Risk Assessment be performed.  If there are questions about this process, contact security@duke.edu.

IT Procurement Process to follow

• Step 1: Follow your departmental / unit internal financial and IT approval process
• Step 2: Complete the necessary reviews (see below) before submitting the IT Procurement form
• Step 3: Complete the IT Procurement form
• Step 4: Attach OIT’s approval email to your requisition or send to Procurement representative

The IT Procurement request form must be completed to receive approval. In addition to completing this survey, you must follow your department's internal purchasing processes. You will receive an email when the review process is completed. For additional information and/or questions please send email to it-procurement@duke.edu. 

Preparation

Below is the information you will need to complete the IT Procurement form. You must complete the necessary reviews (see below for links to forms) before submitting the IT Procurement form. 

IMPORTANT: If the service you would like to use stores Duke sensitive and restricted data in a cloud environment, it may not be used unless explicitly listed here.

• Software Licenses beyond individual consumer license purchases (purchases from Duke Software Licensing do not need central review)
• Web / Application or Software Development
• External vendor contracts such as AV Integration and IT Consulting

Software Licensing

• Cost - purchase amount, annual cost, term of license/lease
• Reviews:
  • Information Technology Security Office (ITSO) security review and approval date
  • Security Agreement must be added to contract (this is an output from the ITSO security review)
  • Shibboleth integration form (Sign-on / Security Assertion Markup Language (SAML))
  • If Credit Card integration is needed - eCommerce review and approval date

Web / Application or Software Development

• Cost - one-time, ongoing maintenance, and service level agreement (if needed)
• Departmental proposal
• If URL / Domain exists who is hosting site
• Service Level Information (SLA)
• Where the website will be hosted
• Vendor review / approval data (conducted by University Communications)
• Reviews:
  • Information Technology Security Office (ITSO) security review and approval date
  • Security Agreement must be added to contract (this is an output from the ITSO security review)
  • Shibboleth integration form (Sign-on / Security Assertion Markup Language (SAML))
  • OARC (Office of Audit, Risk & Compliance) review if student data or PII is involved
  • If Credit Card integration is needed - eCommerce review and approval date

Audio Visual

• Cost for integration, consultation, and Design costs; hardware costs (if any), and annual support costs
• Competitive bids from at least 3 vendors
• Reviews:
  • Information Technology Security Office (ITSO) security review and approval date
  • Security Agreement must be added to contract (this is an output from the ITSO security review)
  • Shibboleth integration form (Sign-on / Security Assertion Markup Language (SAML))
  • OARC (Office of Audit, Risk & Compliance) review if student data or PII is involved
• Data - if data is being stored provide the type of data to be stored

 IT Consulting

• Cost of engagement
• Reviews:
  • Information Technology Security Office (ITSO) security review and approval date
  • Security Agreement must be added to contract (this is an output from the ITSO security review)
  • Shibboleth integration form (Sign-on / Security Assertion Markup Language (SAML))
  • OARC (Office of Audit, Risk & Compliance) review if student data or PII is involved
  • If Credit Card integration is needed - eCommerce review and approval date
• Data - if data is being stored provide the type of data to be stored