Information Technology (IT) services include electronic storage, processing or transmitting of data or information, as well as the data or information itself. IT services include, and are not limited to, software, cloud-based software, electronic mail, voice mail, cloud based fax services, databases, digitized information, platforms (mobile PaaS, open PaaS, integration platform as a service (iPaaS), web based subscriptions, website hosting, etc.).
IT services (as compared to general services) involves the supplier’s work or deliverable being the granting of a license or subscription to use a data, software or cloud solution, application, or access a website for a set period of time. When the primary objective of a purchase is to obtain labor from a supplier, that is most likely a general service and not an IT service, even if the labor involves technology or computing.
For example, purchasing a new cloud software/solution/app is IT services. If you hire that same company to provide implementation services, it would still be an IT service because the primary purpose is acquisition of the software.
However, hiring a separate company for implementation services alone would be a general service purchase since the main deliverable of that purchase is their labor.
When purchasing IT services, departments must address a few key issues prior to submission of the requisition such as competitive bidding, data security, privacy, and insurance requirements.
Click each drop down to determine how to coordinate a review with each subject matter area.
IT Service Purchases Process Steps
OIT has enterprise licenses of software available for download without a purchase (see Software and Hardware Resources).
UCOP has negotiated systemwide agreements that you can utilize for some purchases Systemwide IT Agreements. In addition, you can also review the UCI Contracted Supplier list. (Note that buying from a UCI or UCOP agreement satisfies competitive bidding requirements and the Small Business First policy. However, in certain instances a specific software may still require data security, privacy, and insurance reviews).
When purchasing IT services, it is critical to determine whether the supplier will store, transmit or create data on behalf of UCI, or whether the supplier will connect to or have access to UCI systems. Please see OIT's Data Protection Levels webpage for more information.
Suppliers that handle UCI data or have access to systems need to undergo a Supplier Security Review through the Office of Information Technology (OIT). To start that process, complete a Supplier Security Review Questionnaire with the assistance of your Unit Information Security Lead, and email it to email@example.com.
Procurement needs the OIT ticket response advising no special security terms are needed, or the completed Risk Assessment with OIT’s security findings and recommendations. Upload either document to the KFS requisition.
Most suppliers have their own agreements, order forms, or terms that govern their software/subscriptions. When you receive those documents from a supplier, it is important to alert the supplier that UCI as a state university is generally required to use UC system templates and terms. The agreement Procurement will prepare may not be their terms alone.
Suppliers that handles UCI data, or have access to UCI systems, are required to maintain cyber liability insurance to cover the remediation costs of data breaches. If the OIT Risk Assessment determines the supplier will handle:
- P1 level data, the supplier must maintain $500,000 in cyber liability coverage.
- P2 level data, the supplier must maintain $1 million in cyber liability coverage.
- P3 level data, the supplier must maintain $5 million in cyber liability coverage.
- P4 level data, the supplier must maintain $10 million in cyber liability coverage.
If suppliers cannot meet the UC required insurance coverages, or insist on a limitation of liability, the purchase will require additional reviews by Risk Services and Campus Counsel. Please allow for additional time for review of these issues. The assigned Procurement team member will assist with the review process.
Risk Services must review an up-to-date Certificates of Insurance (COI) from the supplier. Please contact Risk Services with questions regarding COI.
Most Information Technology Services require a KFS Requisition. (See PALCard drop-down for situations when PALCard is an option.) In the requisition, please be sure to include pertinent information such as:
- In the Explanation box, include the name of the Supplier, the product name, the term dates of the license/subscription, and how the software will be used.
- Select the most accurate commodity code to ensure the PO routes correctly. IT Service purchases are not “Professional Services”.
The following are the commonly used commodity codes, please use them accordingly:
- 81112500 Computer software licensing, rental Software license - (locally hosted, excluding cloud)
- 81162000 Cloud based software and services
- 81112105 Website- World wide web WWW site operation host services
- 81112103 Website- World wide web WWW site design services
Attachments to upload to the requisition:
- A copy of OIT’s Risk Assessment from the Supplier Security Review, or the ServiceNow ticket response stating that a formal security review is not needed.
- The Order Form or other documentation you received from the Supplier that describes the license/subscription UCI is purchasing.
- All policy-based back-up documentation depending on what is applicable to your purchase (SSPR Form, Federal Fund Forms, Small Business First Forms, etc.).
- Certificate of Insurance, if required (see above).
- Completed Information Technology Purchase Agreement if required (see section above).
PALCard may be used for the purchase of Information Technology Services in limited circumstances:
- The software/solution/subscription is assessed by OIT as a low risk application (does not handle, transmit or store UCI sensitive data, or have access to UCI systems)
- does not require a signed agreement (click-through ok)
- supplier affirms its products/services conform to the accessibility requirements (for additional information, please contact firstname.lastname@example.org) of WCAG 2.0AA and,
- the annual expense is less than $5,000.
Complete the Supplier Security Review Questionnaire and submit to email@example.com as described in the Data Security tab (see above). Please upload the approved low risk assessment to the PCDO scanning image tab in KFS.