Overview

In order to ensure adherence to university-wide, external, and departmental information security and compliance policies, Provost IT requires that users and departments we support comply with technology purchasing and procurement guidelines. Compliance with these guidelines helps ensure that hardware and software are adequately and properly tracked for audit, security, and warranty purposes. It also ensures that Provost IT can provide quality services while appropriately reducing risk for the university and the departments we support.

Purpose

These guidelines help departments understand the correct procedures for ordering new technology hardware, software, and services in compliance with USC and Provost IT standards. They also help departments understand the reasoning and methodology behind such procedures.

Guidelines

All purchases of technology hardware, software, and labor (i.e. IT contractor, web designer, or similar) must be approved, in advance, by Provost IT. Departments covered under the scope of this policy may not procure their own IT-related hardware, software, or technology professional services (labor) without either a) the purchase being made directly through Provost IT, or b) the quote or purchase being approved, in the form of a documented helpdesk ticket or email, by a staff member from Provost IT before being made.

Types of purchases covered by this policy include, but are not limited to, the following:

  • Desktops laptop computers
  • Tablets, cell phones/smartphones, and hotspot devices
  • Storage devices, including hard drives, solid state drives, and flash drives/portable storage drives
  • Printers with wireless/network capability
  • Purchases of downloadable software, such as Adobe Creative Cloud, AutoCAD, or others
  • Subscriptions to cloud applications, platforms, software, and services of any kind or type, whether free or paid, including but not limited to:
    • Artificial intelligence tools and services
    • Productivity and project management applications
    • Scheduling or calendaring applications other than Office 365 provided by USC/Provost IT
    • Password managers other than 1Password provided directly by Provost IT
    • Todo/task tracking applications
    • Graphic design applications
    • Newsletter platforms
    • Ticketing systems
    • Storage/hosting services or platforms
    • Web design tools and apps
    • Any online services designed to accomplish a business function or purpose
  • Labor or professional services performing any technology-related work, including IT or technology professional services vendors, external web design or development companies, and implementation partners for software or cloud applications
  • Network devices, servers, or IT infrastructure devices

Our criteria for approval includes, but is not limited to, the following characteristics:

  • Security standards: does the company or person providing the service meet Provost IT and university standards for protecting university information? Have they undergone a risk assessment and supplemental evaluation by Provost IT?
  • Encryption capability (for hardware): does the device have the necessary configuration and components to allow for modern hardware-based data encryption? Per USC policy, devices purchased with university funds must have this capability.
  • Alignment with department and university recommendations: does the software, hardware, or vendor meet characteristics and best practices recommended by the university and Provost IT? What type of support is offered?
  • Compatibility with central and department information systems: is the device compatible with existing USC systems, networks and applications? If the item is a service or cloud platform, does it integrate with existing platforms, data systems, and security platforms at USC?
  • Manufacturer reputation and relationship: does the device come from a reputable manufacturer? Does that manufacturer (or an appropriate channel partner) have an existing relationship with USC?

Compliance, Auditing, Violations, and Remediation

It is important to note that even if an item still meets the characteristics above, it may still be prohibited for other reasons. Provost IT will always provide guidance and work with departments to make purchases which comply with these standards and meet departmental technology needs.

Compliance with these guidelines is not optional. Technology purchased in violation of these guidelines may be restricted from being used on or with Provost IT-supported devices and networks. Additionally, such technology will not be allowed to connect or transfer data to and from Provost IT and USC systems.

Scope

This policy applies to all users and departments supported by Provost IT, and to departments, divisions, offices, or teams which receive any level of technology support from Provost IT. More specifically, it applies to any technology hardware or software purchases within these departments made with university funds, including research funds, grants, or funds spent on personal cards with the intent of seeking reimbursement. It also applies to the gifting of information technology hardware, software, or labor of any value.