Last Revision Date: January 19, 2019
Approval Date: DRAFT for Review
Approval Authority: CWRU VP and Chief Information Officer
The purpose of this policy is to define the process by which IT hardware products are reviewed, purchased and maintained, with respect to data security, operational integrity, and long-term sustainability, at Case Western Reserve University.
Coordination with Other Policies and Procedures
In 2016, CWRU published "[Re] Imagining IT, Case Western Reserve University’s Information Technology Strategic Plan" where overall strategy for a centralized IT organization was laid out. The university then created a single IT organization, named University Technology, or [U]Tech for short and began to combine organizational personnel to operate as a single organization within the university.
The [U]Tech organization is responsible for acquiring and maintaining all computer IT hardware and software products purchased by and on behalf of the university, with university funds. Through normative operational planning and budgets, [U]Tech manages IT hardware and software lifecycles on a regular basis, assuring architectural and technical compatibility with existing IT tools and services.
- All computer and IT hardware, acquired with university funds, must be approved through CWRU Procurement purchase order process, in advance of purchase and must be procured, maintained, and disposed of in accordance with [U]Tech standards.
- CWRU will neither install nor support computer and IT hardware that has not been approved in advance of purchase by [U]Tech. This includes the delivery of network services.
- [U]Tech can assist in determining if a school or department already owns hardware and software that meets local needs.
Computer and IT hardware includes two classes of equipment:
- IT Infrastructure: server-class equipment, networked storage, routers, switches, and special purpose equipment supporting multiple users, including audio-visual (classroom displays) and teleconferencing equipment. [U]Tech is the sole source for acquisition and maintenance of such equipment.
- User-centric IT: desktop computers and displays, laptop/notebook computers, tablet computers, printers, scanners, university-purchased smart phones, and other computing and peripheral devices. In both UGEN and schools, many user workstation/computers are replaced as part of the computer refresh cycle.
All offices and departments should contact the [U]Tech Help Desk for any user-centric hardware purchases that do not fall under a computer replacement cycle. Offices and departments purchasing equipment not covered under the replacement cycle must identify funding in advance of the purchase. [U]Tech will request quotes from CWRU primary suppliers, manage the equipment purchase using standard software images, and then install and support the new hardware for both licensing and security controls.
In some cases, and depending on the intended use, [U]Tech may have suitable refurbished hardware on hand that will meet the current need. Please consult with the [U]Tech Help Desk for additional information.
Computer and IT hardware that is not acquired through [U]Tech will not be supported. In order to adhere to licensing and warranty restrictions, [U]Tech will not install university owned software on a non-approved device, nor will[U]Tech perform physical repairs to the device.
Any exceptions for research-centric computing and IT hardware will be reviewed by the [U]Tech Research Computing and Cyber Infrastructure team for approval recommendations to the [U]Tech IT Contracts Team.
University Technology IT Contracts Team: Review hardware purchase contracts for compatibility with strategic plans for IT infrastructure.
University Procurement Office: Enforce this policy at the point of acquisition by university personnel.
IT Infrastructure: IT equipment which supports IT commodity services, such as file servers, application servers, networking equipment
University Funds: Funds budgeted and allotted for IT support, including research funds.
Standards Review Cycle
This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.