Procurement and/or Development of Administrative Systems/Applications

I. SCOPE

This policy applies to all George Mason University faculty and staff who may authorize the acquisition of information services and applications on behalf of the university.

II. POLICY STATEMENT

All procurement and/or development of software applications, or information services that will use Mason data or integrate with Mason’s administrative systems must be reviewed and approved by the Purchasing Department and Architecture Standards Review Board (ASRB) in advance of purchase or development. This review is required for all new services, or significant changes to existing services; depth of the review is based upon financial and technical thresholds. The intent is to verify compliance with federal, state, and university policies; reduce duplication of services; validate that appropriate implementation and support resources are available; and ensure compatibility with existing systems. Research applications that will not use Mason data or integrate with Mason systems must comply with all applicable policies, but are exempt from ASRB review.

Policy 2106 delegates purchasing authority for dollar amounts of $5,000 or less to certain employees at the department level. Purchases of $5,000 or less are not routed to the Purchasing Department for approval. Departments are responsible for ensuring that all purchases comply with Mason’s purchasing policies and regulations, and may not accept, sign, or approve terms of use that may include purchasing and/or legal terms and conditions that are not acceptable to the University (such as indemnification of a vendor, governing law of another state, payment of attorney’s fees, waiver of sovereign immunity, etc.). If a Department requires assistance with a purchase, including negotiations of terms and conditions, they are responsible for contacting the Purchasing Department at purch1@gmu.edu.

Proposed additions of services and software applications that are not deemed appropriate by the ASRB will not be approved for purchase, development, or implementation by any university unit.

III. DEFINITIONS

Architecture Standards Review BoardA committee of University employees charged with the responsibility of reviewing and approving proposed acquisitions of software applications and information services. The Board includes representatives from Information Technology Services, Purchasing, and the Assistive Technology Initiative.

Data Steward: A university employee responsible for stewardship of protected data as defined in University Policy 1114 Data Stewardship.

Department Representative: Any university employee, contractor, affiliate, or duly authorized member of the community with the authority to request the procurement or development of information services or software applications.

Information Service: In this context, refers to any vendor-provided service employing a combination of information technology and people to store, process, and/or transmit Mason data.

Protected Data: Highly Sensitive Data or Restricted Data, as defined by University Policy 1114 Data Stewardship.

Software Applications: Computing software designed to carry out a specific task, or tasks, other than those related to the operation of the computer itself.

IV. RESPONSIBILITIES

Architecture Standards Review Board: The ASRB is responsible for the review and approval of software applications and information services in advance of purchase or development, regardless of cost or purchase price.  This review will encompass the following items: a) ensure compatibility with the current technology architecture; b) verify compliance with accessibility and security standards; c) verify compliance with federal, state and university policies; d) ensure the proposed solution does not duplicate existing services and applications; and e) validate that appropriate implementation and support resources are available.

Data StewardThe data steward works in conjunction with the ASRB to ensure the project complies with applicable data stewardship policies, procedures, and regulations in place at the federal, state or university level.

Department RepresentativeEvaluates and documents the business or academic needs to be addressed by the proposed service or application. The department representative is responsible for preparing required documentation and submitting an ASRB service request.

Purchasing Department: Administers all university purchases greater than $5,000. The Purchasing Department will assist the ASRB by confirming with the Department that applicable purchases that exceed $5,000 have received appropriate review and approval by the ASRB prior to procurement. If approval has not been granted, the Purchasing Department will not process the purchase requisition until proper review has taken place. The Department is ultimately responsible for confirming that their purchase complies with the ASRB requirements.

Vice President/Chief Information Officer: Reviews ASRB recommendations for requests involving high risk and complexity, and issues a decision factoring in resource availability, risk, and the university’s strategic direction. Serves as an escalation point for requests initially rejected by the ASRB.

V. COMPLIANCE

Information services and software applications found to be installed and operating without the approval of the ASRB are in violation of this policy and will be subject to appropriate corrective action, including deactivation and potential removal from the university’s systems and network.

VI. EFFECTIVE DATE AND APPROVAL

The policies herein are effective July 21, 2008. This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.

Approved:

__/S_____________________
Carol D. Kissal
Senior Vice President, Administration and Finance

__/S___________________
Mark R. Ginsberg
Provost and Executive Vice President

Date approved: July 21, 2008
Revised: May 18, 2021