IT Compliance

What is IT Compliance?

IT Compliance is the act of adhering to established rules, standards, and regulations or specifications to align with university and government expectations. This may include adherence to laws and regulations, sponsor-imposed contract requirements, or internal policy and procedure.

For IT related purchases, as well as changes to existing products and renewals, this service will review applicable requirements, identify steps for meeting obligations, and implement necessary safeguards and countermeasures.

What must go through IT Compliance?

IT Compliance applies to both OneCard and contractual IT related purchases, changes, or renewals.

  • New purchases of IT related products
  • Renewals for IT related products
  • Solutions previously approved for another department
    • Each department use case MUST be reviewed
  • When use cases change or data classification uses change
  • When changes are made to existing IT related products
    • Expansion of users
    • New integrations
    • Additional data points
    • Etc.
  • All software must be approved by IT prior to use - even if the software is free

How long does the compliance review take?

Depending on the documentation needed from the vendor and the vendor’s responsiveness, the process can take six or more weeks. It is always good to let IT know when a request is time sensitive, but that does not mean the process can be rushed.

For example, the length of the process varies with the hosting model and data classification: a review of desktop software handling DCL1 or DCL2 data with a low number of users can take 4 to 5 days, whereas a review of vendor-hosted software handling DCL2 or higher data can take six weeks or more.

Before selecting an IT Solution

Coordination of IT related purchases is essential to maintaining an environment capable of supporting University activities. Significant cost savings are also possible by aggregating purchases of software and integrations and avoiding duplication.

Business Policy Manual (BPM) References and Other Applicable Policies

Frequently Asked Questions

Yes, filter questions must be completed and approved for each renewal. This helps IT keep track of any changes in use, minimize risk to the University and check for any security or regulatory updates.

Yes, all software, hardware, and application purchases must be reviewed and approved by IT Compliance before purchase or renewal. The goals of this policy are to ensure that IT and Telecom purchases, leases, lease-purchases, deployments and consultations meet or exceed each academic and business unit’s objectives for standardization, supportability, sustainability, ADA accessibility, compatibility and information security requirements, and that they are the best solution(s) at the best price. In addition, free software often has hidden operating costs. Please refer to UM Information Technology & Telecommunications Purchases.

Notification will be sent to the requestor that submitted the request.

Yes, because authentication via a username/password is most likely occurring, and that may require further review.

Yes, because your business case may be different from the one previously approved and may require further review. For example, your department might be using the product with Student Data (FERPA) while another department might be using it to collect payments (PCI).

Yes, all pilot, new, or trial software and application purchases, including free versions, must be reviewed and approved by IT Compliance before the pilot/trial begins. Additional documentation may be required from the vendor, such as the University’s FERPA Addendum if the pilot/trial will include FERPA data. Once a pilot project or trial has concluded and been deemed successful, the software or application must be resubmitted for a full IT Compliance review.

Authentication via University credentials (SSO) may be evaluated as part of the IT Compliance process. The University requires Single Sign-On (SSO) for applications with over 50 users if the vendor can support it. There may also be instances where the S&T ISO requires it with fewer users, depending on the type of data that is stored or accessed in the application. SSO may be implemented via Shibboleth/SAML or Azure AD, as determined by the UM Authentication Team. If SSO is required for an application, it will be stated in the IT Compliance approval summary you receive after the application has been reviewed. SSO must be implemented before the application goes live in production, and a consultation with your IT department and the vendor may be needed to confirm technical details during the implementation. In addition, some vendors charge a fee to implement SSO, so please discuss this with them and have it added as a line item on your quote.

If UM Procurement has asked you if you have received IT approval prior to purchasing instrumentation, it is because they have identified an item in your order that is classified as an IT related purchase.