How to Process Software Agreements at Penn State

Transcription

1 How to Process Software Agreements at Penn State SEPTEMBER 3, 2015 PRESENTED BY: DANNA BRESSLER, PURCHASING AGENT RICHEL PERRETTI, CONTRACT MANAGER, RISK MANAGEMENT Overview Important Policies Contract Signature Authority Data Categorization Policy Determine where to Route Software Agreements Purchasing Software Agreement Process Risk Management Electronic Software Agreement Process Coming Soon FNG02 Changes for Software Electronic Agreements Software Agreement Decision Tool 1

2 Contract Signature Authority As outlined in Policy FN11, only nine Corporate Officers for Penn State are authorized to sign contracts for the University: Board President Board Vice President Secretary (the University's President) Treasurer (the University's Senior Vice President for Finance and Business) the three Assistant Treasurers Corporate Controller for Hershey, the Controller of the College of Medicine Contract Signature Authority Policy Guideline FNG02 outlines specific delegated signature authority. Office of Sponsored Programs Office of Technology Management Purchasing Other individuals or titles Electronic Agreements 2

3 Excerpt from FNG02 as of 9/3/15: E. Electronic Agreements Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process. The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University. This one time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University s acceptance of the agreement. Coming Soon new language to specifically address electronic Software agreements. Policy AD71 Data Categorization Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution. Internal/Controlled: Internal/controlled data is intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution. Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution. 3

4 ADG07 Provides examples of data that fall under the data categories in Policy AD71, Data Categorization Where to Route Software Agreements Purchasing or Risk Management? Purchasing handles ALL Software/SaaS agreements regardless of payment method or even if it is free, UNLESS it is an electronic click through agreement and then Risk Management will process. NOTE: Once FNG02 is updated you should complete the Software Agreement Decision Tool referenced in the updated policy for Electronic Agreements to determine this. 4

5 PSU Software Agreement Process Goal: Authorized Contract Necessary Steps Determine what data category(ies) is involved (AD71), is vendor hosting software (or PSU) and who will use the Software (employees, students etc.) Inquire about the vendor s willingness to negotiate their standard terms and conditions If Yes Obtain vendor terms and conditions If No Obtain vendor terms and conditions, adjust expectations accordingly and work toward potential Plan B Are there other University approved services that meet the need? Determine where to route contract: Purchasing or Risk Management Complete appropriate Cover Sheet and route according to Purchasing or Risk Management Process Purchasing and Risk Management involve other offices as needed as part of contract review. IMPORTANT Supply accurate information on Cover Sheet Timing / Plan Ahead Critical to understand what you can/can t do (restrictions) How will this be communicated to end users Contract Process for Purchasing Process to submit to Purchasing for review and negotiation: Determine payment method (ebuy PO, SRFC, P card) If ebuy PO attach all agreement documents and Software Agreement Cover Sheet to the requisition If SRFC, P card or other method agreement and Software Agreement Cover Sheet to purchasesoftware@psu.edu 5

6 Purchasing: Software Agreement Cover Sheet Access Cover Sheet and instructions on how to complete Cover Sheet at: staff/forms/index.cfm VIP Areas to be handled with extra attention Payment Method Agreement Type (provides background for Purchasing) End Users of Product Data Access/Data Security Data Categorization/Detailed Description of Data Credit Card Processing Ability Integration with existing University Systems Acknowledgement Section Purchasing Review/Negotiation Process Purchasing will review the agreement and determine the next steps. Contract Negotiation with the Supplier Consultation of PSU Internal Departments Negotiation of appropriate language Financial Signoff Internal controls Active engagement in mitigating the risks associated with the product/service (what can the department do to lower the risks?) After the contract is signed by Purchasing and Vendor Green light for the use case indicated by the initiating department (Data specific and Unit specific based on completed Software Agreement Cover Sheet) Does not open the door to University wide usage unless reviewed under that context Changes on how product/service will be used requires additional review (possible contract amendment) 6

7 Hosted Sensitive Data Addendum Hosted Sensitive Data Addendum (HSDA): University developed document outlining University minimum requirements for security, liability, insurance, e discovery issues etc. and serves as baseline document when vendor hosts, stores or has access to sensitive University data Implemented in 2013; last updated May 2015 Many offices involved: SOS, Privacy, OGC, Purchasing, Internal Audit, and Risk Management Vendor may propose changes to be considered by University HSDA is always required when Restricted data is hosted by vendor. Examples of Sensitive Data: Credit Card Processing data, FERPA, HIPPA, or SSN RFPs and Bid responses HSDA Addresses: Data Security Ensure appropriate administrative, technical and physical security measures Location of servers must be located in U.S. Penetration testing Encrypted backups Compliance FERPA, HIPAA (PHI), PCI, SSN (PII) Data breach notification to University Privacy Office Protection for University Related to Breaches and Claims Insurance Requirements including Cyber/Privacy Indemnification, Limitation of Liability and E Discovery 7

8 Risk Management: Electronic Agreement Process Identify electronic Software Agreement Terms End User License Agreement (EULA) and/or Terms of Service; Terms and Conditions Complete Risk Management Electronic Agreement Cover Sheet Be sure to include: Brief description of Software Is Vendor Hosting Software or is Software locally loaded on PSU device? What data category(ies) is involved? Highest risks is related to functionality of Vendor Hosted Software and when vendor hosts Restricted data completed cover sheet and electronic Software Agreement Terms to central Excerpt from FNG02 as of 9/3/15 outlining current process: E. Electronic Agreements Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process. The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University. This one time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University s acceptance of the agreement. 8

9 Coming Soon new FNG02 language for Electronic Software Agreements Subject to the exceptions below, employees are hereby delegated the authority to accept electronic terms and conditions of software/software-as-a-service and application (referred to as Software ) agreements, whether free or procured through use of the Purchasing Card or otherwise where, as defined within University Policy AD71, to the extent that only Public or Internal/Controlled data will be used or stored within the Software. If an employee accepts such terms, and there is a breach of data or other claim/damages which cause expense to the University, all such resulting expenses shall be borne by the unit whose employee accepted the software/application s terms. EXCEPTIONS: Employees are not permitted to accept such electronic terms and conditions without a full review by the Risk Management Office pursuant to the requirements of paragraph E.1 above if any of the following situations will occur: Cont. Coming Soon new language for Electronic Software Agreements a. If the Software or related support documentation or files are expressly identified by the vendor/provider as controlled under U.S. or foreign export laws or regulations; b. If the Software, support documentation and/or associated data files will be installed or reside on any portable electronic device, such as a laptop or tablet computer, which will be taken on trips outside of the United States or such Software, support documentation and/or associated data files will be accessed remotely by the user while outside of the United States; c. If foreign nationals will require access to the software for more than mere operational use of the Software (such as access to installation files and/or source code); d. If the user intends to use the Software to manipulate, store or manage Restricted data (per University Policy AD71); e. If the use of the Software will generate revenue, regardless of method, for the University; or, f. If the Software will exchange data with or integrate into any other existing University Information Technology resources or systems. In order to assist faculty and staff in determining how Software Agreements should be processed, a Software Agreement Decision Tool has been developed which includes questions to determine if any of the above exceptions apply to the Software Agreement. The Software Agreement Decision Tool may be found at (insert link location). 9

10 Coming Soon 10

11 DECISION ROUTE TO PURCHASING Answering No triggers a series of additional questions that link directly with the changes being made to Policy FNG02 to determine whether: 1. The employee will be delegated signature authority to accept terms electronically on behalf of the University; or 2. if Risk Management review is required. The additional questions identify if any of the exceptions listed in the new FNG02 language applies to the Software use: Determining if any identified Export Control issues apply Determining if Restricted data (as defined in Policy AD71) is involved Determine if Software integrates with any existing IT systems Determine if use of Software will generate any revenue 11

12 If based on the additional questions any of the Exceptions outlined in the updated FNG02 language for Electronic Agreements apply, then the following Decision will be displayed. DECISION ROUTE TO RISK MANAGEMENT If none of the Exceptions outlined in the updated FNG02 language for Electronic Agreements apply, then the following Decision will be displayed. DECISION CLICK AWAY! 12

13 Software Agreement Decision Tool Also addresses Student Use of Software in Courses: Some key questions in the Software Agreement Decision Tool will ask about Software intended for use by Penn State students due to the Software being a required part of a University course. The decision tool will also provide a Decision on whether it is acceptable for students to accept these terms without further University review or if further review is required. Will be available once FNG02 Electronic Agreement language is updated, but should be used for ALL software agreements and not just electronic software agreements. Expected to be available via GURU Takeaways Become familiar with related policies and procedures Do your best to give as much detailed and correct information when submitting cover sheets to Purchasing or Risk Management. Once available use the Software Agreement Decision Tool Why is an Authorized Agreement important? Compliance with University Policy Actively manage risks associated with Software Protection for University and its employees Internal Audit 13

14 Questions? PURCHASING Danna Bressler Purchasing Agent RISK MANAGEMENT Richel Perretti Contract Manager