How to Process Software Agreements at Penn State
SEPTEMBER 3, 2015
PRESENTED BY:
DANNA BRESSLER, PURCHASING AGENT
RICHEL PERRETTI, CONTRACT MANAGER, RISK MANAGEMENT
Overview
Important Policies
◦ Contract Signature Authority
◦ Data Categorization Policy
Determine where to Route Software Agreements
• Purchasing Software Agreement Process
• Risk Management Electronic Software Agreement Process
Coming Soon
◦ FNG02 Changes for Software Electronic Agreements
Contract Signature Authority
As outlined in Policy FN11, only nine Corporate Officers for Penn State are authorized to sign contracts for the University:
◦ Board President
◦ Board Vice President
◦ Secretary (the University's President)
◦ Treasurer (the University's Senior Vice President for Finance and Business)
◦ the three Assistant Treasurers
◦ Corporate Controller
◦ for Hershey, the Controller of the College of Medicine
Contract Signature Authority
Policy Guideline FNG02 outlines specific delegated signature authority.
◦ Office of Sponsored Programs
◦ Office of Technology Management
◦ Purchasing
◦ Other individuals or titles
Excerpt from FNG02 as of 9/3/15:
E. Electronic Agreements
• Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process.
• The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University.
• This one-time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University's acceptance of the agreement.
• Coming Soon - new language to specifically address electronic Software agreements.
Policy AD71 - Data Categorization
Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution.
Internal/Controlled: Internal/controlled data is intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution.
Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the
ADG07: Provides examples of data that fall under the data categories in Policy AD71, Data Categorization
https://guru.psu.edu/policies/ADG07.html
Where to Route Software Agreements
Purchasing handles ALL Software/SaaS agreements regardless of payment method, even if the software is free, UNLESS it is an electronic click-through agreement, in which case Risk Management will process it.
◦ NOTE: Once FNG02 is updated you should complete the Software Agreement Decision Tool referenced in the updated policy for Electronic Agreements to determine this.
PSU Software Agreement Process
Goal: Authorized Contract
Necessary Steps
◦ Determine what data category(ies) is involved (AD71), whether the vendor (or PSU) is hosting the software, and who will use the Software (employees, students, etc.)
◦ Inquire about the vendor's willingness to negotiate their standard terms and conditions
◦ If Yes - Obtain vendor terms and conditions
◦ If No - Obtain vendor terms and conditions, adjust expectations accordingly and work toward a potential Plan B
◦ Are there other University approved services that meet the need?
◦ Determine where to route contract: Purchasing or Risk Management
◦ Complete appropriate Cover Sheet and route according to Purchasing or Risk Management Process
◦ Purchasing and Risk Management involve other offices as needed as part of contract review.
◦ IMPORTANT - Supply accurate information on Cover Sheet
◦ Timing / Plan Ahead
◦ Critical to understand what you can/can't do (restrictions)
◦ How will this be communicated to end users
Contract Process for Purchasing
Process to submit to Purchasing for review and negotiation:
Determine payment method (eBuy PO, SRFC, P-card)
◦ If eBuy PO - attach all agreement documents and Software Agreement Cover Sheet to the requisition
◦ If SRFC, P-card or other method - email agreement and Software Agreement Cover Sheet to purchasesoftware@psu.edu
Purchasing: Software Agreement Cover Sheet
◦ Access Cover Sheet and instructions on how to complete Cover Sheet at:
http://www.purchasing.psu.edu/Purchasing/faculty-staff/forms/index.cfm
VIP Areas to be handled with extra attention
◦ Payment Method
◦ Agreement Type (provides background for Purchasing)
◦ End Users of Product
◦ Data Access/Data Security
◦ Data Categorization/Detailed Description of Data
◦ Credit Card Processing Ability
◦ Integration with existing University Systems
◦ Acknowledgement Section
Purchasing Review/Negotiation Process
• Purchasing will review the agreement and determine the next steps.
• Contract Negotiation with the Supplier
• Consultation of PSU Internal Departments
• Negotiation of appropriate language
• Financial Signoff
◦ Internal controls - Active engagement in mitigating the risks associated with the product/service (what can the department do to lower the risks?)
After the contract is signed by Purchasing and Vendor
◦ Green light for the use case indicated by the initiating department (Data specific and Unit specific, based on the completed Software Agreement Cover Sheet)
◦ Does not open the door to University-wide usage unless reviewed under that context
◦ Changes in how the product/service will be used require additional review (possible contract amendment)
Hosted Sensitive Data Addendum
Hosted Sensitive Data Addendum (HSDA):
• University developed document outlining University minimum requirements for security, liability, insurance, e-discovery issues etc.; serves as the baseline document when a vendor hosts, stores or has access to sensitive University data
• Implemented in 2013; last updated May 2015
• Many offices involved: SOS, Privacy, OGC, Purchasing, Internal Audit, and Risk Management
• Vendor may propose changes to be considered by University
• HSDA is always required when Restricted data is hosted by vendor.
Examples of Sensitive Data:
◦ Credit Card Processing data, FERPA, HIPAA, or SSN
◦ RFPs and Bid responses
HSDA Addresses:
Data Security
◦ Ensure appropriate administrative, technical and physical security measures
◦ Servers must be located in the U.S.
◦ Penetration testing
◦ Encrypted backups
Compliance
◦ FERPA, HIPAA (PHI), PCI, SSN (PII)
◦ Data breach notification to University Privacy Office
Protection for University Related to Breaches and Claims
◦ Insurance Requirements including Cyber/Privacy
Risk Management: Electronic Agreement Process
Identify electronic Software Agreement Terms
• End User License Agreement (EULA) and/or
• Terms of Service; Terms and Conditions
Complete Risk Management Electronic Agreement Cover Sheet
http://controller.psu.edu/sites/default/files/users/risk/docs/Electroniccoversheet.pdf
Be sure to include:
◦ Brief description of Software
◦ Is Vendor Hosting Software or is Software locally loaded on PSU device?
◦ What data category(ies) is involved?
◦ Highest risks - related to functionality of Vendor Hosted Software and when vendor hosts Restricted data
Send completed cover sheet and electronic Software Agreement Terms to central email: riskcontracts@psu.edu
Excerpt from FNG02 as of 9/3/15 outlining current process:
E. Electronic Agreements
• Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process.
• The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University.
• This one-time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University's acceptance of the agreement.
Coming Soon - new language for Electronic Software Agreements
Subject to the exceptions below, employees are hereby delegated the authority to accept electronic terms and conditions of software/software-as-a-service and application (referred to as "Software") agreements, whether free or procured through use of the Purchasing Card or otherwise where, as defined within University Policy AD71, to the extent that only "Public" or "Internal/Controlled" data will be used or stored within the Software. If an employee accepts such terms, and there is a breach of data or other claim/damages which cause expense to the University, all such resulting expenses shall be borne by the unit whose employee accepted the software/application's terms.
EXCEPTIONS: Employees are not permitted to accept such electronic terms and conditions without a full review by the Risk Management Office pursuant to the requirements of paragraph E.1 above if any of the following situations will occur:
Coming Soon - new language for Electronic Software Agreements (Cont.)
a. If the Software or related support documentation or files are expressly identified by the vendor/provider as controlled under U.S. or foreign export laws or regulations;
b. If the Software, support documentation and/or associated data files will be installed or reside on any portable electronic device, such as a laptop or tablet computer, which will be taken on trips outside of the United States or such Software, support documentation and/or associated data files will be accessed remotely by the user while outside of the United States;
c. If foreign nationals will require access to the software for more than mere operational use of the Software (such as access to installation files and/or source code);
d. If the user intends to use the Software to manipulate, store or manage "Restricted" data (per University Policy AD71);
e. If the use of the Software will generate revenue, regardless of method, for the University; or,
f. If the Software will exchange data with or integrate into any other existing University Information Technology resources or systems.
In order to assist faculty and staff in determining how Software Agreements should be processed, a Software Agreement Decision Tool has been developed which includes questions to determine if any of the above exceptions apply to the Software Agreement. The Software Agreement Decision Tool may be found at (insert link location).
DECISION - ROUTE TO PURCHASING
Answering "No" triggers a series of additional questions that link directly with the changes being made to Policy FNG02 to determine whether:
1. The employee will be delegated signature authority to accept terms electronically on behalf of the University; or
2. Risk Management review is required.
The additional questions identify if any of the exceptions listed in the new FNG02 language applies to the Software use:
If, based on the additional questions, any of the "Exceptions" outlined in the updated FNG02 language for Electronic Agreements apply, then the following "Decision" will be displayed.
DECISION - ROUTE TO RISK MANAGEMENT
If none of the "Exceptions" outlined in the updated FNG02 language for Electronic Agreements apply, then the following
Software Agreement Decision Tool
• Also addresses Student Use of Software in Courses:
• Some key questions in the Software Agreement Decision Tool will ask about Software intended for use by Penn State students due to the Software being a required part of a University course. The decision tool will also provide a "Decision" on whether it is acceptable for students to accept these terms without further University review or if further review is required.
• Will be available once FNG02 Electronic Agreement language is updated, but should be used for ALL software agreements and not just electronic software agreements.
• Expected to be available via GURU
Takeaways
- Become familiar with related policies and procedures
- Do your best to give as much detailed and correct information as possible when submitting cover sheets to Purchasing or Risk Management.
- Once available, use the Software Agreement Decision Tool
Why is an Authorized Agreement important?
◦ Compliance with University Policy
◦ Actively manage risks associated with Software
◦ Protection for University and its employees
PURCHASING
Danna Bressler, Purchasing Agent
dnr2@psu.edu
814-863-2641
RISK MANAGEMENT
Richel Perretti, Contract Manager
rap126@psu.edu
814-863-5538
Questions?