How to Process Software Agreements at Penn State

September 3, 2015

Presented by:
Danna Bressler, Purchasing Agent
Richel Perretti, Contract Manager, Risk Management

Overview

• Important Policies
• Contract Signature Authority
• Data Categorization Policy
• Determine where to Route Software Agreements
• Purchasing Software Agreement Process
• Risk Management Electronic Software Agreement Process
• Coming Soon: FNG02 Changes for Software Electronic Agreements

Contract Signature Authority

As outlined in Policy FN11, only nine Corporate Officers for Penn State are authorized to sign contracts for the University:

◦ Board President
◦ Board Vice President
◦ Secretary (the University's President)
◦ Treasurer (the University's Senior Vice President for Finance and Business)
◦ the three Assistant Treasurers
◦ Corporate Controller
◦ for Hershey, the Controller of the College of Medicine

Policy Guideline FNG02 outlines specific delegated signature authority:

◦ Office of Sponsored Programs
◦ Office of Technology Management
◦ Purchasing
◦ Other individuals or titles

Excerpt from FNG02 as of 9/3/15:

E. Electronic Agreements

• Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process.
• The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University.
• This one-time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University's acceptance of the agreement.
• Coming Soon: new language to specifically address electronic Software agreements.

Policy AD71 Data Categorization

Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution.

Internal/Controlled: Internal/controlled data are intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution.

Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the

ADG07

Provides examples of data that fall under the data categories in Policy AD71, Data Categorization: https://guru.psu.edu/policies/ADG07.html

Where to Route Software Agreements

Purchasing handles ALL Software/SaaS agreements regardless of payment method, and even if the software is free, UNLESS it is an electronic click-through agreement, in which case Risk Management will process it.

NOTE: Once FNG02 is updated, you should complete the Software Agreement Decision Tool referenced in the updated policy for Electronic Agreements to determine this.

PSU Software Agreement Process

Goal: Authorized Contract

Necessary Steps

◦ Determine what data category(ies) are involved (AD71), whether the vendor or PSU is hosting the software, and who will use the Software (employees, students etc.)
◦ Inquire about the vendor's willingness to negotiate their standard terms and conditions
◦ If Yes: obtain vendor terms and conditions
◦ If No: obtain vendor terms and conditions, adjust expectations accordingly and work toward a potential Plan B
◦ Are there other University approved services that meet the need?
◦ Determine where to route contract: Purchasing or Risk Management
◦ Complete appropriate Cover Sheet and route according to Purchasing or Risk Management Process
◦ Purchasing and Risk Management involve other offices as needed as part of contract review.
◦ IMPORTANT: Supply accurate information on Cover Sheet
◦ Timing / Plan Ahead
◦ Critical to understand what you can/can't do (restrictions)
◦ How will this be communicated to end users?

Contract Process for Purchasing

Process to submit to Purchasing for review and negotiation:

Determine payment method (eBuy PO, SRFC, P-card)

◦ If eBuy PO: attach all agreement documents and Software Agreement Cover Sheet to the requisition
◦ If SRFC, P-card or other method: email agreement and Software Agreement Cover Sheet to purchasesoftware@psu.edu

Purchasing: Software Agreement Cover Sheet

◦ Access Cover Sheet and instructions on how to complete Cover Sheet at: http://www.purchasing.psu.edu/Purchasing/faculty-staff/forms/index.cfm

VIP Areas to be handled with extra attention:

◦ Payment Method
◦ Agreement Type (provides background for Purchasing)
◦ End Users of Product
◦ Data Access/Data Security
◦ Data Categorization/Detailed Description of Data
◦ Credit Card Processing Ability
◦ Integration with existing University Systems
◦ Acknowledgement Section

Purchasing Review/Negotiation Process

Purchasing will review the agreement and determine the next steps.

• Contract Negotiation with the Supplier
• Consultation of PSU Internal Departments

Negotiation of appropriate language

Financial Signoff

◦ Internal controls: active engagement in mitigating the risks associated with the product/service (what can the department do to lower the risks?)

After the contract is signed by Purchasing and Vendor:

◦ Green light for the use case indicated by the initiating department (Data specific and Unit specific, based on the completed Software Agreement Cover Sheet)
◦ Does not open the door to University-wide usage unless reviewed under that context
◦ Changes in how the product/service will be used require additional review (possible contract amendment)

Hosted Sensitive Data Addendum

Hosted Sensitive Data Addendum (HSDA):

• University developed document outlining University minimum requirements for security, liability, insurance, e-discovery issues etc.; serves as the baseline document when a vendor hosts, stores or has access to sensitive University data
• Implemented in 2013; last updated May 2015
• Many offices involved: SOS, Privacy, OGC, Purchasing, Internal Audit, and Risk Management
• Vendor may propose changes to be considered by the University
• HSDA is always required when Restricted data is hosted by the vendor.

Examples of Sensitive Data:

◦ Credit Card Processing data, FERPA, HIPAA, or SSN
◦ RFPs and Bid responses

HSDA Addresses:

Data Security
◦ Ensure appropriate administrative, technical and physical security measures
◦ Servers must be located in the U.S.
◦ Penetration testing
◦ Encrypted backups

Compliance
◦ FERPA, HIPAA (PHI), PCI, SSN (PII)
◦ Data breach notification to University Privacy Office

Protection for University Related to Breaches and Claims
◦ Insurance Requirements including Cyber/Privacy
Risk Management: Electronic Agreement Process

Identify electronic Software Agreement Terms:

• End User License Agreement (EULA) and/or
• Terms of Service; Terms and Conditions

Complete Risk Management Electronic Agreement Cover Sheet: http://controller.psu.edu/sites/default/files/users/risk/docs/Electroniccoversheet.pdf

Be sure to include:

◦ Brief description of Software
◦ Is Vendor Hosting Software or is Software locally loaded on PSU device?
◦ What data category(ies) are involved?
◦ Highest risks are related to functionality of Vendor Hosted Software and when the vendor hosts Restricted data

Email completed cover sheet and electronic Software Agreement Terms to central email: riskcontracts@psu.edu

Excerpt from FNG02 as of 9/3/15 outlining current process: section E, Electronic Agreements, as quoted above.
Coming Soon: new language for Electronic Software Agreements

Subject to the exceptions below, employees are hereby delegated the authority to accept electronic terms and conditions of software/software-as-a-service and application (referred to as "Software") agreements, whether free or procured through use of the Purchasing Card or otherwise where, as defined within University Policy AD71, to the extent that only "Public" or "Internal/Controlled" data will be used or stored within the Software. If an employee accepts such terms, and there is a breach of data or other claim/damages which cause expense to the University, all such resulting expenses shall be borne by the unit whose employee accepted the software/application's terms.

EXCEPTIONS: Employees are not permitted to accept such electronic terms and conditions without a full review by the Risk Management Office pursuant to the requirements of paragraph E.1 above if any of the following situations will occur:

a. If the Software or related support documentation or files are expressly identified by the vendor/provider as controlled under U.S. or foreign export laws or regulations;

b. If the Software, support documentation and/or associated data files will be installed or reside on any portable electronic device, such as a laptop or tablet computer, which will be taken on trips outside of the United States or such Software, support documentation and/or associated data files will be accessed remotely by the user while outside of the United States;

c. If foreign nationals will require access to the software for more than mere operational use of the Software (such as access to installation files and/or source code);

d. If the user intends to use the Software to manipulate, store or manage "Restricted" data (per University Policy AD71);

e. If the use of the Software will generate revenue, regardless of method, for the University; or,

f. If the Software will exchange data with or integrate into any other existing University Information Technology resources or systems.

In order to assist faculty and staff in determining how Software Agreements should be processed, a Software Agreement Decision Tool has been developed which includes questions to determine if any of the above exceptions apply to the Software Agreement. The Software Agreement Decision Tool may be found at (insert link location).

DECISION: ROUTE TO PURCHASING

Answering "No" triggers a series of additional questions that link directly with the changes being made to Policy FNG02 to determine whether:

1. The employee will be delegated signature authority to accept terms electronically on behalf of the University; or
2. Risk Management review is required.

The additional questions identify if any of the exceptions listed in the new FNG02 language apply to the Software use:

If, based on the additional questions, any of the "Exceptions" outlined in the updated FNG02 language for Electronic Agreements apply, then the following "Decision" will be displayed.

DECISION: ROUTE TO RISK MANAGEMENT

If none of the "Exceptions" outlined in the updated FNG02 language for Electronic Agreements apply, then the following

Software Agreement Decision Tool

Also addresses Student Use of Software in Courses:

• Some key questions in the Software Agreement Decision Tool will ask about Software intended for use by Penn State students due to the Software being a required part of a University course. The decision tool will also provide a "Decision" on whether it is acceptable for students to accept these terms without further University review or if further review is required.

Will be available once FNG02 Electronic Agreement language is updated, but should be used for ALL software agreements and not just electronic software agreements.

Expected to be available via GURU.
Takeaways

• Become familiar with related policies and procedures
• Do your best to give as much detailed and correct information as possible when submitting cover sheets to Purchasing or Risk Management.
• Once available, use the Software Agreement Decision Tool

Why is an Authorized Agreement important?

◦ Compliance with University Policy
◦ Actively manage risks associated with Software
◦ Protection for University and its employees

PURCHASING
Danna Bressler, Purchasing Agent
dnr2@psu.edu
814 863 2641

RISK MANAGEMENT
Richel Perretti, Contract Manager
rap126@psu.edu
814 863 5538

Questions?
