Policy 4-050: University Software Policy

Purpose and Scope

1. Purpose: The purpose of this Policy is to establish a framework for the definition, scope and purpose of governance of University Software (as defined in this Policy) for the University of Utah (including University of Utah Health). This Policy defines what software is considered to be University Software. In addition, this Policy and associated Rules govern certain specified aspects of how University Software is to be used by the various units at the University.

   1. It is important to understand the scope of University Software in order to calculate accurate costs associated with acquiring the software. Scope is determined by the number of University units that will utilize the software and the number of students, faculty, staff, and guests who will utilize the software.

   2. Understanding the purpose of the University Software will help to ensure the University does not currently own the same or similar software, and to ensure that the intrinsic “delivered functionality” of currently-owned software is investigated before purchasing new software. This will help ensure that University resources are not wasted by repurchasing or developing functionality already owned.

2. Scope: This Policy applies to all University of Utah units, including all administrative, academic and health care units. This Policy applies to all University Software, whether purchased, developed, leased or rented, including both on-premises software as well as cloud-based software. Neither this Policy nor its associated Regulations are intended to apply to restrict the acquisition or use, by individual members of the University community, of software that is not University Software (as defined herein).

Definitions

These definitions apply for the limited purposes of this Policy and any associated University Rules and other types of University Regulations.

1. Software, and specific types of software, are defined as follows:

   1. Software —

      1. can be executed on a local workstation or server as well as on either a public or private cloud; and

      2. can access, delete or create public, restricted, or sensitive data as well as PHI (Protected Health Information) and HIPAA (Health Insurance Portability and Accountability Act) and University IP (Intellectual Property) data.

   2. System software — serves as a base for application software. System software includes device drivers, operating systems (OSs), compilers, disk formatters, text editors and utilities helping the computer to operate more efficiently. It is also responsible for managing hardware components and providing basic non-task-specific functions.

   3. Programming software — is a set of tools to aid developers in writing programs. The various tools available include compilers, linkers, debuggers, interpreters and text editors.

   4. Application software — is intended to perform certain tasks. Examples of application software include office suites, gaming applications, database systems and educational software. Application software can be a single program or a collection of small programs. This type of software is what consumers most typically think of as "software."

2. University Software — is any software that is purchased, leased, or developed, or otherwise acquired by a University of Utah administrative or academic unit, for use by that University unit. It does not include software that is developed or acquired by an individual member of the University community (including any student, employee, or volunteer) without use of University funds or resources, for such individual person’s private use.

3. University Enterprise Software — is a type of University Software defined further in University Rule 4-050A University Enterprise Software.

4. Total Cost of Ownership (TCO) of software — includes the costs involved for the purchase, lease, development, or other form of acquisition of software; costs for installation, and/or support of the software throughout the expected period of use by the University; and costs associated with integration of the software to other University IT systems.

Policy

1. It is in the best interests of the University to appropriately manage the acquisition or development of University Software, its use, and its replacement.

   This Policy and associated Rules and Guidelines are intended to guide University units and administrators in managing University Software so as to ensure that software resources of the University are acquired or developed, deployed and used, and replaced, in accordance with best practices, to effectively and efficiently carry out the functions of the University’s various academic and administrative units to best serve the overall missions of the University.

2. [Reserved]

   [User Note: The original version of this Policy, adopted in 2019, is intended to serve as a foundation for development of University Regulations regarding management of University Software. Initially, the Policy will serve as a foundation for new University Rule 4-050A regarding University Enterprise Software. It is anticipated that additional Rules and Guidelines will be developed as needed, and that this Policy will itself be further expanded and otherwise revised, as needed. For further information, contact the office of the Chief Information Officer.]

   1. Refer to Policy 4-004 University of Utah Information Security Policy regarding the safeguarding of all data and applications purchased, leased, or developed (written).

   2. Refer to guideline G4-004D regarding the use and approval of all cloud- based services.

[Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information – the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]

Rules, Procedures, Guidelines, Forms, and other related resources.

1. Rule 4-050A University Enterprise Software

2. Rule 4-050B University Software

References

1. See Policy 4-004 — University of Utah Information Security Policy, regarding the safeguarding of all data and applications purchased, leased, or developed (written).

2. See University Guideline G4-004D regarding the use and approval of all cloud- based services.

Contacts

The designated contact officials for this Policy are:

1. Policy Owners (primary contact person for questions and advice): University Deputy Chief Information Officer (DCIO)

2. Policy Officers: University CIO

   These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:

   “The ‘Policy Officer’ will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases…”

   “The Policy Officer will identify an ‘Owner’ for each policy. The policy owner is an expert on the policy topic who may respond to questions about, and provide interpretation of the policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to who the President or a Vice President has delegated such authority for a specified area of University operations. The owner has primary responsibility for maintaining the relevant portions of the regulations library… [and] bears the responsibility for determining which reference material are helpful in understanding the meaning and requirements of particular policies.

   University Rule 1-001-III-B & E

History

1. Current version-- Revision 1.0.

   1. Approved by Academic Senate April 29, 2019

   2. Approved by Board of Trustees June 11, 2019

   3. Effective date July 1, 2019