Office of the Chief Information Officer Enterprise Policy
CIO-050: Enterprise Procurement of Information Technology Assets Policy
Effective Date: 12/15/2014
Revision Date: 02/04/2019
Review Date: 03/09/2021
Policy Statement: The purpose of this policy is to describe responsibilities and processes regarding the procurement, ownership and tracking of information technology (IT) assets.
Asset: Any piece of software or hardware in the information technology environment that can be identified by an IT-related commodity code in the Commonwealth’s accounting system, or that interfaces directly with the enterprise data network. This includes, but is not limited to hardware, software, and service offerings. Kentucky Information Technology Standards (KITS): The KITS is comprised of formalized IT standards covering the broad spectrum of technology environments to include software, hardware, networks, applications, data, security, access, communications, project management and other relevant architecture disciplines.
Policy: This policy governs the procurement and inventory processes used to manage the lifecycle of IT assets, at both the strategic and operational levels.
IT Services Requests:
Requests for new IT services or enhancements to existing services shall be submitted by an authorized Agency IT Services Contact to COT via the Commonwealth Service Desk. Upon receipt of the request, the CSD will engage the appropriate COT team of subject matter experts for review. During the review process, COT reserves the right to request additional information, and/or suggest alternatives to the request. In cases where COT offers a rated service that reasonably meets the agency’s requirements, this is the preferred solution. If COT determines that procurement of additional IT assets is necessary in order to deliver the desired outcome under a rated service, the procurement process shall be followed.
Agencies requesting products or services outside the parameters of the Kentucky Information Technology Standards (KITS) must, regardless of cost, submit a Request for Exception/Addition/Modification outlining the business case supporting the purchase. This process is described in detail at http://technology.ky.gov/Governance/Pages/ExceptionstoArch.aspx .
The procurement process shall be followed for purchases that provide an agency-specific function, or that are outside the scope of COT rated services. Requests for IT hardware assets with a cost of $1,000 or greater, and all software assets regardless of cost, must go through the Strategic Procurement Request (SPR1) review process prior to purchase.
Ownership and Tracking:
IT assets that have been purchased by COT and provisioned by a COT rated service will be owned by the Finance and Administration Cabinet and tracked as inventory by COT. In addition, COT will track, as inventory, any asset procured by the Agency prior to subscribing to the associated COT service. Examples include, but are not limited to, telephone systems and computers purchased for a specific use case.
IT assets that have been purchased by COT for an agency-specific function and are not provisioned by a COT rated service will be owned and tracked as inventory by the agency that initiated the purchase.
IT assets procured by an agency under delegated, one-time procurement authority from COT will be owned and tracked by the agency that initiated the purchase.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability: All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance: Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal. COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT is responsible for maintaining this policy. Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request. Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle: COT’s Office of the Chief Compliance Officer will review this policy at least every two years.