Policy Statement: The purpose of this policy is to describe
responsibilities and processes regarding the procurement, ownership and
tracking of information technology (IT) assets.
Definitions:
Asset: Any piece of
software or hardware in the information technology environment that can be
identified by an IT-related commodity code in the Commonwealth’s accounting
system, or that interfaces directly with the enterprise data network.
This includes, but is not limited to hardware, software, and service offerings.
Kentucky Information
Technology Standards (KITS): The
KITS is comprised of formalized IT standards covering the broad spectrum of
technology environments to include software, hardware, networks, applications,
data, security, access, communications, project management and other relevant
architecture disciplines.
Policy: This policy governs the procurement and
inventory processes used to manage the lifecycle of IT assets, at both the
strategic and operational levels.
IT Services Requests:
Requests for new IT
services or enhancements to existing services shall be submitted by an authorized Agency IT Services
Contact to COT via the Commonwealth Service Desk.
Upon receipt of the request, the CSD will engage the appropriate COT team of
subject matter experts for review. During the review process, COT
reserves the right to request additional information, and/or suggest
alternatives to the request. In cases where COT offers a rated service
that reasonably meets the agency’s requirements, this is the preferred
solution. If COT determines that procurement of additional IT assets is
necessary in order to deliver the desired outcome under a rated service, the
procurement process shall be followed.
Agencies
requesting products or services outside the parameters of the Kentucky Information Technology Standards (KITS) must, regardless of cost, submit a Request for
Exception/Addition/Modification outlining the
business case supporting the purchase. This process is described
in detail at http://technology.ky.gov/Governance/Pages/ExceptionstoArch.aspx.
Procurement:
The procurement process
shall be followed for purchases that provide an agency-specific function, or
that are outside the scope of COT rated
services. Requests for IT assets with a cost of $1,000 or
greater must go through the Strategic Procurement Request (SPR1) review process
prior to purchase.
Ownership and Tracking:
IT assets that have been
purchased by COT and provisioned by a COT rated service will be owned by the
Finance and Administration Cabinet and tracked as inventory by COT. In
addition, COT will track as inventory any asset procured by the Agency prior to
subscribing to the associated COT service. Examples include, but are not
limited to telephone systems and computers purchased for a specific use case.
IT assets that have been
purchased by COT for an agency-specific function and are not provisioned by a
COT rated service will be owned and tracked as inventory by the agency that
initiated the purchase.
IT assets procured by an
agency under delegated, one-time procurement authority from COT will be owned
and tracked by the agency that initiated the purchase.
Authority: KRS 42.726 authorizes the Commonwealth Office
of Technology (COT) to develop policies and compliance processes to support and
promote the effective applications of information technology within the
executive branch of state government.
Applicability: All executive branch agencies and
non-executive branch agencies using COT-managed infrastructure or services must
adhere to this policy. This includes
employees, contractors, consultants, temporaries, volunteers, and other workers
within state government.
Responsibility for Compliance: Each agency must ensure
that staff within their organizational authority are made aware of and comply
with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions
regarding this policy may result in disciplinary action up to and including
dismissal. COT may require additional
service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT is responsible for maintaining this
policy. Organizations may modify this
policy to fulfill their responsibilities, but must obtain approval through an
exception request. Staff should refer to
their internal policy, which may have additional information or clarification.
Review Cycle: COT’s Office of the Chief Compliance Officer
will review this policy at least every two years.