On April 4, 2022, the University of Utah Academic Senate approved University Software Rule 4-050B. The new rule applies to all University of Utah entities, including all main campus, Health Sciences and University of Utah Health organizations.

The rule is in effect as of April 4, 2022. U organizations must ensure that software purchased, leased or developed by the university is reviewed for compliance with IT security requirements and accessibility requirements for persons with disabilities.

Covered by the policy/rule

• Units in University of Utah Health Hospitals and Clinics
• Units in the University of Utah
• Software of any cost that is requested for purchase, lease, development or other forms of acquisition
  • And that accesses, manipulates, creates or stores restricted data
• Note: Adherence to Rule 4-050B is recommended, but not required, for software that accesses, manipulates, creates or stores sensitive data as outlined in Rule 4-004C

Not covered by the policy/rule

• Software that resides in a protected environment (PE)
  • E.g., the Center for High Performance Computing’s (CHPC) PE, which provides HIPAA-compliant space for researchers at the University of Utah. CHPC provides hardware, software, tools and support.
• Software approved by the Chief Information Security Officer (CISO) as an exception
• Software that does not contain restricted data
• Software on a device that is not connected to the university network  

Updated software acquisition process

Prior to purchase, lease, development or other forms of software acquisition, university organizations must work with vendors to:

• Complete the Educause Higher Education Vendor Assessment Tool (HECVAT)
• Complete the appropriate questionnaire:
  • On Site Hosted Prospective Supplier Technical Questionnaire
  • Cloud Hosted Prospective Supplier Technical Questionnaire

UIT will assist organizations and vendors as needed. For additional details on the software acquisition process, please visit this IT Knowledge Base article.

Goals of the policy and rule

• Establish a framework for identifying the scope and purpose associated with university software
• Provide the university the opportunity to review the security and accessibility of all software purchased, leased or developed by the university to ensure it meets current information security and accessibility standards
• Promote appropriate collaboration among university administrative, academic and
  U of U Health units on:
  • The purchase, lease, development or other form of acquisition of university software
  • Data and services associated with such software
  • Costs for the proposed software

The rule has been reviewed and approved by the Institutional Policy Committee and Academic Senate.

If you have any questions, please contact UIT Deputy Chief Information Officer Ken Pink at ken.pink@utah.edu or 801-581-3875.