Software Acquisition
- SUBJECT: Software Acquisition
- EFFECTIVE DATE: March 23, 2026
- BOARD POLICY REFERENCE: CS, CR, CT
- RESPONSIBLE DEPARTMENT: Academic Technology Services / Purchasing / Office of General Counsel
PURPOSE
Establish a standardized, secure, and compliant process for the evaluation, procurement, approval, implementation, and lifecycle management of all software used by the Blinn College District (“College District”). This Regulation ensures alignment with College District purchasing requirements and Information Security Administrative Regulations that govern data protection, system integrity, cybersecurity controls, and acceptable use.
SCOPE
This Regulation applies to all College District employees, contractors, vendors, and organizational units involved in the acquisition, installation, or use of software, including but not limited to:
- On-premises software systems
- Cloud-hosted or Software as a Service (SaaS) solutions
- Subscription-based or licensed locally installed software
- Desktop, mobile, or web-based applications
- Any system requiring authentication, network connectivity, or handling protected College District data
No software may be acquired, installed, or used on College District information systems without full compliance with this Regulation.
DEFINITIONS
- Software: Any application, system, platform, cloud service, or executable code used to support instructional, administrative, operational, or technical functions.
- Information System Owner (ISOw): The employee responsible for the functional area and business purpose supported by the software.
- Academic Technology Services (ATS): The department responsible for infrastructure, information security, system integrations, and technical support.
- TX-RAMP: Texas Risk and Authorization Management Program governing security standards for cloud computing services.
4. REGULATION
4.1 Initiation of Request
- Departments must identify the operational needs for new or replacement software.
- A Software Acquisition Intake Form shall be completed and must include:
  - Description of functional need
  - User groups and estimated user count
  - Data elements stored, processed, or transmitted
  - Hosting model (on-premises, SaaS, cloud, hybrid)
  - Integration requirements
  - Accessibility/ADA documentation such as VPAT
- The completed Intake Form must be submitted to the department head and ATS.
4.2 Information Security Review
ATS shall complete a security assessment prior to any procurement activity.
4.2.1 Risk Assessment (RA-01)
- Evaluate data classification and applicable compliance requirements.
- Assess confidentiality, integrity, and availability impacts.
- Document risks and required mitigations.
4.2.2 TX-RAMP Applicability
- All cloud systems must undergo TX-RAMP Level 1 or Level 2 review unless exempt.
- A TX-RAMP Questionnaire must be completed in coordination with the Information Security Officer before acquiring a cloud system.
4.2.3 Information Security Program Compliance (PM-01)
- Verify administrative, physical, and technical safeguards.
- Verify defined security roles, responsibilities, and oversight.
4.2.4 System & Information Integrity (SI-01)
- Review vendor vulnerability management, flaw remediation, monitoring, and alerting.
- Verify patch management processes.
4.2.5 Acceptable Use & Data Protection Compliance
- Ensure compliance with the Information Resources Acceptable Use, Security, and Copyright Infringement Regulation.
- Confirm data is encrypted at rest and in transit.
- Confirm acceptable retention, backup, and disposal practices.
4.3 ADA / Accessibility Requirements
- Software must comply with ADA and accessibility standards.
4.4 Procurement Requirements
4.4.1 Budget Authorization
- All software purchases must follow the College District budget and financial processes.
- Departments must confirm available budget funds.
4.4.2 Purchase Requisition
- After ATS approval, the requestor must submit a Banner Purchase Requisition.
- Required attachments:
  - ATS Security Review outcome
  - Vendor quote
  - TX-RAMP documentation
  - Accessibility documentation
  - Legal agreements or contracts
- All purchases must be processed through Banner Purchasing or an Academic Technology or Purchasing P-card.
- Unauthorized or direct pay purchases are prohibited.
4.4.3 Purchasing Review
- Verify compliance with procurement law, state cooperative contracts (DIR, TIPS), and internal purchasing regulations.
4.5 Legal Review
- All agreements, licenses, EULAs, terms of service, data-processing addenda, or related contractual documents must be reviewed by the Legal Department.
- Legal review must be completed prior to issuing a purchase order or approving software use.
- No employee may accept vendor terms on behalf of the College District without authorized approval.
4.6 Implementation
- ATS or Administrative Computing coordinates installation, configuration, and security hardening.
- Access must follow least-privilege principles and Personnel Security controls.
- Information System Owners must ensure the creation and maintenance of documentation, training materials, and operational procedures.
4.7 Ongoing Monitoring & Lifecycle Management
4.7.1 Continuous Monitoring (CA-07)
- Systems must be monitored in accordance with College District cybersecurity monitoring practices.
- Security incidents or anomalies must be reported through established procedures.
4.7.2 Annual and Renewal Review
- Prior to renewal, ATS and ISOw must review the system’s continued compliance and security posture.
- Renewals follow the same approval process as initial acquisitions.
4.7.3 System Retirement / Decommissioning
- Decommissioning must be coordinated with ATS.
- Data and media must be sanitized following MP-01, MP-06, and College District retention schedules.
- Accounts, licenses, and integrations must be disabled or removed.
ROLES AND RESPONSIBILITIES
- Requesting Department
  - Identify need and complete required documentation
  - Ensure funding availability
  - Maintain operational oversight
- Academic Technology Services
  - Conduct security and compliance review
  - Assess integration, compatibility, and infrastructure impact
  - Support implementation and lifecycle management
- Purchasing
  - Validate procurement method and requisition
  - Issue purchase orders
- Legal Department
  - Review legal and contractual documents
  - Ensure regulatory and contractual compliance
- Information System Owners
  - Maintain compliance with security controls
  - Support monitoring, audits, and incident response
COMPLIANCE AND ENFORCEMENT
Failure to comply with this Regulation may result in:
- Removal or disabling of unauthorized software
- Suspension of system or network access
- Administrative corrective action
- Mandatory reporting to supervisory or regulatory authorities
All software must comply with applicable state and federal laws, College District Board Policy, and Administrative Regulations.