Sample IT Purchasing Policy Template

 

Author: Rich Selvidge, CISSP / Last Updated: 12/31/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM

Overview

 

Information Technology purchasing at {COMPANY-NAME} must be managed to ensure compatibility and to control costs of the technology and services requested.

Purpose

 

The purpose of an IT purchasing policy is to define standards, procedures, and restrictions for the purchase of all IT hardware, software, computer-related components, and technical services purchased with {COMPANY-NAME} funds.

 

Purchases of technology and technical services for {COMPANY-NAME} must be approved and coordinated through the IT Department.

Scope

 

The scope of this policy includes, but is not limited to, the following {COMPANY-NAME} technology resources:

 

  • Desktops, laptops, smartphones/PDAs, cell phones, tablets, TCDs, TCRs, and servers
  • Software running on the devices mentioned above
  • Peripheral equipment, such as printers and scanners
  • Cables or connectivity-related devices
  • Audio-visual equipment, such as projectors and cameras

 

This policy extends to technical services, such as off-site disaster recovery solutions and Internet Service Providers (ISPs), as well as professional services, such as consultants and legal professionals hired through the IT Department.

 

These include, but are not limited to, the following:

 

  • Professionals or firms contracted for application development and maintenance
  • Web services provided by a third party
  • Consulting professionals
  • Recruiting services
  • Training services
  • Disaster recovery services
  • Hosted telephone services
  • Telephone network services
  • Data network services

Policy Detail

 

All hardware, software, or components purchased with {COMPANY-NAME} funds are the property of {COMPANY-NAME}. This also includes all items purchased using a personal credit card, for which the employee is later reimbursed.

 

All purchase requests for hardware, software, computer-related components, internet services, or third-party electronic services must be submitted to the IT Department, via the Service Desk, for final purchase approval. If the requested item is already in inventory, then it will be made available to the requestor, assuming that it meets organizational unit goals.

 

For Purchases Within IT

 

A procurement procedure is maintained by the VP of IT. Purchasing within the IT Department falls under four general categories.

 

  • Standard Items
    • Purchase of items, which have been pre-approved by IT management, that require only a Service Desk request.
    • The standard items list, located in the IT procedure documentation, contains pre-approved vendors and products on which {COMPANY-NAME} has standardized. Standard items have been proven to be both supportable by the IT Department and cost effective.
  • Non-Standard Items
    • Purchase of non-standard items/services, which are not classified as capital expenses, such as non-standard hardware/software that is expensed or contracted services.
    • Non-standard purchases should be minimized as much as reasonably possible. Requests for non-standard items will go through a formal selection process that will involve thorough vendor sourcing. IT will review non-standard purchases for viability of support and compatibility.
    • The selection process may vary depending on the type, cost, and other purchase significance factors. Before approval will be granted, employees or departments requesting non-emergency specialized software, or components, must submit a plan detailing how this item will be supported. Support options include assigning a staff member to maintain and/or support the component, arranging for external vendor support, or arranging for a service-level agreement with the IT Department.
    • Individuals requesting non-standard items for purchase can suggest a potential vendor, if a pre-existing relationship exists between that vendor and {COMPANY-NAME}.
  • Capital Expenses
    • Purchase of non-standard capitalized hardware, software, or equipment.
    • Capitalized expenditures, defined as hardware, software, or equipment above $2,500.00 or as specified in the {COMPANY-NAME} Fixed Asset Policy, which are capitalized by {COMPANY-NAME}, must go through the CFO and CEO for approval. These purchases may only be requisitioned by department managers. The purchase selection process for these expenditures will be evaluated by Senior Management.
  • Employee Purchasing
    • Items that do not require any purchase approval.

 

System Replacement

 

Major technology purchases are approved through the budgetary process. Equipment replaced during the course of any period shall be based on a minimum annual review of the asset management program and hardware replenishment schedule, hardware inventory, and fixed asset budget schedules.

 

Asset Management Program

 

Certain classes of {COMPANY-NAME} assets, as defined below (“Qualified Assets” or “Asset”), procured or curated by the {COMPANY-NAME} Information Technology department shall be duly managed with the objective of protecting them from misappropriation and unplanned obsolescence. Methods shall be devised and followed to allow for asset identification, assignment, tracking, lifecycle management, reporting, and disposition.

 

Included asset classes are as follows: Technology equipment, computer hardware, peripherals, and other items purchased by {COMPANY-NAME} IT or managed by same that are:

 

  • semi-permanent in their end-user assignment (example: specific person, department) or purpose (example: loaner laptop, projector) AND
  • valued at greater than $300 AND
  • not high-turnover or frequently moved devices (example: small peripherals such as mice and ID scanners)

 

Reimbursable Expenses

 

Paying for and/or reimbursing employees will be handled with a completed Expense Report submitted to the VP of IT.

 

{COMPANY-NAME} will also include expenses incurred by employees and will reimburse the following, in addition to standard travel expenses, as indicated in the Employee Reimbursement Policy:

 

  • Standard item peripheral hardware
  • Business related shipping/courier expenses

Richard Selvidge, CISSP, ITIL - Cyber Security Expert

Rich Selvidge

Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.
