Author: Rich Selvidge, CISSP / Last Updated: 12/31/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
Information Technology purchasing at {COMPANY-NAME} must be managed to ensure compatibility and to control costs of the technology and services requested.
The purpose of an IT purchasing policy is to define standards, procedures, and restrictions for the purchase of all IT hardware, software, computer-related components, and technical services purchased with {COMPANY-NAME} funds.
Purchases of technology and technical services for {COMPANY-NAME} must be approved and coordinated through the IT Department.
The scope of this policy includes, but is not limited to, the following {COMPANY-NAME} technology resources:
This policy extends to technical services, such as off-site disaster recovery solutions and Internet Service Providers (ISPs), as well as professional services, such as consultants and legal professionals hired through the IT Department.
These include, but are not limited to, the following:
All hardware, software, or components purchased with {COMPANY-NAME} funds are the property of {COMPANY-NAME}. This also includes all items purchased using a personal credit card, for which the employee is later reimbursed.
All purchase requests for hardware, software, computer-related components, internet services, or third-party electronic services must be submitted to the IT Department, via the Service Desk, for final purchase approval. If the requested item is already in inventory, then it will be made available to the requestor, assuming that it meets organizational unit goals.
A procurement procedure is maintained by the VP of IT. Purchasing within the IT Department falls under four general categories.
Major technology purchases are approved through the budgetary process. Equipment replaced during the course of any period shall be based on a minimum annual review of the asset management program and hardware replenishment schedule, hardware inventory, and fixed asset budget schedules.
Certain classes of {COMPANY-NAME} assets, as defined below (“Qualified Assets” or “Asset”), procured or curated by the {COMPANY-NAME} Information Technology department shall be duly managed with the objective of protecting them from misappropriation and unplanned obsolescence. Methods shall be devised and followed to allow for asset identification, assignment, tracking, lifecycle management, reporting, and disposition.
Included asset classes are as follows: Technology equipment, computer hardware, peripherals, and other items purchased by {COMPANY-NAME} IT or managed by same that are:
Paying for and/or reimbursing employees will be handled with a completed Expense Report submitted to the VP of IT.
{COMPANY-NAME} will also include expenses incurred by employees and will reimburse the following, in addition to standard travel expenses, as indicated in the Employee Reimbursement Policy:
Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.