IT hardware procurement policy
May 17, 2020
A strong hardware procurement policy will ensure that requirements are followed and that all purchases are subject to the same screening and approval processes. This comprehensive policy covers the essential aspects of the purchasing process.
From the policy:
There are many similarities between purchasing software and hardware—evaluations, vetting vendors, conducting RFPs, developing proofs of concept, and handling contract details. However, there are a few noteworthy differences, since hardware is an asset that involves physical elements, wear and tear, maintenance and repair, different upgrade paths, and often the need for security.
Establishing a purchasing authority and approval chain
A purchasing authority (PA) should be established for hardware procurement. The PA can be either an individual or a group (the finance department, for instance). The PA will be responsible for fulfilling hardware purchases, establishing vendors, developing vendor relationships, utilizing discounts/company credit cards, tracking and documenting orders, performing risk analysis, and monitoring for fraud. This will be achieved by recording all purchases and assets and ensuring that physical property is documented and tracked.
The PA should utilize as few vendors as possible to establish consistency and consolidate purchasing power (a preferred vendor can offer better prices or discounts, for example). Similarly, the PA should establish with the IT department a “standard technology” list of preferred servers, desktops, mobile devices, etc., to provide a consistent environment and reduce complexity. The procurement of “nonstandard technology” should be avoided where possible.
Purchases over a set amount (e.g., $500) must be approved by management. Designated management approvers may consist of the finance head, the IT director, or the departmental VP. At least three approvers should sign off on purchases over this set amount. The legal department (if applicable) should also review contract information.
Where applicable, the security office should be consulted to ensure that the product is appropriate for use in your environment and that there are no vulnerability or exposure concerns.
If approved by the IT department, the request should be sent to the PA. IT staff should not directly purchase hardware, with the exception of emergencies on site or at a remote location.
If the hardware request is declined or changed (whether by IT or the PA), the IT department will notify the requestor of the details and reasoning behind this decision.