SaaS: The Software Risk Assessment process

What does it involve?

The Software Risk Assessment (SRA) is the University's process for reviewing software to ensure it meets Cyber Essentials security requirements and upholds the University's IT and data standards.

Colleagues with expertise in IT Security, Systems Architecture, Data Governance, and Procurement, will assess your request and provide guidance to ensure the solution you purchase does not put you and the University at any undue risk.

The process involves five stages up to go-live, followed by ongoing management (Stage 6), and can take anywhere from a few weeks to several months to complete.

Please note: The timescales listed below will vary depending on how responsive the vendor is when working with LU colleagues, and on the requester's availability to answer follow-up questions.

The Software Risk Assessment does not apply to software installed on lab computers or to desktop applications.

Stage 1: Review

Timescales from submission: Approx one day to one week. 

Complete and submit the SaaS request form. 

Business Partnering (BP) will assess your request and guide you to ensure the solution you purchase does not put you or the University at any undue risk. This will also include validating whether you require the assistance of the Change Team to review your business processes.

If your software requires integration with existing systems, this is likely to be an IT Services project and may require resource from various teams. This will need to be prioritised against our portfolio of projects. BP will help you build the business case to obtain approval for any additional IT resources required via the IT Portfolio Board.

The review is conducted by the Business Partnering team.

Links: SaaS request form; SaaS request form guidance; Change Team

Stage 2: Data assessment 

Timescales from submission: Approx two weeks to one month+ 

Do I need to do a Data Protection Impact Assessment (DPIA)? Answer: if you are sharing personal data with the supplier, the answer is almost certainly yes.

Review data sharing requirements with your appropriate Data Co-ordinator and undertake a data risk assessment for approval from the appropriate Data Steward.

Consider what data you will be sharing with the software supplier:

  • Are you sharing any personal data with the supplier?
  • Why are you sharing this data?
  • Do you have consent, or another lawful basis, to share this data?

Please refer to the DPIA process below for further guidance and template forms.  

The data assessment is conducted by Data Stewards in HR (staff data) and Academic Registry (student data).

Please note: The Data Co-ordinators page is internal, so sign-in will be required. If accessing it from off-campus, VPN access is also required.

Links: How to complete a DPIA; Data Co-ordinators for Schools and Services

Stage 3: IT security and integration assessment 

Timescales from submission: Approx one week to one month+  

This assessment runs in parallel with the data assessment (Stage 2).

Business Partnering will work with IT Services colleagues to review the security and architecture elements of the proposed solution. IT Services will contact the supplier of the SaaS with a list of security and architecture questions.

This will include a review of the supplier's Multi-Factor Authentication (MFA) and Single Sign-On (SSO) capabilities.

This stage will also include sign-off with Procurement (purchasing), where applicable.

The security and integration assessments are conducted by the IT Security, Enterprise Architecture and Middleware teams within IT Services, together with Procurement.

Links: Should the software use SSO or MFA?

Stage 4: Approval 

Timescales from submission: Approx one week to one month+ 

Following the assessments in Stage 3, the approval stage summarises the identified risks and captures them in the Risk Advisory Document for the business approver (Head of Department or Operations Manager) to accept and sign off. This document also lists the responsibilities of the Business Owner and any support arrangements that need to be in place for the SaaS.

The approval stage is conducted by the Business Approver.

Stage 5: Implementation - Go live 

Timescales from submission: Approx two weeks to one month+ 

Once you have approval to use the software, you will be able to work with Procurement to purchase the SaaS. However, please ensure Single Sign-On (SSO) is set up before you sign any contract with the vendor, so that access is controlled through University accounts from the outset.

The requester will be required to liaise with the vendor and IT Services to implement the service ready for go-live.

Please note that this setup will require significant time from the requester.

The implementation stage is coordinated by the requester, vendor, and IT Services.


Stage 6: Ongoing management

Once you have implemented a solution, you will need to work with the Cloud Applications Manager in IT Services on the ongoing management of the software, to ensure that each of the following situations is appropriately managed:

  1. Changes of use, including by new or different users of the software,
  2. Contract renewals,
  3. Support issues (where there is a support plan with IT Services),
  4. Changes to, or issues with, the security and technical implementation,
  5. Ending the use of the software when it is no longer required.

The business approver will need to liaise with IT Services at least annually, as well as when any of the above situations occur.

For any software covered by this process, unless a specific agreement states otherwise, the responsibilities are as follows:

The Business Owner, or an individual specifically delegated to act on their behalf, is responsible for:

  1. Ensuring that there is always an agreed Business Owner, and that IT Services are notified if this changes at any time,
  2. Ensuring there is an ongoing business need to use the software, and that it continues to represent value for money for the university,
  3. Ensuring appropriate communication with the supplier regarding performance, reliability, changes of software functionality, changing business requirements and contract management,
  4. Ensuring appropriate communication with the users of the software within the university to enable them to use the software within the agreed purposes, and to ensure these users do not cause data or security breaches,
  5. Ensuring any data or security breaches are reported as required by IG Policy 9, Management of Information Security Incidents and Review of Policies (Data protection, information security and data privacy, lboro.ac.uk),
  6. Ensuring appropriate User Acceptance Testing is undertaken when changes are made to the use or functions with the software,
  7. Engaging with IT Services, specifically the Cloud Applications Manager, over changes to requirements, use of the system, security and data protection/use, technical changes, terminating the software agreement, and timely notification of any expansion of the use of the software, including for different purposes, new groups of users or continued use beyond the current contracted duration. This includes completing or updating the SRA documentation when requested,
  8. Quality and management of data, including reporting and use of data, and processing of personal data,
  9. Controlling user access to data, including ensuring that only appropriate users have access to the data through creating and removing access to the SaaS, and ensuring that any privileged or system administrative access is controlled and secure,
  10. Making appropriate arrangements for business continuity planning in the event of any incident that stops the software working as expected,
  11. Managing the risks associated with the use of the software.

The Business Owner agrees to undertake these responsibilities when they provide the approval under Stage 4.

IT Services are responsible for:

  1. Advising on technical or security risks with the product, both initially and on an ongoing basis when notified of any changes by the Business Owner, supplier or user community; this includes the authority to disable the use of the software if the risks are deemed unacceptable,
  2. Communicating with the Business Owner at least annually to check whether any of the changes listed under the Business Owner's responsibilities above have occurred,
  3. Monitoring the software at least annually, or when notified under IT Services Responsibility 1, and regularly reviewing the risks resulting from the use of the software to ensure these are assessed and managed on an ongoing basis,
  4. Reporting the risks from software to the IT Risk Committee, and taking any actions directed by that committee,
  5. Building, supporting, developing and technically testing any Single Sign-On (SSO), Multi-Factor Authentication (MFA) and data integration agreed for the software, other than that provided by the supplier,
  6. Providing advice and guidance to the Business Owner, responding to queries about their responsibilities for the software, so that the Business Owner understands these and the consequences of failing to act on them,
  7. Providing, where agreed within the Support Plan, the agreed level of support and service management for the software; this is more typical of larger business applications, or of software that is tightly integrated with staff or student personal data.

Once the software risk assessment has been approved and the software implemented, the Cloud Applications Manager is the point of contact in IT Services for the Business Owner.
