SaaS: The Software Risk Assessment process

What does it involve?

The Software Risk Assessment (SRA) is the University's process for reviewing software to ensure it meets Cyber Essentials security requirements and upholds the University's IT and data standards.

Colleagues with expertise in IT Security, Systems Architecture, Data Governance, and Procurement will assess your request and provide guidance to ensure the solution you purchase does not put you and the University at any undue risk.

The process involves five stages and can take anywhere from a few weeks to several months to complete.

Please note: The timescales listed below will differ depending on how responsive the vendor is when working with LU colleagues, and on the requestor's availability to answer follow-up questions.

The Software Risk Assessment does not apply to lab computers and desktop applications.

Stage 1: Review

Timescales from submission: Approx one day to one week. 

Complete and submit the SaaS request form. 

Business Partnering (BP) will assess your request and guide you to ensure the solution you purchase does not put you and the University at any undue risk. This will also include validating whether you require the assistance of the Change Team to review your business processes.

If your software requires integration with existing systems, this is likely to be an IT Services project and may require resources from various teams. This will need to be prioritised against our portfolio of projects. BP will help you build the business case to obtain approval for any additional IT resources required via the IT Portfolio Board.

The review is conducted by the Business Partnering team.

Related links: SaaS request form; SaaS request form guidance; Change Team

Stage 2: Data assessment 

Timescales from submission: Approx two weeks to one month+ 

Do I need to do a Data Protection Impact Assessment (DPIA)? Answer: if you’re sharing data, chances are YES.

Review data sharing requirements with your appropriate Data Co-ordinator and undertake a data risk assessment for approval from the appropriate Data Steward.

Consider what data you will be sharing with the software supplier:

  • Are you sharing any personal data with the supplier?
  • Why are you sharing this data?
  • Do you have consent to share this data? 

Please refer to the DPIA process below for further guidance and template forms.  

The data assessment is conducted by Data Stewards in HR (staff data) and Academic Registry (student data).

Please note: The Data Co-ordinators page is for internal access only and sign-in will be required. If accessing from off campus, VPN access is also required.

Related links: How to complete a DPIA; Data Co-ordinators for Schools and Services

Stage 3: IT security and integration assessment 

Timescales from submission: Approx one week to one month+  

This assessment is carried out in parallel with the data assessment.

Business Partnering will work with IT Services colleagues to review the security and architecture elements of the proposed solution. We will contact the supplier of the SaaS and ask them a list of questions. 

This will include a review of their Multi-Factor Authentication (MFA) or Single Sign On (SSO) capabilities. 

This stage will also include sign-off with Procurement (purchasing), where applicable.

The security and integration assessments are conducted by the IT Security, Enterprise Architecture and Middleware teams, within IT Services, and Procurement. 

Related link: Should the software use SSO or MFA?

Stage 4: Approval 

Timescales from submission: Approx one week to one month+ 

Following the assessments in stage 3, the approval stage will summarise the identified risks and capture them in the Risk Advisory Document for the business approver (Head of Department or Operations Manager) to accept and sign off. This document will also list the responsibilities of the business owner and any support arrangements that need to be in place for the SaaS.

The approval stage is conducted by the Business Approver.

Stage 5: Implementation - Go live 

Timescales from submission: Approx two weeks to one month+ 

Once approved, Single Sign On (SSO) will need to be set up. The requester will be required to liaise with the vendor and IT Services to implement the service so that it is ready to go live.

The implementation stage is coordinated by the requester, vendor, and IT Services.

Related link: Implementation guide