Software as a Service Checklist V2.3 (01/09/2017)

IT Service – Business Partnering and IT Security Teams

Software as a Service Checklist

Introduction

This checklist must be completed and approved by the relevant IT and Information Governance staff before a new Software as a Service (SaaS) contract is procured, or development commissioned by a School or Professional Service.

Purpose

The purpose of this checklist is to prevent unnecessary proliferation and financial expense of multiple systems and services by checking whether the requirement can be fulfilled by an existing system, or service.

If there is a requirement for a new service, this checklist will ensure that the proposed service meets requirements, and is secure and supportable, and is procured in a compliant fashion that ensures value for money is achieved.

Operation

Once the requirement for a new service has been identified, it must be notified to the Business Partnering Team within IT Services who will ensure that the checklist is completed and appraised (drawing in the IT Category Manager from the Procurement Team, where necessary). As part of the initial assessment, Business Partnering will identify any additional stakeholders to be included, and will ensure the proposer has followed the Change Projects ‘Process Review’ procedure, where appropriate.

No SaaS contract can be procured, launched or supported by IT Services, nor will any enabling work be undertaken, without this checklist being satisfactorily completed. The initial assessment required is whether any existing system or service can be used. If it is deemed that a new service contract is required, then the responses to the subsequent questions will be used to inform the procurement exercise to be undertaken (incl. minimum requirements, specification and evaluation criteria), or effectively provide the rationale for a waiver[1] from the University’s Procurement Rules.

If appropriate assurance has been given for the service to be purchased and deployed, it will be progressed in line with the standard IT Services transition and change management processes and the Procurement Rules.

Information Governance Policies

A comprehensive set of Information Security sub-policies (approved by University Council in June 2016) provides a framework for handling data in a manner that is legally compliant and ensures that the sensitive data of our students, colleagues and partners is secure. This checklist is aligned with these policies.

http://www.lboro.ac.uk/services/registry/information-governance/

Procurement Rules

The University’s Procurement Rules, as well as procurement forms and templates (including Procurement Strategy Checklist, Contract Award Approval Form and Request for Quotation template) and Category Manager/Specialist contact details, can be found on the Procurement section of the intranet:

https://internal.lboro.ac.uk/info/finance/staff/procurement/

Section A – Requirements & Assessment (Internal Questions)
A.1. What are the high-level requirements of the system?
Business Case for the System:
Who will be using the system?
Details of possible supplier:
A.2. Is there potential for an existing system(s) to meet these requirements?
List options:
A.3. What is the justification for not using an existing system?
A.4. Will the system need to integrate with any other IT Systems?
A.5. Will the system be storing personal or sensitive data? Please provide information classification as per “Policy 3 – Information Categories and Controls”.
http://www.lboro.ac.uk/services/registry/information-governance/policy3/
A.6. What is (a) the total estimated contract value and (b) the strategy for purchasing the system? The value should include any extension options and, where the contract is indeterminate, should be based on a 4 year period. Contracts over £10k should be competed in line with the University’s Procurement Rules or have a fully approved waiver. The tender exercise for contracts over £50k is managed by the IT Category Manager. The IT Category Manager can advise on any options to call off an existing framework agreement. It is important that contracts are based on the University’s Terms & Conditions or those relating to any framework agreement used, or have been vetted by the IT Category Manager.
a)
b)
Section B – Information Governance (External Questions)
Question / Answer / Satisfactory (Yes/No)
B.1. Is the company providing the service ISO 27001 certified?
Note: Certificate must be supplied in PDF format and must show the name of the SaaS supplier, not the hosting company, and must be from an accredited certification body.
B.2. Is the company providing the service on the Data Protection Register? Note: Provide registration number in response.
B.3. How can the company providing the service demonstrate compliance with the Data Protection Act 1998?
B.4. In what region will the University’s data be stored for this service?
B.5. What is the data retention period for this service?
B.6. What are the data deletion timescales and policies when ending the contract?
B.7. If any form of electronic payment is to be accepted and/or processed, is the company providing the service PCI DSS compliant?
B.8. Will data be shared, collected, or analysed with or by third parties?

NOTE: If the company providing the service is ISO 27001 certified by an accredited certification body, and has provided evidence of a current certificate which has been verified against the certificate body website, Section C of this document can be skipped.

Section C – For Non-ISO 27001 Companies Only! (External Questions)
Question / Answer / Satisfactory (Yes/No)
C.1. Please provide a copy of the Information Security Policies for the company providing the service.
C.2. Is the company providing the service subject to external Information Governance audits? When was the last one completed? What was the accreditation held by the auditor? Are there any outstanding risks which have not been addressed?
C.3. Is the company providing the service subject to external penetration tests? When was the last one completed? What was the accreditation held by the tester? Are there any outstanding risks which have not been addressed?
C.4. As part of acceptance testing, we will require permission to perform a penetration test against the software, whether installed onsite or hosted remotely. Can this be facilitated?
C.5. Please provide detailed documentation highlighting the application development process, patch management process and update process.
C.6. Has code generated by the company providing the service been checked and certified by an external body?
C.7. Highlight any tools which are used to ensure secure coding during development and vulnerability scanning once complete.
C.8. Does the software or application in question follow and/or implement Information Security principles such as AAA or AAAA?
C.9. Are all web services HTTPS enabled with weak ciphers disabled?
C.10. Web applications should not be vulnerable to attacks such as those highlighted in the OWASP Top Ten. Please provide documentation of tests to ensure these vulnerabilities have been mitigated.
C.11. Applications should not be vulnerable to attacks such as those highlighted in the CWE Top 25 (http://cwe.mitre.org/top25/). Please provide documentation of tests to ensure these vulnerabilities have been mitigated.
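Checklist item C.9 asks whether weak ciphers are disabled, but a "yes" from the supplier is only useful if the reviewer can check it against the supplier's actual TLS configuration. The following is an added example, not part of the University's checklist: it takes scanner output in the form "<protocol> <cipher-suite>" (the sample lines are constructed for illustration, not a real vendor's results) and reports protocols and suites that a reviewer would normally reject. The policy rules encoded here are an assumption of this example and can be tightened to match the University's own standard.

```python
"""Review a supplier's reported TLS configuration against a weak-cipher policy.

Added example for checklist item C.9; not part of the checklist itself.
Input is one "<protocol> <cipher-suite>" pair per line, as many TLS
scanners print their results.
"""
import re

# Constructed sample of what a TLS scan of a supplier endpoint might report.
SAMPLE_SCAN = """\
TLSv1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 TLS_RSA_WITH_RC4_128_SHA
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.3 TLS_AES_256_GCM_SHA384
"""

# Policy assumed by this example: only TLS 1.2 and 1.3 are acceptable.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Each rule: (pattern matched against the suite name, reason it is rejected).
WEAK_SUITE_RULES = [
    (re.compile(r"NULL"), "no encryption"),
    (re.compile(r"EXPORT"), "export-grade key length"),
    (re.compile(r"_anon_|ADH|AECDH"), "anonymous key exchange (no server authentication)"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"3DES|DES_"), "DES/3DES block cipher"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
]


def parse_scan(text):
    """Turn scanner output into (protocol, suite) pairs, ignoring malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def forward_secret(suite):
    """TLS 1.3 suites always use ephemeral key exchange; TLS 1.2 names say so explicitly."""
    return (suite.startswith("TLS_AES_") or suite.startswith("TLS_CHACHA20_")
            or "ECDHE" in suite or "_DHE_" in suite)


def assess(pairs):
    """Return (protocol, suite, reason) findings; an empty list means the policy is met."""
    findings = []
    for proto, suite in pairs:
        if proto in WEAK_PROTOCOLS:
            findings.append((proto, suite, f"{proto} is deprecated"))
            continue
        for rule, reason in WEAK_SUITE_RULES:
            if rule.search(suite):
                findings.append((proto, suite, reason))
                break
        else:
            # Static RSA key exchange exposes all past sessions if the key leaks.
            if not forward_secret(suite):
                findings.append((proto, suite, "no forward secrecy (static key exchange)"))
    return findings


if __name__ == "__main__":
    results = assess(parse_scan(SAMPLE_SCAN))
    if not results:
        print("No weak protocols or cipher suites reported.")
    for proto, suite, reason in results:
        print(f"REJECT {proto:8} {suite:45} {reason}")
```

Run against real scanner output by piping the protocol/suite lines into `parse_scan`; a non-empty result is the evidence to attach to the C.9 answer when asking the supplier to disable the offending configuration.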
Section D – General Technical IT (External Questions)
Question / Answer / Satisfactory (Yes/No)
D.1. What versions, of which browsers, does your product support?
D.2. Does your product require Java or any additional browser plugins to have full functionality and if so what are they and the versions you support?
D.3. Please provide details of the Recovery Time Objective in the event of an incident for the service being procured.


NOTE: If the service requires University users to log in using a username and password, it should support the University's existing Single Sign-On (SSO) SAML 2.0 implementation.

Section D continued – Single Sign On (External Questions)
Question / Answer / Satisfactory (Yes/No)
D.4. Does your product support SAML2?
D.5. Is your company a member of the UK Access Management Federation and/or eduGAIN?
D.6. If you support SAML2 and are not a member of the UK Access Management Federation, can you provide us with a copy of the metadata for your Service Provider?
D.7. Which attributes do you require us to release?
D.8. Do you require any additional data feeds external to the SAML2 transaction?
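Items D.6 and D.7 ask the supplier for Service Provider metadata and the attributes they need released. Before the Identity Provider is configured, a reviewer would check that metadata by hand: every AssertionConsumerService endpoint must be HTTPS (the assertion carries the user's identity), a signing certificate must be present, and the RequestedAttribute list should be compared with what the supplier claimed in D.7. The following is an added example, not part of the University's checklist or its SSO implementation: it parses a constructed SP metadata document (the entityID, URLs and certificate value are placeholders) and produces a short review report. The attribute OIDs are the standard eduPerson and mail identifiers.

```python
"""Review vendor-supplied SAML 2.0 Service Provider metadata (checklist D.6/D.7).

Added example, not part of the checklist. The metadata below is a constructed
sample: entityID, endpoint URLs and the certificate value are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata with one deliberately non-HTTPS endpoint.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://saas.example.invalid/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saas.example.invalid/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://legacy.example.invalid/saml/acs"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SaaS</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def review_sp_metadata(xml_text):
    """Return a dict with the entityID, a list of issues and the requested attributes."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "issues": [], "requested_attributes": []}

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        report["issues"].append("no SPSSODescriptor: this is not Service Provider metadata")
        return report

    # Assertions carry identity data, so the SP should insist they are signed.
    if sp.get("WantAssertionsSigned") != "true":
        report["issues"].append("WantAssertionsSigned is not true")

    # A signing certificate is needed to verify the SP's signed AuthnRequests.
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        report["issues"].append("no X509Certificate in KeyDescriptor")

    # Every AssertionConsumerService must be HTTPS; a plain-HTTP endpoint would
    # receive the signed assertion (and the user's attributes) in clear text.
    for acs in sp.findall("md:AssertionConsumerService", NS):
        location = acs.get("Location", "")
        if not location.lower().startswith("https://"):
            report["issues"].append(f"ACS index {acs.get('index')} is not HTTPS: {location}")

    # Collect what the SP says it needs, to compare with the D.7 answer.
    for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        report["requested_attributes"].append((name, ra.get("isRequired") == "true"))
    return report


if __name__ == "__main__":
    result = review_sp_metadata(SAMPLE_METADATA)
    print("entityID:", result["entity_id"])
    for issue in result["issues"]:
        print("ISSUE:", issue)
    for name, required in result["requested_attributes"]:
        print("requests attribute:", name, "(required)" if required else "(optional)")
```

Pass the supplier's actual metadata file contents to `review_sp_metadata` in place of the sample; the returned issue list is what to send back to the supplier, and the attribute list is what the Identity Provider's release policy has to be checked against.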
Section E – Software Integration (External Questions)
Question / Answer / Satisfactory (Yes/No)
E.1. If middleware is required to import and/or export data between systems please state the secure protocols used to make the transfer.
E.2. Is the company providing the service able to provide a specific IP address which can be whitelisted to allow data transfers?
E.3. Please provide the details of any supported data exchange format or API in use by the company providing the service.
E.4. Please provide the cost and process involved in Loughborough University withdrawing from the service and recovering data held by the company providing the service.
Section F – IT Services Support and Maintenance (Internal Decisions)
Question / Answer / Decision / Confirmation
F.1. Who will be the ITS Technical Service Owner?
F.2. Who will be the Business Service Owner?
F.3. What are the support requirements?
F.4. What support will be required internally and what will be provided by the supplier?
F.5. Who will be responsible for maintaining the system?
F.6. Has suitable budget been allocated for upgrades and service improvements?
F.7. Has this proposal had Enterprise TDA Authorisation?
F.8. Please confirm that the relevant license agreement and/or EULA has been received and reviewed. Please list any limitations.
F.9. Does the contract include model clauses for Data Protection adequacy?
F.10. If staff or student data is going to be shared, transferred or accessed from outside of the University, has Chris Carpenter reviewed the proposal (for Master Data Management), and has HR (Anne Lamb) and/or the Academic Registry (Mark Lister) approved the Data Mapping and Information Flow proposals?

[1] If it is felt that there is a robust rationale for not competing a requirement/contract with a total estimated value of over £10k, as required by the Procurement Rules, then this needs to be approved by the Procurement Team by completing/submitting the Contract Award Approval Form to the IT Category Manager, before making a direct contract award.