SaaS Checklist v3-5
SaaS Checklist v3-5
SaaS Checklist v3-5
Yes
No
If it is a non-managed SaaS service then the person who put forward the proposal
to SLT, will have to enter it on the list of non-managed SaaS service
The following correspondants please sign and date the relevant sections
SLT
HR (Sam Hutchings)
Approval Comment
Date
Software as a Service Checklist V3 (06/07/2018)
IT Service – Business Partnering and IT Security Teams
Introduction
This checklist must be completed and approved by the relevant IT and Information Governance staff before a ne
Software as a Service (SaaS) contract is procured, or development commissioned by a School or Professional S
Purpose
The purpose of this checklist is to prevent unnecessary proliferation and financial expense of multiple systems an
services by checking whether the requirement can be fulfilled by an existing system, or service.
If there is a requirement for a new service, this checklist will ensure that the proposed service meets requiremen
secure and supportable, and is procured in a compliant fashion that ensures value for money is achieved.
Operation
Once the requirement for a new service has been identified, it must be notified to the Business Partnering Team
Services who will ensure that the checklist is completed and appraised (drawing in the IT Category Manager from
Procurement Team, where necessary). As part of the initial assessment, Business Partnering will identify any ad
stakeholders to be included, and will ensure the proposer has followed the Change Projects ‘Process Review’ pr
where appropriate.
No SaaS contract can be procured, launched or supported by IT Services, nor will any enabling work to be unde
without this checklist being satisfactorily completed. The initial assessment required is whether any existing syste
service can be used. If it is deemed that a new service contract is required then the responses to the subsequen
questions will be used to inform the procurement exercise to be undertaken (incl. minimum requirements, specifi
and evaluation criteria), or effectively provide the rationale for a waiver[1] from the University’s Procurement Rule
If appropriate assurance has been given for the service to be purchased and deployed; it will be progressed in lin
the standard IT Services transition and change management processes and Procurement Rules.
[1] If it is felt that there is a robust rationale for not competing a requirement/contract with a total estimated value
£10k, as required by the Procurement Rules, then this needs to be approved by the Procurement Team by
completing/submitting the Contract Award Approval Form to the IT Category Manager, before making a direct co
award.
http://www.lboro.ac.uk/services/registry/information-governance/
Procurement Rules
The University’s Procurement Rules, as well as procurement forms and templates (including Procurement Strate
Checklist, Contract Award Approval Form and Request for Quotation template) and Category Manager/Specialis
details, can be fould on the Procurement section of the intranet: https://internal.lboro.ac.uk/info/finance/staff/proc
ernance staff before a new
School or Professional Service.
A.2 Is there potential for an existing system(s) to meet these requirements? List options:
A.4 Will the system need to integrate with any other IT Systems?
A.5. Will the system be storing personal or sensitive data? Please provide information classification as per “Policy 3
http://www.lboro.ac.uk/services/registry/information-governance/policy3/
A.6. What is (a) the total estimated contract value and (b) the strategy for purchasing the system? The value should
Contracts over £10k should be competed in line with the University’s Procurement Rules or have a fully approved w
Manager can advise on any options to call-off an existing framework agreement. It is important that contracts are ba
vetted by the The IT Category Manager.
a) Based on the information category identified in A5, does a DPIA need to be completed and has one been
completed?
Note: Data which is categorised as confidential or highly confidential MUST have a completed DPIA. Further
information can be found at: https://www.lboro.ac.uk/data-privacy/resources/dpia/
F.4 What support will be required internally and what will be provided by the supplier?
F.6 Has suitable budget beed allocated for upgrades and service improvements?
F.8 Does the contract include model clauses for Data Protection adequacy?
F.9 If staff or student data is going to be: shared, transferred or accessed from outside of the University; has Chr
proposal (for Master Data Management); and has HR (Sam Hutchings ) and/or the Academic Registry (Mark List
and Information Flow proposals?
of the University; has Chris Carpenter reviewed the
demic Registry (Mark Lister) approved the Data Mapping
Supplier:
B.1 Note: Certificate must be supplied in PDF format and must show the
name of the SaaS supplier, not the hosting company, and must be
from an accredited certification body.
In what region will the University’s data be stored for this service and
B.4
will data only stay in this region?
What are the data deletion timescales and policies when ending the
B.7
contract?
If any form of electronic payment is to be accepted and/or processed,
B.8
is the company providing the service PCI DSS compliant?
C.9 Are all web services HTTPS enabled with weak ciphers disabled?
Response to comments
Response to comments
Response to comments
Scoring Sheet
Scoring Sc
Evaluator Name
Date
1
Project / Software Details
Data Classification
2
Section Final Score
Section B 0
Section C 0
Section D 0 3
Total: 0
Decision
4
Scoring Scheme
Unacceptable Response
The evaluator believes the question has
not been correctly answered or no
answer has been provided.
Excellent Response
The evaluator believes the question
was answered correctly with full details
and evidence provided