SaaS Checklist v3-5


Is it a 'Full Service'?

Yes

No

Non Managed Services:

If it is a non-managed SaaS service, then the person who put forward the proposal to SLT will have to enter it on the list of non-managed SaaS services.

The following correspondents, please sign and date the relevant sections:

SLT

Security (Niraj Kacha and Anil Parmar)

Enterprise Architecture (Steve Mottram)

HR (Sam Hutchings)

Data Governance (Mark Lister)

Academic Registry (Chris Carpenter)


If it is a Full Service, who is the Service Owner?

Approval Comment
Date
Software as a Service Checklist V3 (06/07/2018)
IT Service – Business Partnering and IT Security Teams

Introduction
This checklist must be completed and approved by the relevant IT and Information Governance staff before a new Software as a Service (SaaS) contract is procured, or development commissioned by a School or Professional Service.

Purpose
The purpose of this checklist is to prevent unnecessary proliferation and financial expense of multiple systems and services by checking whether the requirement can be fulfilled by an existing system, or service.

If there is a requirement for a new service, this checklist will ensure that the proposed service meets requirements, and is secure and supportable, and is procured in a compliant fashion that ensures value for money is achieved.

Operation

Once the requirement for a new service has been identified, it must be notified to the Business Partnering Team within IT Services, who will ensure that the checklist is completed and appraised (drawing in the IT Category Manager from the Procurement Team, where necessary). As part of the initial assessment, Business Partnering will identify any additional stakeholders to be included, and will ensure the proposer has followed the Change Projects ‘Process Review’ procedure, where appropriate.

No SaaS contract can be procured, launched or supported by IT Services, nor will any enabling work be undertaken, without this checklist being satisfactorily completed. The initial assessment required is whether any existing system, or service, can be used. If it is deemed that a new service contract is required then the responses to the subsequent questions will be used to inform the procurement exercise to be undertaken (incl. minimum requirements, specification and evaluation criteria), or effectively provide the rationale for a waiver[1] from the University’s Procurement Rules.

If appropriate assurance has been given for the service to be purchased and deployed, it will be progressed in line with the standard IT Services transition and change management processes and Procurement Rules.

[1] If it is felt that there is a robust rationale for not competing a requirement/contract with a total estimated value of over £10k, as required by the Procurement Rules, then this needs to be approved by the Procurement Team by completing/submitting the Contract Award Approval Form to the IT Category Manager, before making a direct contract award.

Information Governance Policies

A comprehensive set of Information Security sub-policies (approved by University Council in June 2016) provide a framework for handling data in a manner that is legally compliant and also ensures that the sensitive data of our students, colleagues and partners is secure. This checklist is aligned with these policies.

http://www.lboro.ac.uk/services/registry/information-governance/

Procurement Rules

The University’s Procurement Rules, as well as procurement forms and templates (including Procurement Strategy Checklist, Contract Award Approval Form and Request for Quotation template) and Category Manager/Specialist contact details, can be found on the Procurement section of the intranet: https://internal.lboro.ac.uk/info/finance/staff/procurement/
Section A - Requirements & Assessment (To be completed Internally)
A.1 What are the high-level requirements of the system?

Business Case for the System:

Who will be using the system?

Details of the possible supplier:

A.2 Is there potential for an existing system(s) to meet these requirements? List options:

A.3 What is the justification for not using an existing system?

A.4 Will the system need to integrate with any other IT Systems?

A.5 Will the system be storing personal or sensitive data? Please provide the information classification as per “Policy 3 – Information Categories and Controls”.
http://www.lboro.ac.uk/services/registry/information-governance/policy3/

A.6 What is (a) the total estimated contract value and (b) the strategy for purchasing the system? The value should include any extension options, and where the contract is indeterminate, should be based on a 4 year period. Contracts over £10k should be competed in line with the University’s Procurement Rules or have a fully approved waiver. The tender exercise for contracts over £50k is managed by the IT Category Manager. The IT Category Manager can advise on any options to call-off an existing framework agreement. It is important that contracts are based on the University’s Terms & Conditions or those relating to any framework agreement used, or have been vetted by the IT Category Manager.

a) Based on the information category identified in A.5, does a DPIA need to be completed and has one been completed?
Note: Data which is categorised as confidential or highly confidential MUST have a completed DPIA. Further information can be found at: https://www.lboro.ac.uk/data-privacy/resources/dpia/

b) Total estimated contract value

c) The strategy for purchasing the system?

Section F - IT Services Support and Maintenance (Internal Decisions)
F.1 Who will be the ITS Service Owner?

F.2 Who will be the Business Service Owner?

F.3 What are the support requirements?

F.4 What support will be required internally and what will be provided by the supplier?

F.5 Who will be responsible for maintaining the system?

F.6 Has suitable budget been allocated for upgrades and service improvements?

F.7 Has this proposal had Enterprise TDA Authorisation?

F.8 Does the contract include model clauses for Data Protection adequacy?

F.9 If staff or student data is going to be shared, transferred or accessed from outside of the University: has Chris Carpenter reviewed the proposal (for Master Data Management); and has HR (Sam Hutchings) and/or the Academic Registry (Mark Lister) approved the Data Mapping and Information Flow proposals?
Supplier:

Section B - Information Governance (Response to be completed by external supplier)

Ref Question Response Initial Score Comments from IT Services Response to comments Final Score

B.1 Is the company providing the service ISO 27001 certified?
Note: Certificate must be supplied in PDF format and must show the name of the SaaS supplier, not the hosting company, and must be from an accredited certification body.

B.2 Is the company providing the service on the Data Protection Register?
Note: Provide registration number in response.

B.3 How can the company providing the service demonstrate compliance with the Data Protection Act 1998?

B.4 In what region will the University’s data be stored for this service, and will data only stay in this region?

B.5 Please provide details of the data centre University data will be hosted in and credentials held, such as ISO 27001, PCI-DSS certification and SOC 3 report.

B.6 What is the data retention period for this service?

B.7 What are the data deletion timescales and policies when ending the contract?

B.8 If any form of electronic payment is to be accepted and/or processed, is the company providing the service PCI DSS compliant?

B.9 If PCI DSS compliant, please provide an up-to-date AoC (Attestation of Compliance) document.

B.10 Will data be shared, collected, or analysed with or by third parties?

Section B Total Scores: 0

Section C - For Non ISO 27001 Companies ONLY (Response to be completed by external supplier)

Ref Question Response Initial Score Comments from IT Services Response to comments Final Score

C.1 Please provide a copy of the Information Security Policies for the company providing the service.

C.2 Is the company providing the service subject to external Information Governance audits? When was the last one completed? What was the accreditation held by the auditor? Are there any outstanding risks which have not been addressed?

C.3 Is the company providing the service subject to external penetration tests? When was the last one completed? What was the accreditation held by the auditor? Are there any outstanding risks which have not been addressed?

C.4 As part of acceptance testing, we will require permission to perform a penetration test against the software onsite, or the application hosted remotely; can this be facilitated?

C.5 Please provide detailed documentation highlighting the application development process, patch management process and update process.

C.6 Has code generated by the company providing the service been checked and certified by an external body?

C.7 Highlight any tools which are used to ensure secure coding during development and vulnerability scanning once complete.

C.8 Does the software or application in question follow and/or implement Information Security principles such as AAA or AAAA?

C.9 Are all web services HTTPS enabled with weak ciphers disabled?

C.10 Web applications should not be vulnerable to attacks such as the ones highlighted by the OWASP Top Ten. Please provide documentation of tests to ensure vulnerabilities have been mitigated.

C.11 Applications should not be vulnerable to attacks such as the ones highlighted by http://cwe.mitre.org/top25/. Please provide documentation of tests to ensure vulnerabilities have been mitigated.

Section C Total Scores: 0

Section D - General Technical IT (Response to be completed by external supplier)

Ref Question Response Initial Score Comments from IT Services Response to comments Final Score

D.1 What versions, of which browsers, does your product support?

D.2 Does your product require Java or any additional browser plugins to have full functionality, and if so, what are they and which versions do you support?

D.3 Please provide details of the Recovery Time Objective in the event of an incident for the service being procured.

D.4 Please provide details of your Backup and Disaster Recovery plan in the event of an incident for the service being procured.

Section D Total Scores: 0

Date Completed:
Supplier:

Section D (cont.) - Single Sign On (Response to be completed by external supplier)

Ref Question Response Comments from IT Services Response to comments

D.5 Does your product support SAML2?

D.6 Is your company a member of the UK Access Management Federation and/or eduGAIN?

D.7 If you support SAML2 and are not a member of the UK Access Management Federation, can you provide us with a copy of the metadata for your Service Provider?

D.8 Which attributes do you require us to release?

D.9 Do you require any additional data feeds external to the SAML2 transaction?

Section E - Software Integration (Response to be completed by external supplier)

Ref Question Response Comments from IT Services Response to comments

E.1 If middleware is required to import and/or export data between systems, please state the secure protocols used to make the transfer.

E.2 Is the company providing the service able to provide a specific IP address which can be whitelisted to allow data transfers?

E.3 Please provide the details of any supported data exchange format or API in use by the company providing the service.

E.4 Please provide the cost and process involved in Loughborough University withdrawing from the service and recovering data held by the company providing the service.

Section F - Accessibility (Response to be completed by external supplier)

Ref Question Response Comments from IT Services Response to comments

F.1 Does your product meet accessibility standards including screen readers, low vision etc. (from standards such as WCAG 2.0: www.w3.org, BS 8878:2010 Web Accessibility - Code of Practice, or equivalent)?

Date Completed:
Scoring Sheet

Evaluator Name:
Date:
Project / Software Details:
Data Classification:

Section Final Score
Section B 0
Section C 0
Section D 0
Total: 0

Decision:

Scoring Scheme

1 Unacceptable Response: The evaluator believes the question has not been correctly answered or no answer has been provided.

2 Adequate Response: The evaluator believes the question has been answered but very little detail or evidence has been provided.

3 Good Response: The evaluator believes the question has been answered correctly.

4 Excellent Response: The evaluator believes the question was answered correctly with full details and evidence provided.

Risk Matrix

Outcome Range
Fail 0 - 34
Investigate 35 - 66
Pass 67 - 100
