Information Technology Guideline 08.1.1

Software Decision Analysis and System Risk Assessment Guideline


Date of Current Revision or Creation: July 25, 2019


The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

The purpose of this guideline is to support University Policy 3509 and to ensure that software-based technologies, applications and services meet University information technology requirements, are compatible with existing technology standards and services, and are aligned with information technology priorities without introducing unnecessary service interruptions or other risks to the efficient operation of business at the University.

Definitions

Data Owners - University employees (typically at the level of Registrar or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview.

Project Management Office (PMO) - A strategic functional unit within the Office of Information Technology Services (ITS) that promotes and advances project management principles and services for information technology (IT) projects at the University.

Software Technologies, Applications and Services - Computer programs or a group of computer programs and related data that operate on or interact with the University systems and information technology resources. These include, but are not limited to, system software, application software, and programming software, whether delivered as software as a service (cloud), hosted, or on-premises installed on University systems.

System Owner - Manager or departmental head responsible for operation and maintenance of a University IT system or oversight of hosted systems under their purview.

Guidelines

University Policy 3509 establishes the practice that for software technologies, applications and services, prior to procurement, the requesting department will initiate a software decision analysis to assess integration requirements with existing University services, systems and standards, and operational support requirements.

University Policy 3504, Data Administration Policy, establishes the need for IT security roles and responsibilities, and ITS Standard 01.2.0, IT Security Roles and Responsibilities, establishes the System Owner as the one responsible for operation and maintenance of University IT systems or hosted systems under their purview, including adhering to University policy and standards, managing the risks and maintaining compliance associated with their systems. ITS and Procurement Services support the System Owner in their role as stewards of the systems that they oversee.

NEW PURCHASES

  1. For new purchases of software technologies, applications and services, the requester can initiate a software decision analysis (SDA) via the ITS Project Management Office, which assists with initial information gathering. ITS will assist in the completion of the software decision analysis and resulting summary that informs the System Owner and others regarding:

    • Regulatory compliance
    • Data classification
    • Documentation of risk, when warranted
    • Whether a contract addendum is required, and which contract addendum applies
    • Whether a third-party assessment is required
    • How authentication and account management are addressed
    • Whether remote access is required to the University network
    • Whether an ITS project is likely needed
    • IT security roles and responsibilities for System Owner and Data Owner(s)
    • Sign-off by System Owner and Data Owner(s)
    • When warranted in the estimation of the System Owner, Data Owner or Chief Information Security Officer (CISO), a review and comment by the CISO and Chief Information Officer (CIO) and acceptance by the responsible Vice President or Associate/Assistant Vice President on the basis of business requirements versus the identified risks
  2. After appropriate procurement procedures and documentation are complete, Procurement Services may execute the contract, with the appropriate addendum and assessments as specified in the SDA summary, once the summary is accepted by the System Owner and Data Owner(s) and, when warranted in the estimation of the System Owner, Data Owner and CISO, a review and comment by the CISO and CIO, and accepted by the responsible Vice President or Associate/Assistant Vice President on the basis of business requirements versus the identified risks.
  3. Risk-based decisions may be made by the System Owner, in collaboration with the Data Owner and ITS Security, for Procurement Services to enter into and execute a contract after the Software Decision Analysis has been signed off by appropriate parties. This includes acceptance by the System Owner of modifications to the addendum for protecting hosted data and residual risks identified in the software decision analysis summary. Data Owners have the discretion to deny the sharing of data under their stewardship.
  4. If, in the assessment of the System Owner, Data Owner or CISO, the risks fall outside of what is considered acceptable based on numerous factors, but the business need for the system requires purchase, the responsible Vice President or Associate/Assistant Vice President can accept the risks on behalf of the University via sign-off of the Software Decision Analysis summary.
  5. Exceptions to the software decision analysis can be made for IT purchases that do not inherently require such an analysis, or that are reviewed and implemented through different processes, such as:
    • Desktop software that involves no cloud storage of protected data, no remote access requirement, and is implemented according to applicable ITS Standards.

      • Example: Word Processor with templates that are stored in the cloud
    • Academic, instructional or research desktop software that involves no cloud storage of protected data, no remote access requirement, and does not introduce privacy or security considerations.
    • Subscription SaaS (Software as a Service) solutions that license access to third-party data or services that don't involve the University sharing protected data or integration with University systems.
      • Example: Subscription access to business data used for SCoB business analysis
    • SaaS software that does not involve regulated data and is considered lower risk may receive minimal documentation and contract support.
      • Examples: TeamDynamix, or other hosted solutions involving no regulated data
    • Site Licensed software that is managed by ITS, has no cloud storage of data, and is implemented according to applicable ITS Standards.
    • Commodity hardware such as routers, switches, rack servers, etc. that do not have a new software component.
    • Software technologies, services and systems that do not meet the criteria established in University Policy 3509 Software Decision Analysis Policy.

Third-party assessments may be industry standard SOC II type reports, or a report that provides a similar assurance relative to the risks involved.

  • For all systems involving regulated data (confidential or restricted), prior to procurement processing and/or contract execution, the System Owner will seek to collect a third-party assessment report prior to purchase, and appropriate review will be made by ITS Security Operations based on the risks associated with the system. Reports will be reviewed for restricted systems, and reports may be reviewed for confidential systems.

    • For FERPA confidential data that would normally be classified as Directory Information according to our FERPA Data Owner (/about/monarchcitizenship/ferpa), no third-party assessment will be required.
  • For systems with restricted data, the System Owner will collect the third-party assessment annually thereafter, prior to any renewal of the contract, which will be reviewed by ITS Security Operations.
  • For systems with confidential data, prior to any renewal of the contract, the System Owner will collect third-party assessments upon renewal of the contract, which may be reviewed by ITS Security Operations, based on the degree of risks associated with the system.
    • For FERPA confidential data that would normally be classified as Directory Information according to our FERPA Data Owner (/about/monarchcitizenship/ferpa), no third-party assessment will be required.

System Risk Assessments are related to the risk portion of the software decision analysis, and are completed according to 08.01.0 Risk Assessment Standard.

  • For new systems that are classified as restricted during the software decision analysis, a System Risk Assessment will be conducted by the System Owner with assistance from ITS Security Operations during the project phase and completed prior to deployment to production.
  • For new systems classified as confidential during the software decision analysis, the Software Decision Analysis Summary will serve as the system risk assessment.
  • For lower risk systems, completion of a full system risk assessment is a low priority and should not infringe upon efficient operations.
  • System Risk Assessments can be requested by submission of an ITS support ticket.

RENEWALS

At time of renewal, Procurement Services will follow their Technology Software Renewal Guideline to support System Owners in renewing contracts.

If there is no Software Decision Analysis Summary or System Risk Assessment on record, a best effort will be made to conduct a review before renewal.

  • The Software Decision Analysis for renewals is handled according to the same procedure as with new purchases.
  • Procurement Services may continue with renewals for existing services in order to maintain availability of services. In that case, a Software Decision Analysis or System Risk Assessment will be scheduled by the System Owner as soon as is practical but no later than one year from the time of the contract and will be made available to Procurement Services.

Standards, Procedures, Guidelines & Other Related Information

History

Date              Responsible Party              Action
September 2018    Information Security Office    Created
July 2019         Information Security Office    Updated