SaaS Definition

Do I need to complete a SaaS request?

The Definition of a SaaS page outlines the requirements for a SaaS, and when the assessment process is applicable.

Please be aware that each SaaS option involves costs, and your requirements must be evaluated before moving forward with a SaaS solution.

This process is not aimed at individuals who need software for individual use - see below.

What is a SaaS?

Software as a Service (SaaS) is a piece of software that generally:

  • Is cloud-based and hosted by a vendor
  • Does not require the University to install and host the service on premises
  • Is maintained and managed entirely by the vendor
  • Is provided by the vendor to multiple organisations (not just Loughborough University), with each organisation only having access to its own data
  • Does not require any additional hardware to be installed

SaaS requests are taken through the Software Risk Assessment process (SRA). The SRA process is to ensure that all software meets the Cyber Essentials security requirements and upholds the University’s IT and data standards.

If data (personal or sensitive) is going off campus, the chances are it will need to go through the SRA.

What is not considered a SaaS Solution?

Below are examples of when it will NOT need to go through the SRA:

Individual

If an individual is signing up for something, then this process is not aimed at them. The SRA is for groups of people using a new piece of software. Generally, this process is aimed at groups of ten-plus people. So, for instance, a few academics signing up to a subscription service to access some specific journals is not something that would go through the software risk assessment.

Registering an account

If you are not buying a software solution but instead are registering an account as a means to access something, for example using the ‘Enterprise’ website to hire a car, then this is not a software solution and does not need to go through the software risk assessment.

Inputting data

If you are not inputting data and there are no user accounts except admins, for example 'Career pathways', where admins can modify the content to show specific info on specific school / course pages, then it does not need to go through the software risk assessment.

Virtual Server

If it will be hosted on an LU virtual server, for example 'OnPortal', no software risk assessment is required, as data will be under Loughborough University's control.

Data Protection Impact Assessment

It is your responsibility to review what University data you’re sharing within the software by using the Data Protection Impact Assessment (DPIA) Checklist.

Data Protection Impact Assessment (DPIA) Checklist
