Understand why we carry out a Software Risk Assessment

All of the reasons below help LU ensure that the data we hold, process and share with vendors is subjected to minimal risk. Cloud software is the ITS preferred delivery model; this does, however, place more reliance on vendor security controls.

Key reasons for carrying out a Software Risk Assessment:

Security

  • ITS need to ensure that the SaaS provider's policies and processes are in line with industry best practice, so that data processed on behalf of the University is not subject to any unnecessary risks.
  • The University requires Cyber Essentials and Cyber Essentials Plus in order to maintain existing contracts and bid for new contracts at certain risk levels. The SRA process allows the IT Security team to ensure procured SaaS products align with the requirements of the certification.
  • The SRA allows IT Security to audit the technical controls deployed by the SaaS provider, such as strong password policies, penetration testing and secure coding practices, supporting a risk-based determination of the risks posed to University data.
  • Data breaches at vendors have exposed sensitive University data in the past; this is a real risk that we must aim to minimise.


Enterprise Architecture

  • ITS need to understand how the SaaS solution will integrate with our existing systems and ensure compatibility. The departments wishing to procure a SaaS system sometimes fail to identify integration requirements (e.g. data feeds needed to set up user accounts or permissions) and late identification of these can lead to delays in implementation due to IT resource constraints. Some vendors use unreliable or insecure methods of data integration that create risks to data integrity and security.
  • Vendors often omit key information about how their service will be rolled out, e.g. failing to disclose that the SaaS solution actually requires some components or software to be installed in our data centres or on desktops, leading to increased complexity and resource costs to manage the locally installed software. These are checked as part of the assessment.
  • Single Sign-On and/or multi-factor authentication is required for all SaaS solutions in order to maintain the University's compliance with Cyber Essentials, and checks must be made to ensure the vendor provides this service in a way that is compatible with the University's Single Sign-On approach.
  • The Software Risk Assessment will include a review of requirements and checks against existing software solutions. This often results in an existing solution being utilised, removing the need for additional IT systems, and reducing costs and IT complexity for LU.


Data Governance

  • The University has a legal responsibility to comply with UK data protection legislation. When purchasing a SaaS solution, the University must conduct due diligence to ensure vendors meet UK GDPR requirements for processing personal data, and individuals aren't unnecessarily exposed to risk.
  • A breach of UK data protection law could have severe operational, reputational, and financial consequences for the University, potentially resulting in fines of up to £15m and loss of research funding.
  • Vendors often make misleading or exaggerated claims about their products' compliance with various countries' data protection laws, even when they don't actually meet those standards.
  • Finally, although it can often appear that no data is being shared with the vendor, there almost always is. Where the data shared is minimal, only minimal checks need to be carried out.