Effective as of 10/1/2015, this IT Guideline should be observed by faculty and staff.

Sponsors and Approvers

Scott Montgomery, Former UA Deputy Chief Information Officer – Sponsor

Dr. John P. McGowan, UA Chief Information Officer – Approver

Statement of Need and Purpose

Not all software available as a service (i.e., hosted on third-party premises) is maintained and supported at a level sufficient to ensure adequate information security and intellectual property protection. Alternative solutions may already be available on campus. Some applications cannot be easily integrated with the UA network and security architecture (for example, with campus authentication), and some impose excessive bandwidth demands on the campus network. This guideline is provided to assist with the selection of software services suitable for use by UA constituents.

Guideline

  1. Understand the risk – Know exactly what data will be hosted by the application and what the potential impacts of its loss or exposure would be. If the data includes any personally identifiable information, such as Social Security numbers, privacy and security requirements are paramount. If the application will host proprietary information or intellectual property, the risks of exposure or loss must be considered carefully before the service is selected.
  2. Understand the services – Ask key questions of the service provider and ensure that satisfactory answers are written into the contract or service-level agreement; a verbal or marketing assurance that is not in the signed agreement is not enforceable. The questions should include, but are not necessarily limited to:
    • What measures does the service provider use to ensure privacy, physical security, backup, and disaster recovery for the data?
    • Is there a guarantee that the data will not be transmitted through, stored on, or copied to storage devices or servers located in any foreign country?
    • Is UA's data commingled with data from other customers on the same physical hardware, and if so, how are customers isolated from one another?
    • Is the data encrypted?
      • At rest (when stored)?
      • In transit (during transmission)?
      • Who holds the encryption keys: UA, the provider, or a third party? If the provider holds the keys, the provider's staff can read the data regardless of the encryption used.
      • What encryption standard, algorithm, and key length are used?
    • Which provider employees will have access to the data, and how is that access controlled and logged?
    • Does the contract guarantee that these commitments survive if the provider is divested, merged with, or acquired by another company?
    • What service-level guarantees are provided regarding:
      • Service availability (up-time)?
      • Service performance?
      • Service problem notifications, including notification of security incidents involving UA data?
      • Incident response?
      • Incident escalation (after how long, and to whom)?
      • Frequency of backup or replication processes?
      • Time to restore in the event of data loss or system failure?
  3. Follow approved contracting processes including:
    • Engaging UA Purchasing Services
    • Reviewing technology purchases with OIT
    • Allowing for legal review of agreements
    • Ensuring an authorized UA signatory signs any agreements or contracts

Compliance

Compliance with guidelines is voluntary but recommended. Not adhering to guidelines can disrupt services, create security exposures, and adversely affect other users. Enforcement of guidelines is addressed when deviations cause issues for others or result in known and significant security exposures, and is handled through the organizational management structure.