SaaS Request and Approval Process
Guidance
Thank you for submitting your request. Based on your answers, your SaaS request will need to go through the Software Risk Assessment process.
If you plan to purchase or use a SaaS application, you must complete the Software Risk Assessment.
The Software Risk Assessment (SRA) process, managed by Business Partnering, assesses and approves the use of SaaS systems. The SRA is a process carried out by IT Services to ensure that all software meets the Cyber Essentials security requirements and upholds the University’s IT and data standards.
Before continuing, please read the following carefully.
What you need to know
User access
To use the software, it must support SSO and/or MFA
All SaaS applications must support secure user sign-in (authentication) methods: Loughborough University Single Sign On (SSO) and/or Multi-factor authentication (MFA). This is a mandatory security measure to protect University systems and data.
Requests for solutions that do not support these methods will be declined.
We recommend confirming this with the vendor before continuing. If these authentication methods are not supported, you need to seek an alternative SaaS solution.
Personal and sensitive data
Complete a DPIA checklist
Before sharing personal or sensitive data, you must assess the risks and put appropriate safeguards in place. A Data Protection Impact Assessment (DPIA) helps you identify and manage these risks.
To ensure a smooth review, we recommend completing the DPIA after submitting your SaaS request form.
For more information and access to the DPIA checklist, visit the What is a DPIA page.
Timescales, Question guide and getting started
SRA process
Depending on the urgency and complexity of the request, the process takes on average around three months, although it can take longer. Business Partnering will oversee the process but does not chase suppliers.
Before starting the process, please review the SaaS Question guide to help you prepare your responses.
Supporting information
Do I need to complete the Software Risk Assessment?
Please see What is not considered a SaaS Solution.
Have you checked if there is a similar approved SaaS available?
For a list of all approved Software as a Service (SaaS) within Loughborough University, please see:
Software - Software as a Service - filterable | IT Services | Loughborough University
Why we carry out a Software Risk Assessment
This helps the University ensure that the risk to the data we hold, process, and share with suppliers is kept to a minimum. While cloud-based software is our preferred delivery model, it does place greater reliance on supplier security controls.
Further information is available via the link below.
What happens during a Software Risk Assessment?
The process involves five stages and can take anywhere from a few weeks to several months to complete.
Colleagues with expertise in IT Security, Systems Architecture, Data Governance, and Procurement will assess your request and provide guidance to ensure the solution you purchase does not put you and the University at any undue risk.
The Software Risk Assessment does not apply to lab computers and desktop applications.
Further information is available via the link below.