Software Decision Analysis


What is an SDA?

Before university data is shared with or stored in a new digital solution or service, the product or vendor receives a review that assesses compliance with federal, state, and University policies, security, privacy, and compatibility with existing technologies.

If your department is looking for a solution to solve a need or gap, please reach out to PMO@odu.edu. They can assist in identifying potential existing solutions and help facilitate connections with departments using the existing solution.

The Software Decision Analysis is used to meet several needs of the university, taking a data-first approach. The goals of any SDA are to:

  • Conduct third-party risk management, which encompasses a review of vendors’ data security and privacy practices, breach response and notifications, compliance requirements, and University contractual obligations.
  • Ensure alignment with University initiatives such as the OMNI initiative.
  • Assess the implementation, support, ongoing maintenance, and efficiency of technical solutions.

How is an SDA review conducted?

  • First, submit a Software Decision Analysis Questionnaire.
  • We will review for potential exemption criteria.
  • If the solution does not meet exemption criteria, an SDA review is necessary. During the SDA review, we will:
    • identify the data involved
    • look at business use cases
    • determine how the solution processes, integrates and shares data
    • assess vendor security and privacy
    • identify potential risks
  • Identify and obtain signatures from the system compliance owner, data compliance, and any other roles identified during the review.
  • We will include the requestor in all communications throughout the review process.

What should I include in the questionnaire?

  • Ask the vendor to complete the Higher Education Cloud Vendor Assessment Tool (HECVAT) form.
  • Include the procurement contract, which may consist of:
    • MSA, SaaS, SLA, or similar agreements that define the terms and conditions of use.
    • A vendor quote or proposal that defines the scope, deliverables, term start and end dates, and costs.
    • A Sole Source Justification if the software cannot be purchased from an approved cooperative/GPO.
  • The SDA review runs in parallel with procurement wherever possible.

Data classification

The level of security review depends on the classification of the data involved:

Class 1 includes information protected under federal, state, or industry regulations and/or civil statutes, which, if lost, may require breach notification and could result in regulatory sanctions, fines, and damage to the institution's mission and reputation.

Vendor assurance to include in the SDA submission for this class includes, but is not limited to: a SOC 2 Type 2 report, HITRUST certification, ISO certifications (such as ISO/IEC 27001), a PCI DSS Attestation of Compliance (AoC), and FedRAMP authorization.

The next classification includes data not explicitly defined in class 1 that may still be regulated while posing lower risk, as well as proprietary or confidential information that, if improperly released, has the potential to cause harm to the institution, its mission, or its reputation. Examples include proprietary and properly de-identified research information, business-related email or other communication records, financial information, employee performance records, operational documentation, contractual information, intellectual property, internal memoranda, salary information, and all other information releasable in accordance with the Virginia Freedom of Information Act (Code of Virginia § 2.2-3700).

Vendor assurance to include in the SDA submission for this class includes, but is not limited to: any of the class 1 assurances, a completed HECVAT, security white papers, and external vulnerability scan or penetration test reports.

The lowest classification includes data not explicitly defined in classes 1-3 that is not regulated and poses a lower risk to the University, or that is considered publicly available for unrestricted use and disclosure.

Solutions handling only this class receive a general assessment or a complete exemption. Where proprietary data is involved, assurance can include a HECVAT, the vendor's privacy policy, and similar documents.