Software and Web-based Services Review Process

Learn about the roles played by the person requesting software, IT staff, and the review team, how requests will be evaluated, and a rough timeline for the process.

Roles and Responsibilities

  1. Perform initial triage:
    • Ensure that the expected value of the software is less than $50,000 (calculated over the length of the contract)
    • Ensure that the software is not for personal use
    • Ensure that the software is not purchased with personal funds
    • Check to see if existing “Cleared” software could meet functionality needs
    • Check if desired software is Cleared for subsequent use
  2. Initiate the review process by submitting a new review request (limited to specific IT staff) and verify the following:
    • Data Classification Level
    • Business use
    • Integrations
    • Usage – Faculty, staff, students
    • Course requirements
    • Software Classification
  3. Acquire documentation if necessary:

A version of the VAR in Microsoft Word is available for your convenience.

Review Completion

Outcomes: Final disposition of software review.

  • Cleared: Product aligns with policies, security standards, and accessibility requirements and may be acquired and/or used
  • Cleared with Conditions: Product aligns with policies, security standards, and accessibility requirements but must also comply with stated conditions, requirements, or restrictions for acquisition/use
  • Rejected: Product does not align with policies, security standards and/or accessibility requirements and may not be acquired or used

Next Steps:

  • Provide the Cleared Review Outcome email notification to Purchasing to complete the purchasing process.
  • Contact the service area provider for implementation if needed (add-ins, SSO, integration, etc.) and provide the Cleared Review Outcome email notification as proof of the review outcome.

Review Timeframe

The time required for a review varies with a product's complexity and the availability of the required documentation. Complexity may include additional documentation review, testing of the software, the use case, etc.

  • Low complexity: 1 - 2 weeks
  • Medium/high complexity: 3 - 5 weeks

Please allow adequate time for the software review and additional time if the product is a new purchase or renewal as procurement may have other requirements and reviews to process.

Examples

Data Type | Software | Description | Outcome
Cat 1 | MySQL Enterprise | Database server system | Cleared: Runs on IT-supported equipment, protected by firewalls, patched regularly.
Cat 1 | GitHub | Code repository with local or cloud options | Cleared with conditions: The data it includes might include passwords or impact operations of UB's infrastructure, and it may be used to collaborate with external vendors, so UBIT is pursuing a centrally-supported enterprise implementation. Departments are allowed to use GitHub independently in the meantime.
Cat 1 | KeePass | Desktop application that stores the user's passwords (Cat 1 data) | Rejected: Unable to obtain the documentation necessary to review.
Cat 2 | Avant Assessment | Cloud product for language proficiency assessment | Cleared with conditions: While the product takes appropriate steps to secure data, its single sign-on solution needs to be updated to work with UB's systems within one year.
Cat 2 | LabFlow | Cloud product that integrates with Brightspace | Cleared: UB Learns team approved the integration before the request was submitted, the vendor provided the requested documentation, and user interactions are protected by UBIT login.
Cat 3 | Calendly | Cloud product for scheduling, integrates with MS365 | Rejected: Vendor captures more than Cat 3 data; duplicates functionality UBIT already provides through Microsoft Bookings / Bookings for Me / FindTime.
Cat 3 | LabView | Desktop software that communicates with lab equipment | Cleared: No integrations with cloud services; vendor provides updated versions of the software.

Impact | Software | Description | Outcome
High | SONA | Software to perform experiments for research in a lab, controlled environment | Cleared: Accessibility testing found minimal issues. Vendor is committed to remediation of the issues.
High | Career Leader | Career assessment tool | Cleared with conditions: Significant accessibility issues identified. Vendor quickly remediated the issues prior to purchase of the software.
High | Interview Query | Job interview preparation for data science and business analytics students | Rejected: Serious accessibility issues identified that will present barriers to people with disabilities.
Medium | UbiSim | Immersive virtual lab simulations | Exception Granted: No other vendor provides the content and functionality of this product. The department has an Equity Effective Alternative Access Plan in place to provide timely access to students who cannot access the platform due to a disability.

Red Flags in the Software Review Process

Red Flags are common indicators that a software package may pose significant risk to the university in one or more of the following areas:

  • Accessibility
  • Data Security
  • Compatibility with university IT infrastructure
  • Vendor support

Understanding these may help you choose more appropriate software.

Accessibility (VPAT/ACR documentation):

  • An old version of the VPAT is used (check for the latest version)
  • The date of the last completed VPAT/ACR is more than a year old
  • The product description does not match the product being reviewed
  • Notes and exceptions indicate that a portion(s) of the product has not been reviewed
  • Evaluation methods indicate a minimal or cursory evaluation of the product
  • Success criteria do not include Conformance Level entries, and/or entries include text other than Supports, Partially Supports, Does Not Support, or Not Applicable
  • There are few or no comments in the Remarks and Explanations cell for each success criterion
  • Comments indicate that the company does not fully understand the goals of the success criteria
  • Disclaimers indicate that the company does not stand by its claims in the ACR

Accessibility (testing results):

  • Testing reveals serious accessibility issues that are a complete barrier for individuals with disabilities. These barriers prevent access to core processes or tasks or to many secondary processes or tasks
  • Testing reveals significant accessibility issues that make it difficult to use the site or software as intended. These issues prevent access to some secondary processes or tasks and/or make it difficult to access core processes or tasks
  • Testing reveals moderate accessibility issues that result in a mediocre user experience

Data Security:

  • Lack of SSO or multi-factor authentication (for Cat 1 and Cat 2 data)
  • Lack of encryption, at rest and in transit
  • Product accesses inappropriate data from a system it integrates with

Compatibility with university IT infrastructure:

  • Uses technology not currently known or supported by university personnel
  • Uses deprecated technology

Vendor support:

  • Vendor does not provide regular updates and bug fixes
  • Vendor has no mechanism for requesting support
  • Vendor is unresponsive to clarifications and questions