Navigating SaaS Agreements

FAS IT Stakeholders’ and CAIT Managers’ Forum

Wednesday, January 27, 2016

Lamont Library Forum Room

Navigating Click-Through SaaS Agreements

Announcements

Noah Selsby – Network Maintenance: March 11-12

Gretchen Grozier – HarvardKey Update

Framing the SaaS Environment

Eric D’Souza – HUIT PMO

Panelists

Peter Katz – Office of the General Counsel

Rick Kellan – Risk Management and Audit Services

Sandy Silk – IT Security

Chris Gambon – Strategic Procurement

Ellen Gulachenski – HUIT PMO / Vendor Management Office

The Business Case

I am an administrator

I have a specific business need

I found a small SaaS-based application, and I have a click-through agreement in front of me on my screen.

Should I click “agree?”

Legal Questions

1) Am I authorized to sign or click through an online license agreement on behalf of the University?

2) How important is the service I am acquiring? Should I be signing a boilerplate license for an important service?

3) Is there an existing negotiated University contract for the service?

Risk Management Questions

4) What type of data is it? Is it Level 3 or above?

5) Do we need to control vendor access to or use of the data?

6) Can Harvard recover the data if we exit the agreement or if the vendor goes out of business?

IT Security Questions

7) What is the potential harm if data gets corrupted, deleted, or exposed?

8) Who is going to manage access to the system and remove access when people leave?

9) If I leave, can Harvard still use the service and the data?

Vendor Performance Questions

10) Is the service defined concretely enough in the click-through agreement (e.g., customer support)?

11) What aspects of the service will be used to measure quality (e.g., availability)?

12) What recourse do you have if there is an issue with delivery or quality?

Vendor Management Life Cycle

Service Sourcing Strategy

1. Define Service Sourcing Strategy and align to organizational strategy

Procurement

2. Vendor evaluation and selection

3. Contract negotiations

Vendor Performance Management

4. Contract management & administration

5. Vendor relationship management

6. Risk management (financial, operational and compliance)

7. Service, license, and deployment management

Key Questions - Summary

1) Am I authorized to sign or click through an online license agreement on behalf of the University?

2) How important is the service I am acquiring? Should I be signing a boilerplate license for an important service?

3) Is there an existing negotiated University contract for the service?

4) What type of data is it? Is it Level 3 or above?

5) Do we need to control vendor access to or use of the data?

6) Can Harvard recover the data, either if we exit the agreement or if the vendor goes out of business?

7) What is the potential harm if data gets corrupted, deleted, or exposed?

8) Who is going to manage access to the system and remove access when people leave?

9) If I leave, can Harvard still use the service and the data?

10) Is the service defined concretely enough in the click-through agreement?

11) What aspects of the service will be used to measure quality?

12) What recourse do you have if there is an issue with delivery or quality?

The Business Case - Revisited

Should I click “agree?”

Has the discussion today impacted the way you will approach answering this question?

Helpful Resources

General IT Questions or Assistance: [email protected]

Vendor Security Risk Assessment Requests: [email protected]

General Security Guidance: http://security.harvard.edu

Sourcing or Contract Questions: [email protected]

HUIT VMO Questions or Contact: [email protected]

Cloud Service Providers: http://rmas.fad.harvard.edu/cloud-service-providers

Harvard Cloud and DevOps: http://cloud.huit.harvard.edu/

Cloud Connect Event – Fri., Feb. 19: cloud.huit.harvard.edu/event/cloud-connect

Thank you.