Navigating SaaS Agreements
Uploaded by kevindonovan
FAS IT Stakeholders’ and CAIT Managers’ Forum
Wednesday, January 27, 2016
Lamont Library Forum Room
Navigating Click-Through SaaS Agreements
Framing the SaaS Environment
Eric D’Souza – HUIT PMO
Panelists
Peter Katz – Office of the General Counsel
Rick Kellan – Risk Management and Audit Services
Sandy Silk – IT Security
Chris Gambon – Strategic Procurement
Ellen Gulachenski – HUIT PMO / Vendor Management Office
The Business Case
I am an administrator
I have a specific business need
I found a small SaaS-based application, and I have a click-through
agreement in front of me on my screen.
Should I click “agree?”
Legal Questions
1) Am I authorized to sign or click through an online license agreement on
behalf of the University?
2) How important is the service I am acquiring? Should I be signing a
boilerplate license for an important service?
3) Is there an existing negotiated University contract for the service?
Risk Management Questions
4) What type of data is it? Is it Level 3 or above?
5) Do we need to control vendor access to or use of the data?
6) Can Harvard recover the data if we exit the agreement or if the vendor goes
out of business?
IT Security Questions
7) What is the potential harm if data gets corrupted, deleted, or exposed?
8) Who is going to manage access to the system and remove access when
people leave?
9) If I leave, can Harvard still use the service and the data?
Vendor Performance Questions
10) Is the service defined concretely enough in the click-through agreement
(e.g., customer support)?
11) What aspects of the service will be used to measure quality
(e.g., availability)?
12) What recourse do you have if there is an issue with delivery or quality?
Vendor Management Life Cycle
Service Sourcing Strategy
1. Define Service Sourcing Strategy and align to organizational strategy
Procurement
2. Vendor evaluation and selection
3. Contract negotiations
Vendor Performance Management
4. Contract management & administration
5. Vendor relationship management
6. Risk management (financial, operational and compliance)
7. Service, license, and deployment management
Key Questions - Summary
1) Am I authorized to sign or click through an online license agreement on behalf of the University?
2) How important is the service I am acquiring? Should I be signing a boilerplate license for an important service?
3) Is there an existing negotiated University contract for the service?
4) What type of data is it? Is it Level 3 or above?
5) Do we need to control vendor access to or use of the data?
6) Can Harvard recover the data, either if we exit the agreement or if the vendor goes out of business?
7) What is the potential harm if data gets corrupted, deleted, or exposed?
8) Who is going to manage access to the system and remove access when people leave?
9) If I leave, can Harvard still use the service and the data?
10) Is the service defined concretely enough in the click-through agreement?
11) What aspects of the service will be used to measure quality?
12) What recourse do you have if there is an issue with delivery or quality?
The Business Case - Revisited
Should I click “agree?”
Has the discussion today impacted the way you will approach
answering this question?
Helpful Resources
General IT Questions or Assistance: [email protected]
Vendor Security Risk Assessment Requests: [email protected]
General Security Guidance: http://security.harvard.edu
Sourcing or Contract Questions: [email protected]
HUIT VMO Questions or Contact: [email protected]
Cloud Service Providers: http://rmas.fad.harvard.edu/cloud-service-providers
Harvard Cloud and DevOps: http://cloud.huit.harvard.edu/
Cloud Connect Event – Fri., Feb. 19: cloud.huit.harvard.edu/event/cloud-connect