Software and Web-based Services Review Process

Learn about the roles played by the person requesting software, IT staff, and the review team, how requests will be evaluated, and a rough timeline for the process.

Roles and Responsibilities

Contact your departmental IT support to guide you through the process.

Perform initial triage:
- Ensure that the expected value of the software is less than $50,000 (calculated over the length of the contract)
- Ensure that the software is not for personal use
- Ensure that the software is not purchased with personal funds
- Check to see if existing “Cleared” software could meet functionality needs
- Check if desired software is Cleared for subsequent use
Initiate review process, submit a new review request and verify the following (limited to specific IT staff):
- Data Classification Level
- Business use
- Integrations
- Usage – Faculty, staff, students
- Course requirements
- Software Classification
Acquire documentation if necessary:
- HECVAT (Higher Education Community Vendor Assessment Toolkit)
- VPAT (Voluntary Product Accessibility Template), version 2.4 or higher

A version of the VAR in Microsoft Word is available for your convenience.

Review Completion

Outcomes: Final disposition of software review.

Cleared: Product aligns with policies, security standards, and accessibility requirements and may be acquired and/or used
Cleared with Conditions: Product aligns with polices, security standards and accessibility requirements but also needs to comply with conditions, requirements, or restrictions for acquisition/use
Rejected: Product does not align with policies, security standards and/or accessibility requirements and may not be acquired or used

Next Steps:

Provide Cleared Review Outcome email notification and Web-based Services and Software Under $50,000 Pre-purchase Form to Purchasing to complete purchasing process.
Contact service area provider for implementation if needed (add-ins, SSO, integration, etc.) and provide Cleared Review Outcome email notification as proof of Cleared review outcome.

Review Timeframe

The time required for a review can vary based on a product's complexity and availability of the required documentation. Complexity may include additional documentation review, testing of software, use case, etc.

Low complexity: 1 - 2 weeks
Medium/high complexity: 3 - 5 weeks

Please allow adequate time for the software review and additional time if the product is a new purchase or renewal as procurement may have other requirements and reviews to process.

Examples

Data Type	Software	Description	Outcome
Cat 1	MySQL Enterprise	Database server system	Cleared: Runs on IT-supported equipment, protected by firewalls, patched regularly.
Cat 1	GitHub	Code repository with local or cloud options	Cleared with conditions: The data it includes might include passwords or impact operations of UB's infrastructure, may be used to collaborate with external vendor, so UBIT is pursuing a centrally-supported enterprise implementation. Departments are allowed to use GitHub independently in the meantime.
Cat 1	KeePass	Desktop application that stores user's passwords (CAT1 data)	Rejected: Unable to obtain documentation necessary to review.
Cat 2	Avant Assessment	Cloud product for language proficiency assessment	Cleared with conditions: While the product takes appropriate steps to secure data, its Single Sign-on solution needs to be updated to work with UB's systems within one year.
Cat 2	LabFlow	Cloud product that integrates with Brightspace	Cleared: UB Learns team approved integration before request was submitted, vendor provided requested documentation, user interactions are protected by UBIT login.
Cat 3	Calendly	Cloud product for scheduling, integrates with MS365	Rejected: Vendor captures more than Cat 3 data; duplicates functionality UBIT already provides through Microsoft Bookings / Bookings for Me / FindTime.
Cat 3	LabView	Desktop software that communicates with lab equipment	Cleared: No integrations with cloud services, vendor provides updated versions of the software.

Impact	Software	Description	Outcome
High	SONA	Software to perform experiments for research in a lab, controlled environment	Cleared: Accessibility testing found minimal issues. Vendor is committed to remediation of issues.
High	Career Leader	Career assessment tool	Cleared with conditions: Significant accessibility issues identified. Vendor quickly remediated the issues prior to purchase of the software.
High	Interview Query	Job interview preparation for data science and business analytics students	Rejected: Serious accessibility issues identified that will present barriers to people with disabilities.
Medium	UbiSim	Immersive virtual lab simulations	Exception Granted: No other vendor provides the content and functionality of this product. The department has an Equity Effective Alternative Access Plan in place to provide timely access to students who cannot access the platform due to a disability.

Red Flags in the Software Review Process

Reg Flags are common indicators that a software package may pose significant risk to the university in one or more of the following areas:

Accessibility
Data Security
Compatibility with university IT infrastructure
Vendor support

Understanding these may help you choose more appropriate software.

An old version of the VPAT is used (check for latest version)
The date of the last completed VPAT/ACR is more than year old
The product description does not match the product being reviewed
Notes and exceptions indicate that a portion(s) of the product has not been reviewed
Evaluation methods indicate a minimal or cursory evaluation of the product
Success criteria do not include Conformance Level entries and/or each entry includes text other than Supports, Partially Supports, Does not Support or Not Applicable
There are few or no comments in the Remarks and Explanations cell for each success criterion
Comments indicate that the company does not fully understand the goals of the success criteria
Disclaimers indicate that the company does not stand by their claims in the ACR

Testing reveals serious accessibility issues that are a complete barrier for individuals with disabilities. These barriers prevent access to core processes or tasks or to many secondary processes or tasks
Testing reveals significant accessibility issues that make it difficult to use the site or software as intended. These issues prevent access to some secondary processes or tasks and/or make it difficult to access core processes or tasks
Testing reveals moderate accessibility issues that result in a mediocre user experience

Lack of SSO or multi-factor authentication (for CAT 1 and 2)
Lack of encryption, at rest and in transit
Product accesses inappropriate data from a system it integrates with

Uses technology not currently known or supported by university personnel
Uses deprecated technology

Vendor does not provide regular updates and bug fixes
Vendor has no mechanism for requesting support
Vendor is unresponsive to clarifications and questions

Questions?

Contact vpcio-software-review@buffalo.edu

Software and Web-based Services Review Process

On this page:

Roles and Responsibilities

Review Completion

Review Timeframe

Examples

Red Flags in the Software Review Process

Help

News and Alerts

About Us

Forms

IT Policies

Follow UBIT

Software and Web-based Services Review Process

On this page:

Roles and Responsibilities

Requestor (person who wants to acquire or use a software product)

Departmental IT Support (requestor’s IT support)

Review Completion

Review Timeframe

Examples

Examples of actual cases and outcomes for IT Assessments

Examples of actual cases and outcomes for Accessibility Assessments

Red Flags in the Software Review Process

Red flags when reviewing a VPAT/Accessibility Conformance Report (ACR)

Red flags when testing a product

Red flags on data security

Red flags on compatability with university IT infrastructure

Red flags when reviewing the vendor support aspects of a product

Help

News and Alerts

About Us

Forms

IT Policies

Follow UBIT