Why Does IT Need to Review My Software?

Missouri S&T IT follows a software review process laid out by the UM System in BPM 12004. This policy ensures that IT and Telecom resources meet each campus’s security, compatibility, supportability, and sustainability requirements.

When obtaining a software product (brand-new, renewal, open-source, or software maintenance), there is a lot going on behind the scenes.

Legal Review

S&T IT begins by sending the software product’s Terms of Service (TOS), End User License Agreement (EULA), and/or Privacy Policy to the UM System Office of General Counsel (OGC) for review. OGC makes sure that the University’s interests are protected and that the terms, agreements, or policies meet the requirements the UM System is obligated to follow as an instrumentality of the State of Missouri. Additionally, OGC works to protect the individual employee or department from being sued by shifting legal risk to the department and the University. Once OGC has reviewed the terms, agreements, and/or policies, any modifications are sent to the software vendor for approval.

Risk Management Review

If the software vendor rejects the modifications, S&T IT sends the suggested agreement modifications to the Office of Risk and Insurance Management (RIM). RIM then evaluates how the original terms, agreements, and/or policies pose risk to the University. In many cases, RIM will approve use if the department requesting the software accepts the legal and financial risks and obligations (including hiring legal representation outside the State of Missouri). If the requesting department accepts the risk of using the software product without modified terms, agreements, and/or policies, the request proceeds to S&T IT Security’s review.

Security Review

S&T IT Security evaluates whether the software product meets Missouri S&T and UM System security requirements. This is more than just making sure the software is free of malware, spyware, and security vulnerabilities. In addition, a Data Classification Level (DCL) must be set based on the UM System’s Data Classification System. The DCL defines the permitted levels of use with regard to regulations such as FERPA or HIPAA. For example, student names and university email addresses are DCL-3 and are not allowed to be entered into software approved only for DCL-1 or DCL-2.

CIO Review

If the software product is approved by the legal, risk management, and security reviews, it is then sent to S&T IT’s CIO or the CIO’s designated delegate for final approval. They evaluate the software’s use case and costs along with any OGC, RIM, or S&T IT Security recommendations.

Through this process, S&T IT ensures that we follow UM System and Missouri S&T standards, policies, and records-retention requirements, while also reducing cost by avoiding duplication.