Software Risk Management Program

Review BEFORE you buy.  

Start your review by emailing software-risk-mgmt@umd.edu.


Overview

The University of Maryland is committed to safeguarding its data, infrastructure, and community by ensuring that all third-party technology solutions undergo a thorough review process. The Software Risk Management (SRM) Program is designed to assess, monitor, and manage risks associated with external IT vendor applications and software, ensuring compliance with university policies, state regulations, and federal laws.


Purpose

The SRM Program aims to:

  • Protect UMD's Interests: Safeguard the university's data, systems, and reputation by evaluating the security and compliance posture of third-party vendor applications and software.
  • Ensure Compliance: Align vendor engagements with applicable laws, including FERPA, HIPAA, and state procurement regulations.
  • Promote Efficiency: Streamline the acquisition process to prevent redundancy, reduce service duplication, and ensure compatibility with existing systems.
  • Enhance Transparency: Maintain a centralized list of approved applications and software for institutional awareness and oversight.

Process Statement

All software, software-as-a-service products, and cloud acquisitions must complete the Software Risk Management (SRM) assessment process before procurement. This ensures that:

  • Security risks are identified and mitigated.
  • Data privacy concerns are addressed.
  • Digital accessibility concerns are addressed.
  • Contracts are reviewed for compliance and risk exposure.
  • Solutions are compatible with UMD's IT infrastructure.

Scope

This process applies to all University of Maryland departments, units, affiliates, faculty, staff, workforce members, and sponsored affiliates who engage in contractual relationships with third-party vendors or contractors for IT applications and/or software. If you answer “yes” to any of the questions below, the Software Risk Management (SRM) process is required.

  • Does the tool/service involve an agreement/contract (with or without costs, including a “click-through” agreement where you accept the terms of use) with a service provider who provides a network-accessible service on behalf of UMD to collect, transmit, or process any institutional data?
  • Does the tool/service require that a service provider process payment card information on behalf of UMD? Please note, this applies to all entities involved in the payment card process including merchants, processors, issuers and service providers. This also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. Payment Card will be part of the review if the Data Element for Credit Cards is marked.
  • Does the tool/service involve transferring any institutional data from a university-owned system to a third-party system, including cloud and Software as a Service solutions?
  • Does the tool/service require that a third-party system collect or process any institutional data that will later be transmitted for use by UMD?
  • Does the tool/service need to be used by students as a part of coursework and it collects and/or stores personally identifiable information including intellectual property or grades?
  • Does the tool/service make a copy of documents or materials containing any of the data elements described above or that are classified as elevated or high risk according to the UMD Data Classification Standard (IT-2) (i.e., institutional, financial, or student data)?

Timeline for Reviews

The duration of each review depends on several factors, including the complexity of the request, the completeness and timeliness of submitted documentation, and the current volume of requests under review. As a general guideline, once all required materials have been received from the vendor, departments should plan for approximately 3 to 4 weeks (15–20 business days) to receive SRM approval or disapproval. Only after the software/tool is approved can the item be procured.


SRM Assessment Process

  • Initiation: Departments identify the need for a new IT solution and initiate a review by emailing software-risk-mgmt@umd.edu.
  • Risk Evaluation: The SRM team assesses the solution's security, data privacy, and accessibility risk by collaborating with relevant stakeholders, including IT Compliance, IT Accessibility, Data Privacy, and Legal teams for a comprehensive evaluation.
  • Approval and Registration: Upon approval, the SRM team will send the requestor an approval form and then the requestor can proceed with the procurement process.

Roles and Responsibilities

  • Requestor: Initiate SRM assessments and ensure compliance with the process in a timely manner. Fill out appropriate forms as needed.
  • SRM Team: Conduct risk evaluations and coordinate reviews with stakeholders.
  • Vendor: Provide requested materials and respond in a timely manner with full cooperation.
  • Office of General Counsel (as needed): Review contractual terms and compliance obligations.
  • Procurement: Ensure adherence to procurement policies and procedures.

Exceptions

Certain low-risk acquisitions may qualify for an expedited review or exemption. Departments must consult with the SRM team to determine eligibility.

Criteria for such exceptions include:

  • No access to sensitive or regulated data.
  • No integration with critical university systems.


Annual Review

The SRM process will undergo an annual review to incorporate changes in regulatory requirements, emerging risks, and institutional priorities.

To ensure continued protection of university data, all applications and software will undergo a re-review every three years. This regular review cycle enables the university to adapt to evolving security standards and vendor management practices.

Any application or software that is not approved through the SRM process will be eligible for a re-review after 1 calendar year.


Resources


FAQs

Reviews typically take 3-4 weeks once all documents are received. Reviews will be delayed if all documents are not received in a timely manner.

There are three reviews, and each one needs specific documents.

Any faculty or staff member may initiate a review.

There are several instances where a new review should be submitted. 

  • When a new piece of software is being procured
  • When the data classification level is being updated
  • When software is due for re-review, typically 3 years after the initial review
  • Change in use or features

Exceptions are very rare and made on a case-by-case basis. Please reach out to the Software Risk Management Team for exceptions.

Please email the Software Risk Management Team to check on the status of your individual review. Please be sure to include the name of the title being reviewed.

Please email the Software Risk Management team to edit the information on your review.

Some tools note free use, but when you get to the agreement, terms, or web descriptions, it is disclosed that the tool is free for personal (vs. enterprise) use, for one install/one user only, or that it has other restrictions. Even if it is free, there are still risks that are posed. If in doubt, initiate a review.

There are several individuals and groups involved in the review process:

  • Requestor
  • Software Risk Management Team
  • IT Accessibility Team
  • Data Privacy Team
  • IT Compliance Team
  • Office of General Counsel (as needed)
  • Procurement and Business Services

If a vendor signature is required, you must route your agreement through Workday to Procurement and Business Services.

Only Procurement and Business Services has signatory authority. Any agreements requiring a physical signature must be routed through Procurement.

Universities must comply with various federal and state regulations regarding data protection. Risk assessments ensure that third-party providers meet these legal requirements, helping the university avoid penalties, audit findings, legal issues and protecting the university reputation.

Each review group is looking at different aspects of the tool.

  • ADA: Compliance with campus and federal ADA guidelines and regulations. Whether or not a tool is required for class or departmental work.
  • Data Privacy: How the vendor will store and use university data.
  • IT Compliance: Whether the third-party providers meet legal requirements, helping the university avoid penalties, audit findings, legal issues and protecting the university reputation.

The expedited process allows departments to acquire low-cost software licenses more quickly—bypassing the full Software Risk Management review—if specific conditions are met. To use the expedited procurement process, users can submit the Expedited Procurement form.

To qualify, the software must:

  • Cost less than $25,000 total (including free or trial versions), and
  • Not involve any sensitive use cases, such as storing restricted data or being used in instruction.

Contact SPARCS@umd.edu for more information about the expedited process.

Yes. However, any of these titles are subject to future review and, potentially, removal.