When purchasing or renewing software/applications there are minimum standards that MUST be met to ensure the University meets all its internal policy and legal requirements. To help you through this process, you will need to fill in a Contract Information for Software Compliance (CISC) request.
This applies to all software applications or services both locally installed and externally hosted e.g. web services / Software-as-a-Service (SaaS) applications including free-of-charge software.
The previously separate New Digital Education System Request form is now part of the CISC request, and it is no longer necessary to complete a separate form for Digital Education Systems.
What information is needed for the CISC request?
Please check you have all the information you need before starting.
- Details of hosting (e.g. locally installed, server hosted, web service)
- Name of supplier
- Type of license (e.g. site license, user licenses, device licenses, concurrent license)
- Cost of software/service
- Details of any data integration/data extract requirements
- Details of Single-Sign-On requirements
Requirements for IT support
For software/services which store classified data (The information below can usually be found on the supplier’s website under Privacy Policy / Data Policy)
- Information about any personal or otherwise confidential data which is stored/processed (including name/e-mail address)
- Classification of data which will be stored/processed and details about where this is stored.
- Copy of existing supplier Data Processing Agreement (if applicable) and Data Processing Impact Assessment (if required)
- Information about any card payments processed on behalf of the University.
- Details about supplier’s information protection standards (e.g. ISO27001, SOC2/3, PCI-DSS, etc.)
For software/services which have a web interface
Details about compliance with web accessibility standards (WCAG 2.1) (This can usually be found on the supplier’s website under Accessibility)
You can find a list of the CISC questions attached on this KB article to help you ensure you have all the information you need before starting. You may not be asked to fill in ALL questions; the questions will vary based on whether you are requesting a new purchase or a renewal and the types of data requirements. Once you are ready, you can fill in Contract Information for Software Compliance (CISC) request.
Why do we need to do this?
The University has a duty to ensure that all software and services meet our legal and other policy requirements in areas such as:
- Data Protection and Information Security (ensuring that staff and students’ personal information and otherwise confidential data is effectively secured and used appropriately).
- Accessibility (making sure that the software or services are accessible to all)
- Procurement (checking that contractual terms cover the proposed use of the software or service and that the purchase complies with the University’s procurement rules)
Renewals of our existing services are included in this process. This is to enable the University to complete regular compliance checks on the services provided by our current suppliers, as the standards that we need to deliver do change over time. (You can find a list of previously approved requests here on the Excel spreadsheet). You MUST still complete a form, however, if you insert the previous approval code from the list, you will only have to complete a reduced CISC process.
CISC Process: High-Level Process Map
1. Request submitted and the requester is given a reference number
2. Request Review: The request is reviewed by the appropriate teams (IT Contract Management, IT Governance (inc Accessibility), BRM, and Purchasing. If required Digital Education Service and IT architecture).
3. Stage 1 Approval / Decline: Typically less complex requests / Renewals
4. Stage 2 Approval / Decline: More complex requests are discussed on a weekly CISC group call.
5. Outcome: Given to the requester via the request raised.
What happens after your CISC request is submitted?
After completing your CISC request, the software/application will be reviewed to ensure it means the minimum standards.
For items like subscriptions, local installs, and items not sharing data this is usually completed in 7 days. For items that involve sharing confidential data or any integrations, it may take longer depending on the complexity.
Request outcome
You will receive an email with a formal decision from a member of the Contracts Assurance Group.
The Request number should be shared with purchasing via a SIPR.
Next Steps – After formal approval has been received.
Please do NOT commit to purchasing the software until the relevant checks have been passed.
If you need to pay a supplier, you will need to raise a requisition (SIPR), contact your local Finance Team to make a credit card purchase, or create a Science Warehouse requisition.
If you require IT to manage the license and raise the SIPR use this request form.
For any requests for software that will be used for teaching and need to be available widely, please complete a Teaching software request, via this link(Licence already purchased).
For installation of software (already purchased) use this request form.
We are working to merge these forms into one form (excluding the SIPR Form); we expect to have this in place by the end of the year.
Contact details
- BRM Team
- Katherine Viglianisi - IT Contract Manager - K.A.Viglianisi@leeds.ac.uk
- Neil Favager – IT Information Governance Manager - N.Favager@leeds.ac.uk
- Colin Challinor - Category Manager - c.challinor@adm.leeds.ac.uk
- Ben Waters – Category Manager - A.B.Waters@leeds.ac.uk
Question & Answers
- I have had this software for a long time, why do I need to follow this process?
The process for purchasing software and services has changed in line with University policy as a result of changes in the legislative and legal requirements placed upon the University in areas such as data protection, web accessibility, and information governance. - It’s free software, what do I need to do?
You still need to complete a CISC request. Even free software may store personal or otherwise confidential data or require integration with other systems. Some software is only free for personal users, so use within a University would be outside the terms of the contract. - I need to purchase some software or a web service for learning and teaching. Do I still need to complete the form?
Yes, the previously separate New Digital Education System Request form is now part of the CISC request. Whilst it is no longer necessary to complete a separate form for Digital Education Systems you will need to complete the CISC form to obtain DES approval for learning & teaching use.