Managing 3rd Party Software Applications

Audience: College Staff

Notes: 


The implementation of new software applications not owned or endorsed by the West Australian Government or Department of Education must be checked by the College’s IT Support team for security vulnerabilities and privacy compliance.

In this article, 3rd Party software refers to a platform, either web or device based, that requires student data to be entered or uploaded into it. Accessing a website that is freely available to the public (i.e. it does not require a user to log in) does not need to be assessed under this policy.

Below are the steps that need to be completed prior to the implementation of new 3rd Party Software within the College.

  1. Open a service request with the IT Support Team
    To begin, open a service request at voyager.jbsc.wa.edu.au under the Software/ Application Request help topic. Be sure to include as much information as possible.
  2. Identification of Known Vulnerabilities
    The IT Support Team will then use CVE (Common Vulnerabilities and Exposures, https://cve.mitre.org/) to identify any known risks or vulnerabilities in the requested platform.
  3. Completion of Risk Assessment
    While researching the platform in CVE, the team will complete a Department of Education risk assessment form (attached below). This risk assessment checklist is designed to assist Department of Education business units/schools in ensuring that record-keeping issues and risks associated with cloud computing are properly identified, assessed and managed.
  4. Compatibility Check
    Upon completion of the risk assessment, the team will commence a compatibility check on the platform. This process differs between web-based and device-based platforms.
    • Web Based:
      • A testing device is used to access the web platform.
      • While this is occurring, the team monitors the incoming and outgoing traffic through the School Internet Gateway and/or Wireshark. Throughout this step, the team is looking for traffic that is being blocked, or being routed through foreign countries, that was not identified in the Risk Assessment.
    • Device Based:
      • A testing device is used to install and access the platform or application.
      • A range of stress tests or compatibility tests are run to ensure the device can operate at a level deemed suitable.
      • While this is occurring, the team monitors the incoming and outgoing traffic through the School Internet Gateway and/or Wireshark. Throughout this step, the team is looking for traffic that is being blocked, or being routed through foreign countries, that was not identified in the Risk Assessment.
  5. Approval
    Based on the outcomes of the risk assessment and compatibility check, approval from the Principal or RED is required. The level of approval is based on the risk associated with the implementation of the new platform.

Additional Resources:


Key Words

  • 3rd Party Applications, Students Online Policy, Cloud Computing, Risk Assessment