Checklist for assessing third-party IT services
- Availability and reliability
- What guarantees are provided about support or level of service? Are they adequate for the intended use? For example, if the service is unavailable for an extended period of time, how seriously would this affect the Unit's activities?
- Continuity of service
- Is there any agreement concerning continuity of the service? How serious is the risk that the service might change its policies, or prices, or go out of business? For example, does the Unit care if a free service becomes a paying one, or one subsidized by advertising? Does the Unit have an alternative or exit strategy in such an eventuality?
- Support issues
- What level of support activity will be needed? Is the service widely used by comparable units outside Oxford? What is its public perception? Is there a strong community of existing users who can provide peer support, or will the Unit need to seek or provide specialist training? Does the service provide (e.g.) a hotline for academic or technical support issues beyond the run of the mill? Is it likely that existing IT support networks (e.g. OUCS Help desk) would be able to provide first-line support?
- Migration issues
- If the proposed service overlaps wholly or in part with a service already used by the Unit, what will the support costs be in moving existing users? Is migration without loss of information simple, technically feasible, or impossible? Does the proposed new service have all the functionality of the existing one (for example, does it provide the same or enhanced levels of security, backup, etc.)?
- Domino effects
- Will introduction of the new service affect other existing services, for example by reducing or increasing their importance or requiring changes in them? Is there a risk that the service would increase, for example, network traffic or spam beyond currently acceptable thresholds?
- Duplication effects
- Is the service (or something analogous) already being used by some other Unit? If so, is there scope for co-operation e.g. in licensing or in pooling of support activities? Alternatively, is there a risk of confusion or lack of data integrity if the same service is provided under different brandings within the University?
- Strategic and legal considerations
- How well does the new service conform to established University strategic priorities or practice? For example, can it take advantage of current university-wide authentication and identification systems? Is it equally usable in all hardware and software environments of importance to the Unit? Does the new service open the Unit to possible additional risk with respect to its legal obligations, e.g. privacy legislation, or contracts, e.g. Janet regulations? Is the service provided under terms specified by an enforceable contract between the service provider and the University?
- Rights issues
- Are the terms and conditions appropriate for the intended use? For example, if the service will store or manage material in which the Unit has rights, do the T & C adequately protect those rights?
- Privacy and confidentiality
- Are the terms and conditions adequate for the intended use? For example, who may access the Unit's data and in what circumstances? Is usage of the service auditable by the Unit (for example to track any alleged abuse)?
- Cost implications
- What are the cost-benefit implications of using the new service? What is the total cost (or saving), taking into account all the above considerations, of using this service as opposed to expanding (or continuing with) an existing internal service, or doing without? How will that cost be met?