This policy links with University policy on information handling which specifies how individuals may use outsourced or cloud computing providers that are not University IT Services (e.g. Dropbox, Amazon Web Services).
It explains the procedures, risk assessments and permissions required before third party solutions can be selected and implemented.
It applies to all departments and members of the University who are considering, selecting, implementing or operating a third party service as a University IT service.
1.1 Outsourced and cloud computing IT services may be considered where new and changed IT services are planned. Legal obligations relating to information security and other aspects of implementing and operating outsourced services, such as commercial and reputation risk, will be evaluated and managed through the use of risk assessments and contractual agreements.
1.2 A formal procurement process, including a risk assessment and review of proposed contractual terms and conditions, must be used to assess whether a University IT Service can be supplied by outsourcing or cloud computing. The same process should be followed whether the University will pay for the service or use it free of charge. The process will be managed as a project and will involve University staff with expertise in procurement, information law, contract law, information security and data protection. Human Resources expertise may also be required. Specialist advice must be sought from external agencies where required.
1.3 The risk assessment will use the criteria defined in the “Method Statement - Risk assessment for selection of outsourcing or cloud computing provider”. The results of the risk assessment will identify if the outsourcing arrangement should proceed and if so, any requirements for specific controls.
1.4 The contract will be defined in accordance with the “Method Statement - Contractual requirements for IT outsourcing and cloud computing”. The contract will specify the information security and other standards the supplier is required to meet and will include adequate remedies for breach as well as a Service Level Agreement (SLA) specifying working practices. The contract will ensure the supplier is aware of and accepts their responsibilities.
1.5 If the outsourcing or cloud computing arrangement involves transfer of personal data overseas, outside the European Economic Area, the transfer is to be governed by a contract which provides for the transfer and security of the data under the seventh and eighth Data Protection principles.
1.6 If the outsourcing or cloud computing arrangement involves transfer of University data to the United States, the University will require the supplier to achieve, as a minimum, the standards of Safe Harbor registration (or such alternative scheme as replaces it) for the duration of the contract.
1.7 When the formal evaluation process is complete, the Director of Information (or nominated alternative) will decide if the information risks can be managed to an acceptable level. The project team will then consider all aspects of the outsourcing proposal to decide whether the University IT Service can be supplied by the third party. Depending on the risk and impact of the proposed new service, the Registrar and Secretary and/or Vice Chancellor might be asked to give their approval.
1.8 Use of a third-party service will not commence until any necessary information security measures specific to the service have been implemented and a contract has been signed.
1.9 University IT Services provided by third parties will be routinely monitored and reviewed by the service owner to ensure that service changes and enhancements continue to meet the terms of the formal agreement and that University information security requirements are being satisfied.
2.1 This policy applies to all departments and to all members of the University who might be considering, selecting, implementing or operating a third party service as a University IT service.
2.2 This policy links with University policy on information handling which specifies how individuals may use outsourced or cloud computing providers that are not University IT Services (e.g. Dropbox, Amazon Web Services).
2.4 This policy supplements University policy relating to procurement of goods and services including the University’s Financial Regulations and Purchasing Procedures.
3.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this policy and carry out regular reviews.
4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.
4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
4.3 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
4.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.
5.1 This document, together with related method statements is available at: http://www.york.ac.uk/.
Third party: External organisations, or individuals, involved in providing and operating an IT service, other than the University’s own staff or students.
Outsourcing: The use of an IT service from a third party supplier instead of using in-house capabilities.
Cloud computing: A type of outsourcing whereby an IT service is accessed via the internet. The service may include hardware rental, system software, application software or a combination of all three.
University IT Services: Services which are either provided directly by University departments and managed by University staff OR provided to the University by third parties under bilateral outsourcing or cloud computing arrangements. Examples include:
External IT services: Services which staff and students are able to access and use through the internet but which are provided by organisations with which the University does not have any formal agreement. Examples of use of external IT services include:
Document history:
12 September 2012: Approved by Information Policy Executive
08 October 2012: Approved by Information Security Board
29 January 2016: Reviewed and approved by Information Security Board
Review cycle: Three yearly
Date of next review: January 2019