This policy links with University policy on information handling which specifies how individuals may use outsourced or cloud computing providers that are not University IT Services (e.g. DropBox, Amazon web services).
It explains the procedures, risk assessments and permissions required before third party solutions can be selected and implemented.
It applies to all departments and members of the University who are considering, selecting, implementing or operating a third party service as a University IT service.
1.1 Outsourced and cloud computing IT services may be considered where new and changed IT services are planned. Legal obligations relating to information security and other aspects of implementing and operating outsourced services, such as commercial and reputation risk, will be evaluated and managed through the use of risk assessments and contractual agreements.
1.2 A formal process, including a risk assessment and review of proposed contractual terms and conditions, must be used to assess whether a University IT Service can be supplied by outsourcing or cloud computing (IT Outsourcing and Cloud Computing - Method Statement). The same process should be followed whether the University will pay for the service or use it free of charge. The process will involve University staff with expertise in procurement, law, information security, data protection and other areas as required. Specialist advice will be sought from external agencies where required.
1.3 Data Protection Screening Questions must be completed and returned to the Data Protection Officer for all new systems that process personal data. Where appropriate, a Data Protection Impact Assessment will be conducted.
1.4 The computing risk assessment must identify if the outsourcing arrangement should proceed and if so, any requirements for specific controls.
1.5 The contract must specify the information security and other standards the supplier is required to meet and will include adequate remedies for breach as well as a Service Level Agreement (SLA) specifying working practices. The contract will ensure the supplier is aware of and accepts their responsibilities.
1.6 If the outsourcing or cloud computing arrangement involves the transfer of personal data, appropriate data protection clauses will need to be incorporated into the contract.
1.7 Where personal data is to be transferred outside the European Economic Area (i.e. the European Union and Norway, Iceland and Liechtenstein) additional safeguards will be needed to ensure compliance with international data transfer arrangements. Where Standard Contractual Clauses are used, supplementary measures may also be required.
1.8 When the formal evaluation process is complete, the Director of Technology, Estates and Facilities (or nominated alternative) will decide if the information risks can be managed to an acceptable level. The project team will then consider all aspects of the outsourcing proposal to decide whether the University IT system or service can be supplied by the third party.
1.9 Use of a third-party service will not commence until any necessary information security measures specific to the service have been implemented and a contract has been signed.
1.10 New services must be formally owned within the organisation and a lead contact must be appointed and recorded as new services are introduced.
1.11 Services provided by third parties will be routinely monitored and reviewed by the service owner to ensure that service changes and enhancements continue to meet the terms of the formal agreement and that University information security requirements are being satisfied.
2.1 This policy applies to all departments and to all members of the University who might be considering, selecting, implementing or operating a third party service as a University IT service.
2.2 This policy supplements other University policies including the University’s Financial Regulations, Purchasing Procedures and policy relating to procurement of goods and services, Data Protection and Records Management.
3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this policy and carry out regular reviews.
4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.
4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
4.3 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
4.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.
External organisations, or individuals, involved in providing and operating an IT service, other than the University’s own staff or students
The use of an IT service from a third party supplier instead of using in-house capabilities
A type of outsourcing whereby an IT service is accessed via the internet. The service may include hardware rental, system software, application software or a combination of all three.
Services which are either provided directly by University departments and managed by University staff OR provided to the University by third parties under bilateral outsourcing or cloud computing arrangements. Examples include:
Services which staff and students are able to access and use through the internet but which are provided by organisations with which the University does not have any formal agreement. Examples of use of external IT services include:
|12 September 2012||Approved by Information Policy Executive|
|08 October 2012||Approved by Information Security Board|
|29 January 2016||Reviewed and approved by Information Security Board|
|18 November 2020||Reviewed and approved by Information Security Board|
Review cycle: Three yearly
Date of next review: November 2023