1.1 This method statement describes the steps that must be taken to select and introduce an outsourced or cloud computing system. It forms part of the University Information Security Policy.
2.1 The service or department leading on the introduction of the system must appoint a lead contact to work through these steps. A lead contact for the system post implementation must also be agreed.
2.2 Data Protection Screening Questions must be completed and returned to the Data Protection Officer for all new systems that process personal data. Where appropriate, a Data Protection Impact Assessment will be conducted.
2.3 Working with the supplier (or using materials that the supplier makes available), a Computing Risk Assessment must be completed for review and sign off by the Director of Infrastructure and Faculty IT. The implementation and ongoing adherence to any resultant controls will be the responsibility of the service owner.
2.4 Draft contracts must be prepared, reviewed and judged to be suitable prior to being entered into. Contracts must be signed off by the Head of Procurement (or nominated alternative).
2.5 Final contracts must be agreed by the senior manager responsible for the service. If the service is to be provided at a University level the contract should be agreed by the Director of Technology, Estates and Facilities or their nominated alternative.
3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this method statement and carry out regular reviews.
|12 September 2012||Approved by Information Policy Executive|
|08 October 2012||Approved by Information Security Board|
|29 January 2016||Reviewed and approved by Information Security Board|
|18 November 2020||Reviewed and approved by Information Security Board|
Review cycle: Three yearly
Date of next review: November 2023