Risk assessment for selection of outsourcing or cloud computing provider

1. Introduction

1.1 This method statement describes the risk assessment steps that must be taken to select a third party to provide an outsourced or cloud computing University IT Service. It forms part of the University Information Security Policy.

2. Risk assessment

2.1 A project team of University staff comprising specialists in the following areas must be involved in the risk assessment process:

  • Information and contract law
  • Data protection
  • Information security
  • University procurement regulations
  • University IT (technical specialist)

2.2 The University team must fully document details of the service or facility to be outsourced including the value and sensitivity of the information involved and the criticality of the information for University operations.

2.3 The University team should analyse and document details of how the external party will access, store and process information and include as a minimum the following information:

  • who may have access to the University data
    • details of staff training and vetting procedures
    • details of any sub contractors involved
  • where the University data is stored
    • which country the data is held in
    • the jurisdiction of the contract
    • whether the storage is dedicated or shared
    • details of backups and restore testing
  • how securely the University data is stored
    • type of premises used and quality standards achieved
    • type of storage
    • whether encryption is used for authentication, for data at rest and for data in transit, and the strength of that encryption
    • how data is securely deleted at the end of the contract
    • auditing and quality control processes operated
    • change control process used
  • how University data is used
    • this should only be for purposes for which the data is supplied
    • this should respect sensitivities and obligations that come with the data to be processed or held
    • use should be in line with any legislative, contractual or common law obligations or duties of care
  • how available and reliable the service is
    • specify the availability targets and actions and penalties if the targets are not reached
    • how resilient the University's connection to the service is
    • upgrade schedule and impact on availability
    • hours of cover and support, including escalation mechanism
    • incident management procedure, including how and when the University is notified of a security incident
  • how viable the provider and the facility will be in the long term
    • the length of contract envisaged and termination options for the third party and the University
    • commercial viability of company providing the service
  • how the service might change in terms of user interface or conditions of use
    • enhancement and development plans
    • release schedule, past and future
    • method for releasing new features and notice period
    • policy for end of life of previous versions
  • how data can be recovered in the event of disaster or a decision to migrate elsewhere
    • facilities to migrate data to other systems
  • how the service might impact on the privacy of individuals
    • cookies, monitoring, location and tracking
    • loss of anonymity
    • exercise of rights by individuals
    • unsolicited advertising
    • ownership or retention of data
    • impact of new or changed functions

2.4 The University team must review the draft contract with the third party to identify how information security controls are covered in the formal agreement. If the service will involve transfer of personal data overseas, outside the European Economic Area, the contract should provide for the transfer and security of the data under the seventh (security of processing) and eighth (overseas transfers) Data Protection principles of the Data Protection Act 1998.

2.5 The University team must document how the third party service will be monitored and measured against the agreed Service Level Agreement to ensure that the University requirements are being met and that information security controls are effective.

2.6 The University team must assess whether the third party service meets the requirements of other University policy including Data Protection and Records Management.

2.7 The University team must review recent advice and guidance from other organisations concerning risk management in relation to cloud computing. Evidence of such appraisal must be recorded. Examples of such advice include:

2.8 When all the risk analysis steps above have been completed, the findings must be made available to the Director of Information (or nominated alternative) for review and further discussion. The Director of Information is responsible for making the decision about whether the outsourcing arrangement can proceed or not.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

12 September 2012 Approved by Information Policy Executive
08 October 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: January 2019