IT Outsourcing and Cloud Computing - Method Statement

1. Introduction

1.1 This method statement describes the steps that must be taken to select and introduce an outsourced or cloud computing system. It forms part of the University Information Security Policy.

2 Process

2.1 The service or department leading on the introduction of the system must appoint a lead contact to work through these steps. A lead contact for the system post implementation must also be agreed.

2.2 Data Protection Screening Questions must be completed and returned to the Data Protection Officer for all new systems that process personal data. Where appropriate, a Data Protection Impact Assessment will be conducted.

2.3 Working with the supplier (or using materials that the supplier makes available), a Computing Risk Assessment must be completed for review and sign off by the Director of Infrastructure and Faculty IT. The implementation and ongoing adherence to any resultant controls will be the responsibility of the service owner.

2.4 Draft contracts must be prepared, reviewed and judged to be suitable prior to being entered into. Contracts must be signed off by the Head of Procurement (or nominated alternative).

2.5 Final contracts must be agreed by the senior manager responsible for the service. If the service is to be provided at a University level the contract should be agreed by the Director of Technology, Estates and Facilities or their nominated alternative.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

12 September 2012	Approved by Information Policy Executive
08 October 2012	Approved by Information Security Board
29 January 2016	Reviewed and approved by Information Security Board
18 November 2020	Reviewed and approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: November 2023