1.1 This method statement describes the risk assessment steps that must be taken to select a third party to provide an outsourced or cloud computing University IT Service. It forms part of the University Information Security Policy.
2.1 A project team of University staff comprising specialists in the following areas must be involved in the risk assessment process:
2.2 The University team must fully document details of the service or facility to be outsourced including the value and sensitivity of the information involved and the criticality of the information for University operations.
2.3 The University team should analyse and document details of how the external party will access, store and process information and include as a minimum the following information:
2.4 The University team must review the draft contract with the third party to identify how information security controls are covered in the formal agreement. If the service will involve transfer of personal data overseas, outside the European Economic Area, the contract should provide for the transfer and security of the data under the seventh and eighth Data Protection principles.
2.5 The University team must document how the third party service will be monitored and measured against the agreed Service Level Agreement to ensure that the University requirements are being met and that information security controls are effective.
2.6 The University team must assess whether the third party service meets the requirements of other University policy including Data Protection and Records Management.
2.7 The University team must review recent advice and guidance from other organisations concerning risk management in relation to cloud computing. Evidence of such appraisal must be recorded. Examples of such advice include:
2.8 When all the risk analysis steps above have been completed, the findings must be made available to the Director of Information (or nominated alternative) for review and further discussion. The Director of Information is responsible for making the decision about whether the outsourcing arrangement can proceed or not.
3.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this method statement and carry out regular reviews.
| Date | Action |
|---|---|
| 12 September 2012 | Approved by Information Policy Executive |
| 08 October 2012 | Approved by Information Security Board |
| 29 January 2016 | Reviewed and approved by Information Security Board |
Review cycle: Three yearly
Date of next review: January 2019