
IT Outsourcing and Cloud Computing Policy


This policy links with the University policy on information handling, which specifies how individuals may use outsourced or cloud computing providers that are not University IT Services (eg Dropbox, Amazon Web Services).

It explains the procedures, risk assessments and permissions required before third party solutions can be selected and implemented.

It applies to all departments and members of the University who are considering, selecting, implementing or operating a third-party service as a University IT service.


1. Policy

1.1 Outsourced and cloud computing IT services may be considered where new and changed IT services are planned. Legal obligations relating to information security, together with other aspects of implementing and operating outsourced services such as commercial and reputational risk, will be evaluated and managed through risk assessments and contractual agreements.

1.2 A formal process, including a risk assessment and review of proposed contractual terms and conditions, must be used to assess whether a University IT Service can be supplied by outsourcing or cloud computing (IT Outsourcing and Cloud Computing - Method Statement). The same process should be followed whether the University will pay for the service or use it free of charge. The process will involve University staff with expertise in procurement, law, information security, data protection and other areas as required. Specialist advice will be sought from external agencies where required.

1.3 Data Protection Screening Questions must be completed and returned to the Data Protection Officer for all new systems that process personal data. Where appropriate, a Data Protection Impact Assessment will be conducted.

1.4 The cloud computing risk assessment must determine whether the outsourcing arrangement should proceed and, if so, identify any specific controls that are required.

1.5 The contract must specify the information security and other standards the supplier is required to meet, and must include adequate remedies for breach as well as a Service Level Agreement (SLA) specifying working practices. The contract will ensure the supplier is aware of, and accepts, their responsibilities.

1.6 If the outsourcing or cloud computing arrangement involves the transfer of personal data, appropriate data protection clauses will need to be incorporated into the contract.

1.7 Where personal data is to be transferred outside the European Economic Area (ie the European Union and Norway, Iceland and Liechtenstein), additional safeguards will be needed to ensure compliance with international data transfer arrangements. Where Standard Contractual Clauses are used, supplementary measures (for example, technical measures such as encrypting the data before transfer) may also be required.

1.8 When the formal evaluation process is complete, the Director of Technology, Estates and Facilities (or nominated alternative) will decide if the information risks can be managed to an acceptable level. The project team will then consider all aspects of the outsourcing proposal to decide whether the University IT system or service can be supplied by the third party.

1.9 Use of a third-party service will not commence until any information security measures specific to the service have been implemented and a contract has been signed.

1.10 New services must be formally owned within the organisation, and a lead contact must be appointed and recorded as each new service is introduced.

1.11 Services provided by third parties will be routinely monitored and reviewed by the service owner to ensure that service changes and enhancements continue to meet the terms of the formal agreement and that University information security requirements continue to be satisfied.