Defining the University’s approach to third party computing facilities and services
This control procedure defines the University’s approach to the use of third party computing facilities and services, and directly supports the following policy statements from the Information Security Policy:
Information processing facilities are housed in secure areas, physically protected from unauthorised access, damage and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorised access and protect assets, especially those that are critical or sensitive, against forcible or surreptitious attack.
The University will ensure the correct and secure operations of information processing systems. This will include documented operating procedures; the use of formal change and capacity management; controls against malware; defined use of logging; vulnerability management.
The University will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.
Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems. Controls to mitigate any risks identified will be implemented where appropriate. Systems development will be subject to change control and separation of test, development and operational environments.
This procedure is intended to be read and understood by any staff considering the use of cloud storage or systems; ISDS and other staff who are responsible for the implementation of IT systems; and those involved in scoping projects that may require the processing of University information by other parties.
Cloud computing solutions – that is, internet-accessed solutions hosted by another party rather than in the University’s data centre – will be considered alongside traditional in-house solutions as an appropriate response to business needs. Legal obligations relating to information security and other aspects of implementing and operating outsourced services, such as commercial and reputational risk, will be evaluated and managed through the use of risk assessments and contractual agreements.
A formal procurement process, including a risk assessment and review of proposed contractual terms and conditions, must be undertaken to assess whether a University IT service can be supplied via cloud computing services. Consideration should be given to existing procedures around IT project management and risk assessment.
Advice on the information security aspects of cloud computing can be provided by the Information Security team where required. The University’s Legal team must be consulted regarding data protection considerations and contractual terms and conditions.
The use of both University-provisioned and personal cloud storage – such as MS OneDrive, SharePoint Online, Dropbox or Google Drive – is covered in the Information Classification Scheme.
Cloud computing solutions will be evaluated on a case-by-case basis against the University’s information security policies, procedures and guidelines as well as established good practice, such as the HMG Cloud Security Principles.
Cloud computing solutions must deliver the same or better levels of service as an in-house solution to ensure business continuity, in line with the requirements of the business service being delivered.
Consideration should be given to the nature of the information being stored in the cloud solution, in line with the University’s Information Classification Scheme. Where personal data is going to be processed, a privacy impact assessment must be undertaken in consultation with the Legal team.
The Information Security team will provide advice and assistance throughout all stages of the consideration of cloud computing solutions.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this procedure will be undertaken by the Information Security Manager annually, or more frequently as required, and will be approved by the Information Security Board.