Third Party Hosting

Externally hosted solutions (often referred to as "cloud services") can offer flexible, cost-effective and scalable means of fulfilling the University's requirements for storage, sharing and processing of digital data.

However, the use of cloud services entails transmitting and entrusting third parties with potentially sensitive data, and carries risks that should be carefully considered and managed. These guidelines provide a common process and a template for performing a consistent risk assessment of cloud services.

Third Party Hosting Security checklist

  • Definitions

    Term            Definition
    Cloud Service   SaaS, PaaS, or IaaS where University data is hosted or processed outside of University data centres
    SaaS            Software as a Service. Software applications accessible via a browser (eg PageUp, iModules, Gmail, SeatAdvisor, DropBox)
    PaaS            Platform as a Service. Platforms for developing and deploying applications (eg Google App Engine, Heroku)
    IaaS            Infrastructure as a Service. Virtual or physical hosting of server infrastructure (eg Amazon EC2, Windows Azure, Rackspace)
    SOC report      Service Organisation Controls report produced by an independent service auditor, attesting to the effectiveness of the service organisation's internal controls. There are several different types of SOC reports; "SSAE 16 SOC 1 Type 2" is the most common.
    SSAE 16         Statement on Standards for Attestation Engagements (SSAE) No 16 is an auditing and reporting standard published by the American Institute of Certified Public Accountants (AICPA)
  • Scope of applicability

    • This guideline applies to all types of "cloud" services including SaaS, IaaS, and PaaS.
    • The guideline and checklist should be used by any University schools or branches contemplating hosting a service and/or data in the cloud through one of the three types of third party hosting solutions.
  • Guidelines

    1. Use of third party hosting services should not expose the University to adverse security risks.
    2. Security internal controls implemented by the supplier should be comparable to or better than those that would apply if the equivalent service were hosted "on premise" at a University-managed data centre.
    3. The attached checklist should be completed to understand the controls in place to address common risks associated with external hosting and to assess the residual risk.
    4. Evidence of independent opinion such as an SOC report or report from penetration testing performed by a security professional should be obtained wherever possible.
    5. Consult Legal & Risk and Information Technology and Digital Services throughout the evaluation process or if you have any queries.
    6. Where residual risk is deemed unacceptable after mitigating controls are considered, then alternative options should be sought.
  • Assessment process

    Step 1  Complete the checklist with the help of the service vendor and IT Risk & Security Services, Information Technology and Digital Services
    Step 2  Obtain any supporting documents such as the Service Organisation Controls (SOC) report
    Step 3  Perform the risk assessment and agree on the residual risk
    Step 4  Accept the residual risk or implement additional controls
    Step 5  Send a copy of the completed checklist to IT Risk & Security Services and Legal & Risk
  • Related University policies