Third Party Hosting
Externally hosted solutions (often referred to as "cloud services") can offer flexible, cost-effective and scalable means of fulfilling the University's requirements for storage, sharing and processing of digital data.
However, the use of cloud services entails transmitting and entrusting third parties with potentially sensitive data, and carries risks that should be carefully considered and managed. These guidelines provide a common process and a template for performing a consistent risk assessment of cloud services.
Definitions
Cloud Service: SaaS, PaaS, or IaaS where University data is hosted or processed outside of University data centres.
SaaS: Software as a Service. Software applications accessible via a browser (eg PageUp, iModules, Gmail, SeatAdvisor, DropBox).
PaaS: Platform as a Service. Platforms for developing and deploying applications (eg Google App Engine, Heroku).
IaaS: Infrastructure as a Service. Virtual or physical hosting of server infrastructure (eg Amazon EC2, Windows Azure, Rackspace).
SOC report: Service Organisation Controls report produced by an independent service auditor, attesting to the effectiveness of a service organisation's internal controls. There are several different types of SOC reports; "SSAE 16 SOC 1 Type 2" is the most common.
SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No 16 is an auditing and reporting standard published by the American Institute of Certified Public Accountants (AICPA).
Scope of applicability
Step 1: Complete the checklist with the help of the service vendor and IT Risk & Security Services, Information Technology and Digital Services.
Step 2: Obtain any supporting documents, such as the Service Organisation Controls (SOC) report.
Step 3: Perform the risk assessment and agree on the residual risk.
Step 4: Accept the residual risk or implement additional controls.
Step 5: Send a copy of the completed checklist to IT Risk & Security Services and Legal & Risk.
Related University policies