NIC Policy 3.08.07 Cloud Computing and Data Storage Services Guidelines

Guideline Overview:

This guideline provides the process to be followed when considering and before making a decision to contract Cloud Computing services such as:

  • Applications-As-A-Service (AaaS)/Software-As-A-Service (SaaS)
  • Platform-As-A-Service (PaaS)
  • Infrastructure-As-A-Service (IaaS).

Risk assessment

The Information Technology Department must conduct a risk assessment when considering the use of Cloud Computing services. The extent of the risk assessment must be commensurate with the data classification of the data that the Cloud Computing service under consideration will be using.

The following risk categories should be used when identifying risks:

  • quality - does the cloud solution meet stakeholder needs
  • financial - does the cloud solution provide value for money
  • organizational - does the cloud solution work within the college's culture
  • integration - what level and scope of integration is required for the solution
  • compliance - does the cloud solution comply with NIC's legal, regulatory, security, and policy obligations
  • business continuity - can the cloud solution recover from outages or disaster situations
  • external - is the Cloud Service Provider's performance adequate.

The Cloud Computing service provider and all subcontractors in the service provision supply chain must be subject to the risk assessment and conditions on the service agreement/contract.

Each of the factors below should be addressed when preparing a risk assessment for proposed Cloud Computing deployments. Refer to the Cloud Computing Engagement Schedule for a checklist to assist in preparation of the risk assessment.

Evaluation process

When deciding to use a Cloud Computing service or to store Information or data in a facility which is not owned by NIC, it is the responsibility of the Information Technology Department to consult with other appropriate Information System Owners, process owners, stakeholders, and subject matter experts during the evaluation process.

Intellectual property and copyright

Information or data must not be stored in such a way that allows unauthorized parties to claim ownership of the Information or data.

Location of provider and relevant infrastructure

Due to the nature of web-based services, providers or their equipment will often be based interstate or overseas. If any data is to be hosted or stored outside of the college, the Information Technology Department must check where this will be, who will have access, who will be managing this and how. Depending on the response, additional terms and conditions may need to be included in the legal contracts to mitigate any potential risks. Providers should notify the college if any of these conditions change during the agreement. Data stored outside of the United States may be subject to different laws, which could affect NIC compliance requirements, such as privacy.

Use of three-way encryption (upload, download and storage) should be considered to improve data security.

Privacy and Data Security

If Personal Information is involved, an assessment must be completed (effort commensurate with the risk) at the discretion of the Information Technology Department.

To fulfil its privacy obligations the College must take reasonable steps to protect Personal Information from misuse, loss, unauthorized access, modification or disclosure.

Extra protection may be needed if providers or equipment are based outside of the United States or overseas. Protections may not be as strong or may conflict with college requirements. For example, under US law the US Government may be able to require access to data without notifying the relevant owner; however, in Europe, the General Data Protection Regulation has additional and unique requirements.

If a Cloud Computing provider deals with any College Information (for example storing, transferring or accessing it) the Information Technology Department should check that there will be adequate controls in place for security and access to that data.

NIC will retain ownership of NIC Information irrespective of where it is stored. The Information Technology Department should be consulted where any security issues are unclear.

Relevant data security issues for the Information Technology Department to consider include:

  • data control
  • data encryption
  • blending of data with other customer data
  • business process if a security breach does occur or if data is damaged or destroyed
  • data backup frequency/conventions/standards/accessibility
  • availability of an audit trail to demonstrate that University data is reliable.

Relevant data access issues for departments requesting cloud services to consider include:

  • quick and easy access
  • format useability
  • process to follow if data cannot be accessed or access is delayed
  • ease with which the data can be amended or deleted if required.

Information or data that has been marked as Restricted Information must be stored in a way that minimizes the likelihood that the Information or data can be accessed by any unauthorised parties.

Records retention and availability

All NIC records, including but not limited to teaching and administrative records, must be stored, retained and accessed in accordance with relevant legislation and regulations, and NIC records retention practices.

Data classification

Data classification should determine the appropriate type of Cloud Computing service that may be used by the college.

Data to be considered for a Cloud Computing service must be classified according to the Data Stewardship, Security, and Protection Policy, Procedure, and Guideline.

Business continuity

  1. The Information System Owner must ensure the continuity of service for every system with a Cloud Computing provider. This requires the Information System Owner to:
    1. determine if the Cloud Computing provider's business continuity and disaster recovery plan is acceptable
    2. determine the impact of outages
    3. ensure the availability of data in the event of any and all types of outage (e.g. through off site backup data that is accessible to the organisation)
    4. prepare a business continuity plan for both short and long term
    5. include scheduled outages in service level agreements
    6. arrange a guarantee of availability
    7. consider the use of multiple Cloud Computing providers depending on the business criticality of the system deployed to the cloud
    8. determine whether Information is able to be retrieved or disposed of in compliance with the Public Records Act 2002 during or at the conclusion of a contract with the Cloud Computing provider.

Legal issues

Prior to acquiring or using a solution, the Information Technology Department should determine the contractual terms required, even when it is anticipated that a standardized 'click through' agreement will be the only option. A prior understanding of the College's terms will provide a basis to ensure the final contract will meet business requirements, security requirements and adequately address the risks associated with the cloud solution.

The department seeking a cloud solution should consult with the Chief Information Officer (CIO), appropriate IT Director, and Business Office, to establish a Service Level Agreement (SLA) with the vendor. At a minimum the SLA will include:

  1. clear definition of services
  2. agreed upon service levels including service availability time, service outages, routine maintenance timeframes, upgrades and changes to the cloud computing services
  3. clearly defined physical and logical security conditions
  4. performance measurement
  5. problem management
  6. customer duties
  7. disaster recovery
  8. termination of agreement
  9. protection of sensitive Information and intellectual property
  10. agreement of the disposal of Information when required
  11. definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.

An exit strategy for disengaging from the vendor and/or service should be planned before committing Information or data to a Cloud Computing or outsourced service. The exit strategy should outline how the relevant records will be preserved and maintained, and how the service can be discontinued or transitioned to another provider.