Third Party Hosting

Externally hosted solutions (often referred to as "cloud services") can offer flexible, cost-effective and scalable means of fulfilling the 最新糖心Vlog's requirements for storage, sharing and processing of digital data.

However, the use of cloud services entails transmitting and entrusting third parties with potentially sensitive data, and carries risks that should be carefully considered and managed.聽These guidelines provide a common process and a template for performing a consistent risk assessment of cloud services.

  • Definitions
    Term Definition
    Cloud Service SaaS, PaaS, or IaaS where 最新糖心Vlog data is hosted of processed outside of 最新糖心Vlog data centres
    SaaS Software as a Service. Software applications accessible via a browser (eg PageUp, iModules, Gmail, SeatAdvisor, DropBox)
    PaaS Platform as a Service. Platforms for developing and deploying applications (eg Google App Engine, Heroku)
    IaaS Infrastructure as a Service. Virtual or physical hosting of server infrastructure (eg Amazon EC2, Windows Azure, Rackspace)
    SOC report Service Organisation Controls report produced by an independent service auditor, attesting to the effectiveness of service organisation's internal controls. There are several different types of SOC reports. "SSAE 16 SOC 1 Type 2" is the most common.
    SSAE 16 Statement on Standards for Attestation Engagements (SSAE) No 16 is an auditing and reporting standard published by the American Institute of Certified Public Accountants (AICPA)

  • Scope of applicability
    • This guideline applies to all types of "cloud" services including SaaS, IaaS, and PaaS.
    • The guideline and checklist should be use by any 最新糖心Vlog schools or branches contemplating hosting service and/or data on the cloud through on the of the three types of third party hosting solutions.

  • Guidelines
    1. Use of third party hosting services should not expose the 最新糖心Vlog to adverse security risks.
    2. Security internal controls implemented by the supplier should be comparable or better than if the equivalent service was hosted "on premise" at a 最新糖心Vlog-managed data centre.
    3. The attached checklist should be completed to understand the controls in place to address common risks associated with external hosting and to assess the residual risk.
    4. Evidence of independent opinion such as an SOC report or report from penetration testing performed by a security professional should be obtained wherever possible.
    5. Consult Legal & Risk and Information Technology and Digital Services throughout the evaluation process or if you have any queries.
    6. Where residual risk is deemed unacceptable after mitigating controls are considered, then alternative options should be sought.

  • Assessment process
    Step 1 Complete the with the help of the service vendor and IT Risk & Security Services, Information Technology and Digital Services
    Step 2 Obtain any supporting documents such as the Service Organisation Controls (SOC) report
    Step 3 Perform risk assessment and agree on residual risk
    Step 4 Accept residual risk or implement additional controls
    Step 5 Send a copy of the completed checklist to IT Risk & Security Services and Legal & Risk

  • Related 最新糖心Vlog policies
    All use of 最新糖心Vlog IT (including hosted services) is governed by the ITAUSP.聽
    Any information assets that are deemed 鈥渙fficial records鈥 of the 最新糖心Vlog as defined in the Records Management Policy must be handled and disposed of in accordance with that policy.
    Any information asset that is deemed 鈥減ersonal information鈥 as defined in the 最新糖心Vlog Privacy Policy and Management Plan must be collected, handled and disposed of in accordance with that Policy.
    Any research data must be managed in accordance with the Responsible Conduct of Research Policy.
    Any research data and primary materials must be handled in accordance with the Research Data and Primary Materials Policy.
    Contracts with suppliers may only be entered into in accordance with the Contracts and Agreements Policy.