Office of the CIO

Office of the CIO and Associate Vice-Principal (Information Technology Services)

Authorization to Operate

NOTICE:
The Authorization to Operate process is currently undergoing a review, and as such the process has been temporarily placed on hold.
 
If you do require immediate security, privacy, or legal advice for any new tool or service, please contact:
 
Joshua Lim
Security Associate, Information Technology Services
Phone: 613 533-6000 x75058
E-Mail: jl261@queensu.ca
 
Carolyn Heald
Director, University Records Management and Chief Privacy Officer 
Phone: 613 533-6000 x75226
E-Mail: carolyn.heald@queensu.ca


The Authorization to Operate process provides a structure, templates and a check-list to assist in the adoption of Software as a Service (SaaS) solutions at Queen's University.

SaaS offers consistent and predictable costs, rapid deployment, and reduced management expenses. It is immensely practical and is increasingly used for many critical university functions, including those of Queen's University. It is here to stay. However, using SaaS introduces data theft and privacy concerns: because users reach vital business applications over the Internet, any theft of usernames and passwords puts business data at risk.

Before beginning the process, contact the Authorization to Operate team to discuss the proposed solution and the data elements that will be involved. An initial triage can then be performed to determine the level of assessment that may be required.

A flowchart summarizing the core components of the Authorization to Operate process can be found here.

Why is this needed?

In today's business environment, more and more business functions are delivered through off-premise applications. Every new app, vendor, or toolset brings additional risk, and more touch points are needed to support it, further complicating an already complex situation.

For compliance purposes, businesses need to demonstrate the policies and practices protecting access to these vital applications and data. However, users frustrated with managing multiple password policies may inadvertently defeat the security measures and put business data at risk. Strong authentication and app management solutions help, but deploying these systems can be a major undertaking, which effectively cancels out the cost and simplicity benefits of SaaS in the first place.

Routinely, we see critical information or assets being shared with cloud providers, consultants, business process outsourcers, and a myriad of other such vendors. Inevitably for businesses, this signals a certain degree of control being lost or relinquished to vendors and others outside the business’s direct control and management capability. Organizations must stay engaged and remain ever vigilant to the risks associated with these arrangements.

There is often confusion among businesses about who is responsible for issues such as data security. This confusion leads many businesses to become complacent about their data security, because they assume that the SaaS vendor has sufficiently strong security and privacy controls in place, even though the vendor may not actually provide the level of security required. The conclusion is that the university service owner must take a more proactive approach to ensuring that their data is truly and adequately protected.

What should you consider?

Service owners that are considering the use of (or are already using) externally hosted services should always exercise due diligence when selecting and managing their vendor relationships. Data security, privacy, identity and access management, and compliance considerations should always be high on the list.

During the due diligence process, service owners should investigate a number of key concerns, asking questions about data, protection, access, and controls such as:

Data classification

  • What type of data will be collected, used, stored, and processed by the vendor and how sensitive is it?

Access and use

  • Who will have access to the data, and how can we confirm this?
  • How will the provider ensure that other tenants (i.e. those whose data resides on the same server as ours) are not able to view our data?
  • Does the vendor claim the right to use the information for its own, secondary purposes?
  • Does the vendor have any rights or obligations to disclose the information to another entity?

Privacy

  • Where does the vendor operate and/or store the data, and what laws govern data in that jurisdiction? Are those laws comparable to Canadian privacy laws?
  • Is access to personal information limited and restricted to authorized individuals?

Security

  • What controls does the vendor have in place for intrusion detection, perimeter security, physical security, application of security patches, and data-leak prevention, among other safety measures?
  • What policies and procedures are in place to detect, prevent, and mitigate identity theft?
  • Have there been any instances of identity theft experienced by the vendor in the last two years?
  • Does the vendor scan employee email and company social media platforms for potential breaches of customer data?
  • How are incidents and breaches reported?
  • Will we receive notification if a breach to our data occurs?

Retention and deletion

  • Can the data be retrieved and/or permanently deleted from the vendor’s systems and servers?

Disaster recovery & business continuity planning

  • Does the third party have a disaster recovery plan?
  • In the event of a disaster, how will the vendor protect our information assets?
  • Can we get our data back if the vendor goes out of business?

Contract & controls compliance verification

  • Does the potential vendor allow third-party verification?
  • If not, does the vendor provide such verification on its own?

As mentioned above, Queen's must take a more proactive approach to ensuring that its data is sufficiently protected. The reality is that the use of externally hosted solutions has become standard practice, but the control environment provided varies greatly from vendor to vendor.


Key Elements

Triage Tool

Queen's ITS has developed a simple and effective triage tool that can rapidly gauge the security risk factor of a prospective service. It is completed by the Service Owner at the beginning of the AtO process, and is a highly useful indicator of the level of detail required in subsequent security assessments.

Other Items

After the triage stage, Vendors will be required to complete a Security and Privacy Risk Assessment (SPRA). The purpose of this is to examine in detail the privacy and security risk profiles of the prospective service. The Vendor will need to complete a questionnaire, the responses to which will be reviewed by Queen's ITS. If necessary, further information may be requested.

Concurrently, the contract to be signed by the Vendor will be arranged with input from the Queen's legal team. Other documentation may need to be compiled as necessary.

In some cases, the Service Owner will have to complete a Privacy Impact Assessment (PIA), for example for services where Queen's is to be an active participant in the access and usage of the data. The PIA aims to identify and mitigate the potential privacy risks in the event that this data should be compromised.

NOTICE: The purpose of the AtO process IS NOT to determine whether or not a service is fit for use. It is instead intended to outline the security and privacy risks involved in the use of the service; a completed AtO is simply an acknowledgement of the assessment results, and an acceptance by the Service Owner of these risks and responsibilities.

Queen's ITS will review the responses received, after which further information may be requested if necessary. 

If the service involves the use and/or storage of personal information, Service Owners must complete a Privacy Impact Assessment (PIA). This aims to identify and mitigate the potential privacy risks in the event that the information should be compromised. Ideally, this should be done as early in the process as possible.

Concurrently, a contract will be constructed by the Queen's CIO and legal representatives through an Agreement Review. Once all parties are satisfied and all of the relevant documentation has been assembled and completed, the contract may be signed.

Once the contract is complete, a memo will be produced by Queen's ITS to summarise the key points and outcomes of the particular AtO process.


Signatures

When all required documentation has been completed, signatures are required from the following individuals to confirm the completion of the process and the acceptance of any risk prior to the go-live of a SaaS solution at Queen's University:

  • Service Owner (Individual responsible for the service, at Queen's)
  • Data Steward (Owner of the data, if required)
  • Queen's CIO
  • Queen's Legal Counsel

In cases of high risk, a further signature may be required by the head of the hosting department/faculty.


In addition, when dealing with SaaS contracts, the Policy on Approval and Execution of Contracts and Invoices should be consulted to provide direction for anyone engaged in:

  • making purchases of goods and services,
  • entering into or approving research contracts, investments or real estate transactions, or
  • entering into other agreements or commitments on behalf of the University.