Office of the CIO

Office of the CIO and Associate Vice-Principal (Information Technology Services)
Office of the CIO and Associate Vice-Principal (Information Technology Services)

Authorization to Operate

The Authorization to Operate process provides a structure, templates and check-list to assist in adoption of Software as a Service (SaaS) solutions at Queen's University. 

SaaS offers consistent and predictable costs, rapid deployment capability, and reduced management expenses. It is immensely practical, and sees increasingly common usage in many critical university functions - including those of Queen's University. It is here to stay, and will not be going away. However, using SaaS introduces data theft and privacy concerns. When users connect over the Internet in order to access vital business applications; the theft of usernames and passwords puts business data at risk.

Prior to beginning the process, it would be best to contact the Authorization to Operate team to discuss the proposed solution and the data elements that will be involved. An initial triage can be performed that will assist in the level of assessment that may be required.

Why is this needed?

Queen's University has chosen a "cloud first" strategy for enterprise solutions and is actively adopting web-based, hosted applications provided by Software as a Service (SaaS) vendors. By using SaaS, the university benefits from consistent and predictable costs, rapid deployment, and reduced management expenses. However, using SaaS introduces data theft and privacy concerns. Users connect over the Internet to vital business applications; the theft of usernames and passwords puts business data at risk.

The adoption and usage of these externally hosted solutions for central and/or critical university functions is growing fast and it is not going away; in fact, it is here to stay. In today’s business environment, a solid percentage of complex business functions are delivered through the use of off-premise applications. Each new app, vendor, and tool set brings with it more risk, so additional touch points are brought to the proverbial table, effectively further complicating an already complex situation.

For compliance purposes, businesses need to demonstrate the policies and practices protecting access to these vital applications and data. However, users frustrated with managing multiple password policies may inadvertently defeat the security measures and put business data at risk. Strong authentication and app management solutions help, but deploying these systems can be a major undertaking, which effectively cancels out the cost and simplicity benefits of SaaS in the first place.

Routinely, we see critical information or assets being shared with cloud providers, consultants, business process outsourcers, and a myriad of other such vendors. Inevitably for businesses, this signals a certain degree of control being lost or relinquished to vendors and others outside the business’s direct control and management capability. Organizations must stay engaged and remain ever vigilant to the risks associated with these arrangements.

There seems to be some confusion amongst businesses relating to who is responsible for issues, such as data security. The confusion tends to cause many businesses to become complacent about their data security since they may in fact assume that the SaaS vendor has sufficiently strong security and privacy controls in place, even though the vendor may not actually have the level of security required. What all this comes down to is that the university service owner must take a more proactive approach to ensuring their data is truly and adequately protected.

What should you consider?

Service owners that are considering the use of (or are using) externally hosted services should always follow and execute due diligence when selecting and managing their vendor relationships. Data security, privacy, identity and access management as well as compliance considerations should always be high on the list.

During the due diligence process, service owners should discover a number of key concerns, asking questions about data, protection, access, and controls such as:

Data classification

  • What type of data will be collected, used, stored, and processed by the vendor and how sensitive is it?

Access and use

  • Who will have access to the data, and how can we confirm this?
  • How will the provider ensure that others (i.e. those whose data resides on the same server as ours) are not able to view our data?
  • Does the vendor claim the right to use the information for its own, secondary purposes?
  • Does the vendor have any rights or obligations to disclose the information to another entity?

Privacy

  • Where does the vendor operate and/or store the data and what laws govern data in that jurisdiction?Are those laws comparable to Canadian privacy laws?
  • Does the vendor have any rights or obligations to disclose the information to another entity?
  • Is access to personal information limited and restricted to authorized individuals?

Security

  • What controls does the vendor have in place for intrusion detection, perimeter security, physical security, application of security patches, and data-leak prevention, among other safety measures?
  • What policies and procedures are in place to detect, prevent, and mitigate identity theft?
  • Have there been any instances of identity theft experienced by the vendor in the last two years?
  • Does the vendor scan employee email and company social media platforms for potential breaches of customer data?
  • How are incidents and breaches reported?
  • Will we receive notification if a breach to our data occurs?

Retention and deletion

  • Can the data be retrieved and/or permanently deleted from the vendor’s systems and servers?

Disaster recovery & business continuity planning

  • Does the third party have a disaster recovery plan?
  • In the event of a disaster, how has the vendor protect our information assets?
  • Can we get our data back if the vendor goes out of business?

Contract & controls compliance verification

  • Does the potential vendor allow third-party verification?
  • If not, does the vendor provide such verification on its own?

As mentioned above, Queen's must take a more proactive approach to ensuring that their data is sufficiently protected. The reality is that the use of externally hosted solutions has become standard practice, but each different vendor will vary greatly on the control environments provided.


Templates

Document

Description

Security & Privacy Risk Assessment of Service Owner

This document is the responsibility of the Project Manager, and will be completed with input from the Service Owner.

The Privacy Risk Assessment (PRA) shall provide an evaluation of controls and risks relative to the cloud environment in scope with an eye towards achieving the following objectives:

  • To determine the privacy risks related to the current implementation and how the implementation aligns with

    the Ontario legislation  - FIPPA - Freedom of Information and Protection of Privacy Act, and the Federal legislation – PIPEDA, Personal Information Protection and Electronic Documents (Note: PIPEDA applies to commercial organizations but the principles do apply.)
  • To understand and document where sensitive information is stored and used, the level of adequacy of the existing security controls in Queen's University (focus being on people, processes, and technical security).

The purpose of this report is to:

  • Document the findings of a security-focused Privacy Risk Assessment (PRA) for the Queen's University software applications and services in scope
  • Inform Clients and stakeholders about the privacy objectives and safeguards of the Queen's University software applications and processes
  • Allow Clients and stakeholders to understand how the Queen's University software applications, service and processes may contribute to the business risks that they must manage.

Security & Privacy Risk Assessment of Vendor

The initial portion of these questions are to be  included in any RFP  that the Service Owner submits for a Cloud based or hosted Software as a Service solution.

The detailed portion of this document is what is used when negotiating with or short listing proponents.

The responses to these questions will be reviewed by ITServices to assist in proponent selection.

Non Disclosure Agreement

The Queen's Non Disclosure Agreement is to be  signed by Vendors prior to a contract  in which an exchange of personal and confidential information is necessary between Queen's and the vendor as part of a negotiation, review or understanding of a service.

Vendor SLA

A  Service Level Agreement (SLA)  document for the contract needs be in place to address details such as  a definition of services, performance measurement, problem management, customer duties, warranties, disaster recovery and termination of agreement. Having this document early in the in the process will help in the completion of the PRA.

Signatures

When all required documentation has been completed signatures are required by the following individuals to confirm the completion of the process, and the acceptance of any risk prior to go live of a SaaS solution at Queen's University.

  • Service Owner (Individual responsible for the service, at Queen's)
  • Data Steward (Owner of the data, or delegate)
  • Queen's CIO
  • Queen's General Counsel

Operational Documentation

Documentation will be required to identify the ongoing support of the service, contingency plans in case of an outage, notification process, contact information, license renewal schedule and other areas that will provide the plan as to how the service will run efficiently. 

Operational Document is completed at the end of the AtO process, and links all the components that have been completed.

As a result, this becomes the Executive Summary of the collection of documents, and would be the first point of reference if needed.

 

In addition, when dealing with SaaS contracts, the Policy on Approval and Execution of Contracts and Invoices should be consulted to provide direction for anyone engaged in:

  • making purchases of goods and services,
  • entering into or approving research contracts, investments or real estate transactions, or
  • entering into other agreements or commitments on behalf of the University.