Please enable javascript to view this page in its intended format.

Queen's University
 

Authorization to Operate

The  Authorization to Operate  process provides a structure, templates and check-list to assist in adoption of Software as a Service(SaaS) solutions at Queen's University.

Queen's University has chosen a "cloud first" strategy for enterprise solutions and is actively adopting web-based, hosted applications provided by Software as a Service (SaaS) vendors. By using SaaS, the university benefits from consistent and predictable costs, rapid deployment, and reduced management expenses. However, using SaaS introduces data theft and privacy concerns. Users connect over the Internet to vital business applications; the theft of usernames and passwords puts business data at risk.

The adoption and usage of these externally hosted solutions for central and/or critical university functions is growing fast and it is not going away; in fact, it is here to stay. In today’s business environment, a solid percentage of complex business functions are delivered through the use of off-premise applications. With each new app, vendor, and tool set comes more risk, so additional touch points are brought to the proverbial table effectively making a complex situation, even more complex.

For compliance purposes, businesses need to demonstrate the policies and practices protecting access to these vital applications and data. However, users frustrated with managing multiple password policies may inadvertently defeat the security measures and put business data at risk. Strong authentication and app management solutions help, but deploying these systems can be a major undertaking, which effectively cancels out the cost and simplicity benefits of SaaS in the first place.

Routinely, we see critical information or assets being shared with cloud providers, consultants, business process outsourcers, and a myriad of other such vendors. Inevitably for businesses, this signals a certain degree of control being lost or relinquished to vendors and others outside the business’s direct control and management capability. Organizations must stay engaged and remain ever vigilant to the risks associated with these arrangements.

There seems to be a fair bit of confusion amongst businesses relating to who is responsible for issues, such as data security. The confusion tends to cause many businesses to become complacent about their data security since they may in fact assume that the SaaS vendor has sufficiently strong security and privacy controls in place, even though the vendor may not actually have the level of security required. What all this comes down to is that the university service owner must take a more proactive approach to ensuring their data is truly and adequately protected.

What should you consider?

Service owners that are considering the use of (or are using) externally hosted services should always follow and execute due diligence when selecting and managing their vendor relationships. Data security, privacy, identity and access management as well as compliance considerations should always be high on the list.

During the due diligence process, businesses should discover a number of key concerns, asking questions about data classification, protection, access, and control such as:

Data protection

  • How will data be protected?
  • What controls does the vendor have in place for intrusion detection, perimeter security, physical security, application of security patches, and data-leak prevention, among other safety measures?

Data access

  • Who will have access to the data, and how can we confirm this?
  • How will data be protected?
  • Does the vendor have the right security controls to protect our data?
  • How will the provider ensure that others (i.e. those whose data resides on the same server as ours) are not able to view our data?
  • What controls does the vendor have in place for intrusion detection, perimeter security, physical security, application of security patches, and data-leak prevention, among other safety measures?

Data security

  • Who will have access to the data, and how can we confirm this?
  • Does the vendor have the right security controls to protect our data?
  • How will the provider ensure that others (i.e. those whose data resides on the same server as ours) are not able to view our data?
  • What policies and procedures are in place to detect, prevent, and mitigate identity theft?
  • Have there been any instances of identity theft experienced by the vendor in the last two years?
  • Does the vendor scan employee email and company social media platforms for potential breaches of customer data?
  • How are incidents and breaches reported?
  • Will we receive notification if a breach to our data occurs?
  • What policies and procedures are in place to detect, prevent, and mitigate identity theft?
  • Have there been any instances of identity theft experienced by the vendor in the last two years?
  • Does the vendor scan employee email and company social media platforms for potential breaches of customer data?
  • How are incidents and breaches reported?
  • Will we receive notification if a breach to our data occurs?

Disaster recovery & business continuity planning

  • Does the third party have a disaster recovery plan?
  • In the event of a disaster, how has the vendor protect our information assets?
  • Can we get our data back if the vendor goes out of business?
  • Does the third party have a disaster recovery plan?
  • In the event of a disaster, how will the vendor protect our information assets?

Contract & controls compliance verification

  • Does the potential vendor allow third-party verification?
  • If not, does the vendor provide such verification on its own?

As mentioned above, Queen's must take a more proactive approach to ensuring that their data is sufficiently protected. The reality is that the use of externally hosted solutions has become standard practice, but each different vendor will vary greatly on the control environments provided.


What should you do?

ITS has developed a process that addresses the above issues, and assembled tools to assist with the information gathering. The  Authorization to Operate  process provides a structure, templates and check-list to assist in adoption of Software as a Service (SaaS) solutions at Queen's University.

In addition, when dealing with SaaS contracts the Queen's Contract Signing Authority Matrix should consulted to provide direction for anyone engaged in:

  • making purchases of goods and services,
  • entering into or approving research contracts, investments or real estate transactions, or
  • entering into other agreements or commitments on behalf of the University.

The table below consists of a list of the templates, how and when to use them, along with links to download them:

Stages and Templates

Document

Description and stage required

RFP Questions

Download

 

 

The short form of these questions are to be  included in any RFP  that the Service Owner submits for a Cloud based or hosted Software as a Service solution.


The long form of this document is what is used when negotiating with or short listing proponents.

The responses to these questions will be reviewed by ITServices to assist in proponent selection.

 

Non Disclosure Agreement

Download

The Queen's Non Disclosure Agreement is to be  signed by Vendors prior to a contract  in which an exchange of personal and confidential information is necessary between Queen's and the vendor as part of a negotiation, review or understanding of a service.


Vendor SLA


Service Level Agreement (SLA)  document for the contract needs be in place to address details such as  a definition of services, performance measurement, problem management, customer duties, warranties, disaster recovery and termination of agreement. Having this document early in the in the process will help in the completion of the PRA.

Privacy Risk Assessment

Download

This document is the responsibility of the Service Owner, and will be completed with input from the Service Owner, the Vendor and from ITServices.

 

The Privacy Risk Assessment (PRA) shall provide an evaluation of controls and risks relative to the cloud environment in scope with an eye towards achieving the following objectives:

 

  • To determine the privacy risks related to the current implementation and how the implementation aligns with
    the Ontario legislation  - FIPPA - Freedom of Information and Protection of Privacy Act, and the Federal legislation – PIPEDA, Personal Information Protection and Electronic Documents (Note: PIPEDA applies to commercial organizations but the principles do apply.)
  • To understand and document where sensitive information is stored and used, the level of adequacy of the existing security controls in Queen's University (focus being on people, processes, and technical security).

The purpose of this report is to:

  • Document the findings of a security-focused Privacy Risk Assessment (PRA) for the Queen's University software applications and services in scope
  • Inform Clients and stakeholders about the privacy objectives and safeguards of the Queen's University software applications and processes
  • Allow Clients and stakeholders to understand how the Queen's University software applications, service and processes may contribute to the business risks that they must manage.

Signatures

Download

When all required documentation has been completed signatures are required by the following individuals to confirm the completion of the process, and the acceptance of any risk prior to go live of a SaaS solution at Queen's University.

 

  • Service Owner (Individual responsible for the service, at Queen's)
  • Data Steward (Owner of the data)
  • Queen's CIO
  • Queen's General Counsel

 

Operational Documentation

Download

Documentation will be required to identify the ongoing support of the service, contingency plans in case of an outage, notification process, contact information, licence renewal schedule and other areas that will provide the plan as to how the service will run efficiently. 


Operational Document is completed at the end of the AtO process, and links all the components that have been completed.
As a result, this becomes the Executive Summary of the collection of documents, and would be the first point of reference if needed.

 

Kingston, Ontario, Canada. K7L 3N6. 613.533.2000