Information Technology Services

Authorization to Operate

The Authorization to Operate (ATO) process provides a structure, templates and check-list to manage risk in adoption of cloud applications at Queen's University. Cloud applications are offered by external service provider companies, installed off university premises, and also called Software as a Service, or SaaS. They offer consistent and predictable costs, rapid deployment capability, reduced management effort, and are in use in many areas of Queen's University. However, Queen's is still responsible for privacy and security of university information held in these applications. The ATO review ensures privacy and security practices of the application provider are appropriate to the information, and the necessary contractual responsibilities are present in the service agreement.

Start an Authorization to Operate by completing the project triage spreadsheet tool (Queen's login required), by following its Instructions tab. Send the completed file by email to the Authorization to Operate team. The team will confirm receipt, and then do an initial triage to determine the level of assessment that will be required.

A flowchart summarizing the core components of the Authorization to Operate process can be found here.

Why is this needed?

In today's business environment, more and more business functions are delivered through off-premises applications. Every new app, vendor, or toolset brings more risk and requires more touch points to support it, further complicating an already complex situation.

For compliance purposes, organizations need to demonstrate the policies and practices protecting access to these vital applications and data. However, users frustrated with managing multiple password policies may inadvertently defeat the security measures and put business data at risk. Strong authentication and app management solutions help, but deploying these systems can be a major undertaking, which effectively cancels out the cost and simplicity benefits of cloud applications in the first place.

Routinely, we see critical information or assets being shared with cloud providers, consultants, business process outsourcers, and a myriad of other such vendors. Inevitably for businesses, this signals a certain degree of control being lost or relinquished to vendors and others outside the business’s direct control and management capability. Organizations must stay engaged and remain ever vigilant to the risks associated with these arrangements.

There seems to be some confusion amongst businesses relating to who is responsible for issues, such as data security. The confusion tends to cause many businesses to become complacent about their data security since they may in fact assume that the service vendor has sufficiently strong security and privacy controls in place, even though the vendor may not actually have the level of security required. What all this comes down to is that the university service owner must take a more proactive approach to ensuring their data is truly and adequately protected.

What should you consider?

Service owners that are considering the use of (or are using) externally hosted services should always follow and execute due diligence when selecting and managing their vendor relationships. Data security, privacy, identity and access management as well as compliance considerations should always be high on the list.

During the due diligence process, service owners should investigate a number of key concerns by asking questions about data, protection, access, and controls, such as:

Data classification

  • What type of data will be collected, used, stored, and processed by the vendor and how sensitive is it?

Access and use

  • Who will have access to the data, and how can we confirm this?
  • How will the provider ensure that others (i.e. those whose data resides on the same server as ours) are not able to view our data?
  • Does the vendor claim the right to use the information for its own, secondary purposes?
  • Does the vendor have any rights or obligations to disclose the information to another entity?


  • Where does the vendor operate and/or store the data and what laws govern data in that jurisdiction? Are those laws comparable to Canadian privacy laws?
  • Is access to personal information limited and restricted to authorized individuals?


  • What controls does the vendor have in place for intrusion detection, perimeter security, physical security, application of security patches, and data-leak prevention, among other safety measures?
  • What policies and procedures are in place to detect, prevent, and mitigate identity theft?
  • Have there been any instances of identity theft experienced by the vendor in the last two years?
  • Does the vendor scan employee email and company social media platforms for potential breaches of customer data?
  • How are incidents and breaches reported?
  • Will we receive notification if a breach to our data occurs?

Retention and deletion

  • Can the data be retrieved and/or permanently deleted from the vendor’s systems and servers?

Disaster recovery & business continuity planning

  • Does the third party have a disaster recovery plan?
  • In the event of a disaster, how will the vendor protect our information assets?
  • Can we get our data back if the vendor goes out of business?

Contract & controls compliance verification

  • Does the potential vendor allow third-party verification?
  • If not, does the vendor provide such verification on its own?

As mentioned above, Queen's must take a more proactive approach to ensuring that its data is sufficiently protected. The reality is that the use of externally hosted solutions has become standard practice, but the control environments provided by different vendors vary greatly.

Key Elements
Triage Tool

Queen's ITS has developed a simple and effective triage tool that can rapidly gauge the security risk factor of a prospective service. This is done at the beginning of the ATO process by the Service Owner, and is a highly useful indicator of the level of detail required in the subsequent security assessments.

Other Items

After the triage stage, Vendors will be required to complete a Security and Privacy Risk Assessment (SPRA). The purpose of this is to examine in detail the privacy and security risk profiles of the prospective service. The Vendor will need to complete a questionnaire, the responses to which will be reviewed by Queen's ITS. If necessary, further information may be requested.

Concurrently, the contract to be signed by the Vendor will be arranged with input from the Queen's legal team. Other documentation may need to be compiled as necessary.

In some cases, the Service Owner will have to complete a Privacy Impact Assessment (PIA), for example with services where Queen's is to be an active participant in the access and usage of the data. The PIA aims to identify and mitigate the potential privacy risks in the event that this data should be compromised.

NOTICE: The purpose of the ATO process IS NOT to determine whether or not a service is fit for use. It is instead intended to outline the security and privacy risks involved in the use of the service; a completed ATO is simply an acknowledgement of assessment results, and an acceptance by the Service Owner of these risks and responsibilities.

Queen's ITS will review the responses received, after which further information may be requested if necessary.

If the service involves the use and/or storage of personal information, Service Owners must complete a Privacy Impact Assessment (PIA). This aims to identify and mitigate the potential privacy risks in the event that the information should be compromised. Ideally, this should be done as early in the process as possible.

Concurrently, a contract will be constructed by the Queen's CIO and legal representatives through an Agreement Review. Once all parties are satisfied and all of the relevant documentation has been assembled and completed, the contract may be signed.
In addition, when dealing with SaaS contracts, the Policy on Approval and Execution of Contracts and Invoices should be consulted to provide direction for anyone engaged in:

  • making purchases of goods and services,
  • entering into or approving research contracts, investments or real estate transactions, or
  • entering into other agreements or commitments on behalf of the University.

Last Updated: June 26, 2019