Ensuring adequate protection and control of University data, whether personal or non-personal, comes under the umbrella of information security. Even where there are no legal obligations, the University has a responsibility to take care of other types of data or information created or controlled during the normal course of University business, whether for research, education or administration. Generally, data has value and there is a consequent and proportionate requirement to protect that data. The protection of data may include controlling access and use of the data; ensuring that the information is backed-up, archived or otherwise kept safe; and generally curating data to retain or enhance its value.
In practice it is the staff and students of the University who create, control, reuse and share data or information, some of which will be data owned or controlled by the University rather than by individuals (See University of Oxford Statute XVI: Property, Contracts, and Trusts (Part B: Intellectual Property)). Therefore individual staff and students of the University share in the responsibility for information security. This is an important consideration within the context of cloud IT services since it is now very easy for anyone to register to use online services that may be used for the processing of University data (e.g. file storage and sharing).
Information security is primarily concerned with ensuring that information or data is protected against unauthorised access and use; that data remains accurate and 'tamper-proof', and available when and to whom required. Data may be created during the course of research; or to support teaching and learning; or administration. The data may include commercially confidential data or may contain a set of ideas valuable to the University as intellectual property. Unauthorised access to, or the loss or damage of such data may result in reputational damage or financial costs to the University. Lost or damaged data may be costly or impossible to re-create. Of course, these observations apply to the safe-keeping of data more generally, whether held within or outwith the University. Cloud services may, of course, be used to facilitate the sharing and publication of data (e.g. “open access” data) and the continued availability of this data, whether to the general public or a defined group, may be a key requirement.
The degree and type of protection applied requires an assessment and classification of the data, together with an assessment of the risks to that data (i.e. how sensitive or valuable is the data, and what threats to the data do we need to protect against). This assessment and classification will be performed by the owners of that information type (commonly known as Information Asset Owners). Information Asset Owners will also define a set of handling rules for the information, following the guidance below.
|Access, store, process…||Confidential||Internal||Public|
||Any method allowed|
The University Information Security Policy applies to the management of all information or data, whether held within the University or transferred elsewhere, in physical or digital formats. The Policy applies to those who handle University-controlled data, whether as employees, students, contractors or suppliers. The Information Security Policy is therefore relevant for the selection and use of cloud services for the transfer and processing of University data (whether personal or non-personal).
The guidance relating to information security in this toolkit is designed to assess the suitability of the cloud service provider for use with University data. This is divided into two stages:
- Confirming that the handling rules for the information permit the use of cloud service providers; and
- Performing information security due diligence of potential cloud service providers.
The first stage is to confirm that the handling rules for the information permit the use of cloud based services. This will be defined by the Information Asset Owner based on the classification of the information. If the handling rules do not permit the use of cloud based services the Information Asset Owner may grant an exemption based on the specific circumstances. If there is no defined Information Asset Owner you may be the Information Asset Owner, for example by being the Principal Investigator for a research project, and will need to take responsibility for your data. The Information Security Team can support you in defining the rules for your data.
The second stage is to perform information security due diligence of potential cloud service providers to assess the information security control arrangements of any potential cloud service provider (CSP) to provide assurance that University information will be appropriately secured and that these arrangements comply with the handling rules for the information. This is formed of three activities:
If formally procuring a cloud service, completing a Third Party Security Assessment (TPSA) to gain assurance over the cloud service provider’s information security control environment. The Third Party Security Assessment template is included within any relevant procurement process led by the Purchasing Department. Of course, the response to the TPSA then requires analysis by the procurement group and the process may form the basis for a dialogue between the University and the cloud service provider. If cloud services are being engaged outside of a procurement process led by the Purchasing Department the Information Security Team can facilitate the completion of TPSA.
Developing a set of appropriate information security contractual provisions to provide adequate legal protection. A set of standard information security contractual clauses have been developed and will be incorporated into any relevant purchasing process led by the University Purchasing Department. For other, non-central, procurement please contact the Purchasing Department for the clauses and further guidance.
If considering the use of a consumer cloud service provider (e.g. Dropbox) or once terms have been set, it is important to complete the Cloud Security Checklist which provides the mechanism to document the University’s information security requirements and then review these against the provisions in the contract with the cloud service provider. The Information Security Team can facilitate this process on your behalf and help interpret the output.
It is recognised that the selection and use of cloud services is not always through a formal procurement process nor necessarily by a department of the University. Individual members of the University are generally free to use internal and external IT services during the course of their employment or studies. However, the use of University data with a cloud service still requires an assessment of both the data and the service prior to use.
This process is designed to assess the capability of the cloud service provider to provide an acceptable level of security (i.e. acceptable relative to the value or sensitivity of the data being accessed/stored/processed).
Key information security areas for evaluation, and the likely sources to use as a basis for evaluation, include:
- Cloud service provider's maturity and capability (sources: service-level agreement; customer references; sector recommendations);
- Information lifecycle security (sources: terms of service; service-level agreement; support documentation);
- Physical security (personnel and data centre) (sources: standards certification; security-related policies);
- Application and platform security (software) (sources: standards certification, security-related policies, release and change management policies);
- Access control security (sources: security-related policies; support documentation, e.g. for two-factor authentication);
- Network security (security-related policies);
- Encryption security (sources: security-related policies; support documentation);
- Technical vulnerability management (sources: terms of service or service-level agreement (e.g. for communications to customers));
- Incident management (sources: service-level agreement or terms of service);
- Service continuity and disaster-recovery management (sources: service-level agreement);
- Portability and interoperability (sources: terms of service (e.g. exit strategy), supporting documentation);
- Compliance and transparency (sources: terms of service).
- Cloud security guidance
- Cloud services information security flowchart (PDF)
- Cloud security checklist (Excel)
- Third-party security assessment template (Excel)