external hosting (cloud) evaluation checklist - detailed
INITIAL RISK ANALYSIS – EXTERNAL HOSTING SOLUTIONS
OU Name: ………………….……………
Date of Review: ……………
Compiled by: ………………………………. Date: ……………
Approved by: ……………………………… Date: …………….
Note: This is an initial, high level analysis of the potential risks associated with UQ entering into external hosting solutions and is intended as a general guide only. A definitive analysis of the risks associated with a particular proposed external hosting solution should be conducted once the detailed particulars of the particular solution (eg proposed service provider, jurisdiction in which University data will be hosted, technical features of the solution, commercial offering and service provider’s proposed contractual terms) are known.
IDENTIFICATION ANALYSIS
Each entry below gives: Ref; Brief risk description; Details of risk; Impact; Potential measures (controls) which could minimise risk.
1. Business risks

1.1 Downtime
Details of risk: Loss of service / access to data.
Impact: Business impact will depend on importance of service / application / data to the business. See also Legal section of this paper.
Potential measures (controls):
- Contractual provisions including indemnities, robust service level and service credits regime, specified failover requirements / business continuity obligations linked to service credits / most favoured customer clause, if possible
- Insurance coverage – UQ and/or service provider

1.2 Reliance upon / tie to chosen service provider for future services
Impact: Less commercial leverage
Potential measures (controls):
- Interoperability due diligence
- Contractual provisions around interoperability
- Robust exit provisions and vigilance in ensuring these are used (eg ensure exit plan is prepared and kept up to date as part of contract management)

1.3 Chosen service provider becomes insolvent
Impact: Loss of service; need to bring service in-house or transfer to another service provider
Potential measures (controls):
- Contractual provisions requiring service provider to notify on insolvency events (see GITC definition of insolvency events), so that UQ has prior notice of potential insolvency and allowing UQ to terminate agreement and/or enliven exit services upon certain insolvency events
- Also as per Ref 1.2

1.4 Data loss
Details of risk: Service provider loses client data.
Impact: Loss of data. Business impact will depend on importance of data to the business. See also Legal section of this paper.
Potential measures (controls):
- Ensure service provider offers backup and archiving services
- UQ clients may need to maintain local backup of data
- Insurance coverage – UQ and/or service provider
- Also as per Ref 1.1 in relation to downtime
2. Technical risks

2.1.1 Interoperability
Details of risk: Restrictive client-side OS or browser requirements for Software-as-a-Service (SaaS) offerings
Impact: Not usable by all UQ clients
Potential measures (controls):
- SaaS offerings use browser for client side
- Supported browsers must at least include Internet Explorer, Safari, Firefox

2.1.2 Service provider upgrades software and/or infrastructure
Impact: Cost/time impact on UQ users; data integrity (cover in contract)
Potential measures (controls):
- Adequate notification and details of upgrades (cover in contract)
- Service provider must provide migration tools if appropriate to upgrade activity

2.1.3 Lack of confirmed VM image format standardisation complicates migration of VMs between UQ and service provider clouds and between service provider clouds
Impact: Cost/time impact on UQ clients
Potential measures (controls): UQ clients made aware

2.1.4 IP address changes of externally hosted services
Impact: Service availability
Potential measures (controls): Service providers need to provide UQ with an IP address, a small range of IP addresses or a DNS name

2.2.1 Integration
Details of risk: Service cannot utilise Identity Provider services
Impact: Security and inconvenience (users potentially have to remember many passwords)
Potential measures (controls): Service provider demonstrates capability to use external Identity Provider services

2.2.2 Lack of standardised service provider APIs
Impact: Lock-in to specific service provider
Potential measures (controls):
- Encourage service providers to participate in standardisation activities
- Promote UQ client awareness

2.2.3 Decentralised use of cloud services results in a multitude of hosted services and therefore service providers, some providing the same services, and a corresponding number of UQ-based processes and software to utilise these services
Impact:
- Support and maintenance costs associated with each instance of locally developed software interacting with a hosted service
- Support and maintenance costs for each local provisioning and deprovisioning solution to utilise a hosted service
- Difficulties associated with identifying all hosted services in use (auditability issues)
Potential measures (controls):
- Centralised register of hosted services
- Centralised approval mechanism for hosted services
- Centralised SOA-based solution for provisioning/deprovisioning
- Centralised SOA-based solution for data integration with hosted services, where applicable
2.3.1 Data
Details of risk: Service requires access to non-public-facing UQ services such as databases
Impact: Security; privacy
Potential measures (controls):
- Where possible seek alternate means of delivering data to service provider
- Transfer data using strong encryption

2.3.2 Portability – use of non-standard data interchange formats, rather than standard formats that allow for ease of migration between service provider and UQ
Impact: Cost/time to UQ clients
Potential measures (controls): Promote UQ client awareness

2.4.1 Heavy reliance on stability and speed of network connection
Details of risk: UQ Internet link failure or degradation (reduced capacity, reduced performance)
Impact: Degradation and/or loss of service
Potential measures (controls): Increase UQ Internet link resilience and capacity

2.4.2 Service provider link failure or degradation (reduced capacity, reduced performance)
Impact: Degradation and/or loss of service
Potential measures (controls): Contractual service levels / service credits

2.4.3 Connectivity failure or degradation (reduced capacity, reduced performance) between UQ and service provider
Impact: Degradation and/or loss of service
Potential measures (controls): Contract requiring service provision with multiple Internet attachment points with diverse connectivity
3. Legal risks

3.1 UQ non-compliance with obligations under the newly enacted Information Privacy Act 2009 (Qld) (“IP Act”)
Details of risk: Breach of any Information Privacy Principles (“IPPs”) under the IP Act, including:
- The obligation to ensure reasonable safeguards are in place to prevent loss, unauthorised access, use, disclosure, modification or misuse of personal information held by UQ
- The obligation to fulfil individuals’ requests to see all records containing their personal information and have any inaccuracies in such records corrected on request
- The obligation to only disclose personal information if the individual concerned is aware of, or has consented to, that disclosure. Depending on the details of the external hosting model the personal information may or may not be “disclosed” to the service provider.
- The obligation to seek individuals’ consent to transfer of personal information outside Australia OR, in the absence of consent, to carry out due diligence and have appropriate contractual provisions in place to ensure personal information is protected in line with the IP Act
- Potential future obligation under privacy laws: obligation to notify the Privacy Commissioner and affected individuals of a data breach in which their personal details may have been compromised
Impact:
- Negative PR associated with UQ breaching legislation
- Fines for offences under the IP Act (eg potential $10,000 fine for failure to take reasonable steps to comply with a compliance notice issued by the Information Commissioner following alleged non-compliance with any provision of the IP Act, or for failure to produce a document when requested to do so by the Information Commissioner)
Potential measures (controls):
- UQ to contractually oblige the service provider to employ security measures against hacking / accidental disclosure of personal information
- Encryption, so that an individual’s identity cannot be discerned or is not effectively being disclosed
- Subject service provider to contractual provisions that effectively uphold principles for the fair handling of personal information that are substantially similar to the IPPs (ideally replicate IPPs)
- Conduct due diligence to ensure the personal information UQ transfers will not be held, used or disclosed by the service provider in a way that is inconsistent with the IPPs
- Make any individuals whose personal information may be disclosed as part of external hosting aware that such information is being so disclosed (see IPP 11)
- Strictly specify the reason for disclosure of information (ie external hosting only – information is not disclosed to the service provider for any other purpose and the service provider may not use the information for any other purpose)
- Get individuals’ consent to any transfer of information outside Australia OR ensure that:
  (a) UQ reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the IPPs [this is about the contractual provisions per bullet point 3 above]; AND
  (b) UQ has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs [this is about due diligence by UQ to ensure the service provider’s technology and processes live up to the IPP requirements – UQ should keep a record of such due diligence activity]
- Contractual obligation on service provider to advise UQ of any security breach so that individuals whose personal information may have been disclosed can be notified
3.2 Non-compliance with National Privacy Principles (“NPPs”) set out in the Privacy Act 1988 (Cth) or the proposed new Uniform Privacy Principles set out in the ALRC report
While UQ is not required to comply with the NPPs as a matter of law, it is required to do so under some of its agreements (eg under a number of Commonwealth funding agreements).
Details of risk: Breach of any NPPs to which UQ is subject under its agreements and which are not already covered by the IPPs in Ref 3.1, including:
- Obligation to keep all personal information held complete and up to date
- The obligation to ensure reasonable safeguards are in place to prevent loss, unauthorised access, use, disclosure, modification or misuse of personal information held by UQ
- Obligation to fulfil individuals’ requests to access their personal information
Impact: Breach of contract and potential for damages claim for losses that parties UQ contracts with may suffer as a result of UQ’s breach of NPPs
Potential measures (controls):
- Contractual obligations to ensure UQ is able to access information as required, and placing obligations on service provider to keep information up to date (if appropriate in context of service arrangement)
- Also as per Ref 3.1

3.3 Non-compliance with obligations under the Public Records Act 2002 (Qld) (“PR Act”)
Details of risk: Deletion of records; loss of records; inability to access records. This could be caused by downtime, data loss or security breach.
Impact:
- Negative PR
- s13 of the PR Act makes it an offence to dispose of a public record without the State Archivist’s approval. Fine – $16,500
Potential measures (controls):
- Contractual provisions / indemnity around compliance with UQ’s obligations under the PR Act
- The PR Act provides that, without limiting the public authority’s responsibility for ensuring the safe custody and preservation of records in its possession, an arrangement between a public authority and another person for the person to have custody of a record of the public authority must include arrangements for the safe keeping, proper preservation and return of the record (s8)
- Create back up / contractually oblige service provider to create back up

3.4 Non-compliance with obligations under the newly enacted Right to Information Act 2009 (Qld) (“RTI Act”)*
Details of risk:
- UQ is unable to provide information in response to a request of a member of the public or the Information Commissioner in the timeframe required under the RTI Act, or at all, because it cannot be identified or accessed
- UQ is fettered in its ability to use the option to “push” information to the public rather than wait for applications under the RTI Act
- UQ’s published information on the “push” model is unavailable to the public, placing UQ in breach of its published statements on availability of information
- This could be caused by downtime, data loss or security breach
Impact:
- Negative PR
- Fines under the RTI Act. For example, in addition to the public’s right to access documents by request under the RTI Act, the Information Commissioner may by notice require UQ to produce a particular document. Failure to do so constitutes an offence with a fine of $10,000.
Potential measures (controls): Contractual provisions around data retention and security and UQ’s ability to access information on request, within required timeframes / indemnity

* The RTI Act was enacted in June 2009 and is expected to commence on 1 July 2009. The RTI Act replaces the Freedom of Information Act 1992 (Qld) but represents an overhaul of FOI legislation. UQ is still in the process of considering the legislative changes and adjusting its procedures to ensure compliance, so it is possible that additional issues around the RTI Act in the external hosting context will come to light as UQ works through that process.
3.5 Breach of contractual obligations
Details of risk: Storage of information on service provider systems could risk breach of contractual obligations, eg:
- obligations not to disclose certain information;
- obligations to keep certain data safe, etc;
- obligations to comply with NPPs (see Ref 3.2) – this obligation is commonly included in UQ’s Commonwealth funding agreements
Impact: Breach of contract – potential for damages claim for losses that parties UQ contracts with may suffer as a result of UQ’s breach of contract
Potential measures (controls):
- Most effective risk mitigation would be to audit contracts and seek consent to external hosting – note this could be impractical
- Minimise risk by employing strategies recommended in respect of Refs 3.1 to 3.4 above

3.6 Breach of software licence terms
Details of risk: Software licence terms may not allow for operation of software on third party service provider systems
Impact: Breach of licence – licensor could charge UQ an additional licence fee, sue UQ for damages if it suffers loss flowing from breach of licence, or take any other action it is entitled to take under its licence agreement
Potential measures (controls): Before entering into an external hosting arrangement, consider what licensed software UQ would be running on external service provider systems and check that the software licence terms allow for this. If the licence terms do not allow for this, seek amendment to the licence to cater for external hosting (but bear in mind there could be a cost implication)
3.7 Disclosure of UQ confidential information
Details of risk: Storage of information on third party (service provider) systems could constitute disclosure of confidential information to the service provider, OR poor data security by the service provider could result in disclosure of confidential information to other third parties
Impact: UQ secrets could be disclosed to third parties – impact would depend upon importance of the particular confidential information to UQ
Potential measures (controls):
- Encryption
- Due diligence on service provider security
- Contractual obligations around service provider security
- Periodic audits of service provider security

3.8 Disclosure of third party confidential information
Details of risk: Storage of information on third party (service provider) systems could constitute disclosure of confidential information to the service provider, OR poor data security by the service provider could result in disclosure of confidential information to other third parties
Impact: Third party secrets disclosed to UQ, which UQ is required to keep confidential, could be disclosed to third parties. This could place UQ in breach of common law, equitable or contractual obligations of confidence to third parties. Third parties affected could sue for damages to cover their losses.
Potential measures (controls): As per Ref 3.7

3.9 Legal risk flowing from local laws in particular jurisdictions (eg Patriot Act in US, encryption prohibitions in US and France)
Details of risk: Will depend upon particular jurisdiction
Impact: Will depend upon particular jurisdiction; however, examples could include:
- Fines
- Criminal penalties
- Cancellation of accounts by service provider in response to government / court order
Potential measures (controls):
- Assess issues associated with proposed jurisdiction/s and decline to use service if jurisdiction presents too many issues
- Include a compliance with laws obligation in contract
- Contractual obligations to consult with UQ and provide warning / opportunity for issue to be resolved before cancellation of account or other government / court action is taken
- Otherwise, will depend upon particular jurisdiction
3.10 Legal risk flowing from lack of local laws in particular jurisdictions (eg fewer laws protecting intellectual property in Asia)
Details of risk: Will depend upon particular jurisdiction
Impact: Will depend upon particular jurisdiction
Potential measures (controls):
- Assess issues associated with proposed jurisdiction/s and decline to use service if jurisdiction presents too many issues
- Will need specific contractual protections depending on particular issues faced in particular jurisdictions

3.11 Loss of legal professional privilege
Details of risk: Waiver of legal professional privilege by disclosure of communication
Impact:
- Discovery of sensitive legal advice in legal proceedings – could have very significant impact depending upon the circumstances
- Negative PR
Potential measures (controls): As per Ref 3.7

3.12 Inability to comply with disclosure / discovery / subpoena obligations
Details of risk: UQ may not be able to meet its obligations on time or at all if records being externally hosted are not accessible or if data has been lost
Impact: Fines; other discipline by Court
Potential measures (controls): Contractual provisions ensuring data security and ability for UQ to access data in a timely manner

3.13 Ownership of email addresses on exit
Details of risk: External hosting service provider owns email addresses and, when the contract comes to an end, UQ does not have a right to use the email addresses.
Impact:
- Mass communication required internally and externally on change of email addresses
- Technical measures required to ensure emails are forwarded in the interim
- Service provider given opportunity to charge for transfer of email addresses
Potential measures (controls): Contractual provisions ensuring addresses are owned by UQ and returned / transferred to the control of UQ, or transferred to a new service provider, on exit from contract.
3.14 Loss of or inability to access information relevant to patents
Details of risk: UQ is not able to access historical data relevant to patentability or proof of patent ownership
Impact: Inability to resist patent right challenges by third parties
Potential measures (controls): Contractual provisions around data security and access to data

3.15 Invalidation of patents
Details of risk: Disclosure of information relevant to patents that invalidates the patent due to disclosure into the public domain
Impact: No right to patents for UQ inventions affected and/or competitors stealing ideas, with UQ unable to seek redress due to information having been leaked into the public domain
Potential measures (controls):
- Data security measures
- UQ policies quarantining such information (eg such information not to be sent by email)

3.16 Loss of IP
Details of risk: Inability to access material in which intellectual property rights subsist due to data loss
Impact: Will depend upon value of particular IP lost
Potential measures (controls): Contractual obligations on service provider in respect of protection of data

3.17 Breach of employment laws or general law duty of care to employees if they suffer loss as a result of the outsourcing
Details of risk: If UQ’s passing of information to the external host was negligent and a staff member suffered loss
Impact:
- Negative PR
- Employee could sue UQ for damages
Potential measures (controls): Careful due diligence and continuing contract management to ensure appropriate safeguards are in place