external hosting (cloud) evaluation checklist - detailed


Upload: rinky25

Post on 14-Jun-2015


INITIAL RISK ANALYSIS – EXTERNAL HOSTING SOLUTIONS

OU Name: ………………….…………… Date of Review: ……………
Compiled by: ………………………………. Date: ……………
Approved by: ……………………………… Date: …………….

Note: This is an initial, high level analysis of the potential risks associated with UQ entering into external hosting solutions and is intended as a general guide only. A definitive analysis of the risks associated with a particular proposed external hosting solution should be conducted once the detailed particulars of the particular solution (eg proposed service provider, jurisdiction in which University data will be hosted, technical features of the solution, commercial offering and service provider’s proposed contractual terms) are known.

IDENTIFICATION ANALYSIS

Ref Brief risk description Details of risk Impact Potential measures (controls) which could minimise risk

1. Business risks

1.1 Downtime
Impact: Loss of service / access to data. Business impact will depend on importance of service / application / data to the business. See also Legal section of this paper.
Potential measures (controls):
- Contractual provisions including indemnities, robust service level and service credits regime, specified failover requirements / business continuity obligations linked to service credits / most favoured customer clause, if possible
- Insurance coverage – UQ and/or service provider

1.2 Reliance upon / tie to chosen service provider for future services
Impact: Less commercial leverage
Potential measures (controls):
- Interoperability due diligence
- Contractual provisions around interoperability
- Robust exit provisions and vigilance in ensuring these are used (eg ensure exit plan is prepared and kept up to date as part of contract management)

1.3 Chosen service provider becomes insolvent
Impact: Loss of service; need to bring service in-house or transfer to another service provider
Potential measures (controls):
- Contractual provisions requiring service provider to notify on insolvency events (see GITC definition of insolvency events), so that UQ has prior notice of potential insolvency and allowing UQ to terminate agreement and/or enliven exit services upon certain insolvency events
- Also as per Ref 1.2

1.4 Data loss
Details of risk: Service Provider loses client data
Impact: Loss of data. Business impact will depend on importance of data to the business. See also Legal section of this paper.
Potential measures (controls):
- Ensure service provider offers backup and archiving services
- UQ clients may need to maintain local backup of data
- Insurance coverage – UQ and/or service provider
- Also as per Ref 1.1 in relation to downtime


2. Technical risks

2.1.1 Interoperability
Details of risk: Restrictive client-side OS or browser requirements for Software-as-a-Service Offerings (SaaS)
Impact: Not usable by all UQ clients
Potential measures (controls):
- SaaS offerings use browser for client side
- Supported browsers must at least include Internet Explorer, Safari, Firefox

2.1.2
Details of risk: Service provider upgrades software and/or infrastructure
Impact: Cost/time impact on UQ users
Potential measures (controls):
- Adequate notification and details of upgrades (cover in contract)
- Data integrity (cover in contract)
- Service provider must provide migration tools if appropriate to upgrade activity

2.1.3
Details of risk: Lack of confirmed VM image format standardisation complicates migration of VMs between UQ and Service Provider clouds and between Service Provider Clouds
Impact: Cost/time impact on UQ clients
Potential measures (controls): UQ clients made aware

2.1.4
Details of risk: IP address changes of external hosted services
Impact: Service availability
Potential measures (controls): Service providers need to provide UQ with IP address, small range of IP addresses or DNS name

2.2.1 Integration
Details of risk: Service cannot utilise Identity Provider services
Impact: Security and inconvenience (potentially remember many multiple passwords)
Potential measures (controls): Service provider demonstrates capability to use external Identity Provider services

2.2.2
Details of risk: Lack of standardised Service Provider APIs
Impact: Lock in to specific Service Provider
Potential measures (controls):
- Encourage service providers to participate in standardisation activities
- Promote UQ client awareness

2.2.3
Details of risk: Decentralised use of cloud services results in a multitude of hosted services and therefore service providers, some providing the same services, and a corresponding number of UQ-based processes and software to utilise these services.
Impact:
- Support and maintenance costs associated with each instance of locally developed software interacting with a hosted service.
- Support and maintenance costs for each local provisioning and deprovisioning solution to utilise a hosted service.
- Difficulties associated with identifying all hosted services in use - auditability issues
Potential measures (controls):
- Centralised register of hosted services.
- Centralised approval mechanism for hosted services.
- Centralised SOA-based solution for provisioning/deprovisioning
- Centralised SOA-based solution for data integration with hosted services, where applicable

2.3.1 Data
Details of risk: Service requires access to non-public facing UQ services such as databases
Impact: Security; Privacy
Potential measures (controls):
- Where possible, seek alternate means of delivering data to service provider
- Transfer data using strong encryption

2.3.2
Details of risk: Portability - use of non-standard data interchange formats to allow for ease of migration between service provider and UQ
Impact: Cost/time to UQ clients
Potential measures (controls): Promote UQ client awareness

2.4.1 Heavy reliance on stability and speed of network connection
Details of risk: UQ Internet link failure or degradation (reduced capacity, reduced performance)
Impact: Degradation and/or loss of service
Potential measures (controls): Increase UQ Internet link resilience and capacity

2.4.2
Details of risk: Service Provider link failure or degradation (reduced capacity, reduced performance)
Impact: Degradation and/or loss of service
Potential measures (controls): Contractual service levels / service credits

2.4.3
Details of risk: Connectivity failure or degradation (reduced capacity, reduced performance) between UQ and service provider
Impact: Degradation and/or loss of service
Potential measures (controls): Contract requiring service provision with multiple internet attachment points with diverse connectivity


3. Legal risks

3.1 UQ non-compliance with obligations under newly-enacted Information Privacy Act 2009 (Qld) (“IP Act”).
Details of risk: Breach of any Information Privacy Principles (“IPPs”) under the IP Act, including:
- The obligation to ensure reasonable safeguards are in place to prevent loss, unauthorized access, use, disclosure, modification or misuse of personal information held by UQ
- The obligation to fulfill individuals’ requests to see all records containing their personal information and have any inaccuracies in such records corrected on request
- The obligation to only disclose personal information if the individual concerned is aware of, or has consented to, that disclosure. Depending on the details of the external hosting model the personal information may or may not be “disclosed” to the service provider.
- The obligation to seek individuals’ consent to transfer of personal information outside Australia OR in absence of consent, to carry out due diligence and have appropriate contractual provisions in place to ensure personal information is protected in line with the IP Act.
Potential future obligation under privacy laws: obligation to notify the Privacy Commissioner and affected individuals of a data breach in which their personal details may have been compromised
Impact:
- negative PR associated with UQ breaching legislation
- fines for offences under the IP Act (eg potential $10,000 fine for failure to take reasonable steps to comply with compliance notice issued by the Information Commissioner following alleged non-compliance with any provision of the IP Act or failure to produce a document when requested to do so by the Information Commissioner)
Potential measures (controls):
- UQ to contractually oblige the service provider to employ security measures against hacking / accidental disclosure of personal information
- encryption, so that an individual’s identity cannot be discerned or is not effectively being disclosed
- subject service provider to contractual provisions that effectively uphold principles for the fair handling of personal information that are substantially similar to the IPPs (ideally replicate IPPs)
- conduct due diligence to ensure the personal information it transfers will not be held, used or disclosed by the service provider in a way that is inconsistent with the IPPs.
- Make any individuals whose personal information may be disclosed as part of external hosting aware that such information is being so disclosed (see IPP 11).
- Need to strictly specify reason for disclosure of information (ie external hosting only – information not disclosed to the service provider for any other purpose and the service provider may not use the information for any other purpose).
- Get individuals’ consent to any transfer of information outside Australia OR ensure:
  - UQ reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the IPPs [this is about the contractual provisions per bullet point 3 above]; AND
  - UQ has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs [this is about due diligence by UQ to ensure the service provider’s technology and processes live up to the IPP requirements – UQ should keep a record of such due diligence activity]
- Contractual obligation on service provider to advise UQ of any security breach so that individuals whose personal information may have been disclosed may be notified.


3.2 Non-compliance with National Privacy Principles (“NPPs”) set out in the Privacy Act 1988 (Cth) or proposed new Uniform Privacy Principles set out in the ALRC report.
While UQ is not required to comply with the National Privacy Principles (“NPPs”) as a matter of law it is required to do so under some of its agreements (eg under a number of Commonwealth funding agreements).
Details of risk: Breach of any NPPs to which UQ is subject under its agreements which are not already covered by the IPPs in Ref 3.1, including:
- Obligation to keep all personal information held complete and up to date
- The obligation to ensure reasonable safeguards are in place to prevent loss, unauthorized access, use, disclosure, modification or misuse of personal information held by UQ
- Obligation to fulfill individuals’ requests to access their personal information
Impact: Breach of contract and potential for damages claim for losses parties UQ contract with may suffer as a result of UQ’s breach of NPPs
Potential measures (controls):
- Contractual obligations to ensure UQ is able to access information as required and placing obligations on service provider to keep information up to date (if appropriate in context of service arrangement)
- Also as per Ref 3.1

3.3 Non-compliance with obligations under the Public Records Act 2002 (Qld) (“PR Act”)
Details of risk:
- Deletion of records
- Loss of records
- Inability to access records
This could be caused by downtime, data loss or security breach
Impact:
- negative PR
- s13 of the PR Act makes it an offence to dispose of a public record without State Archivist’s approval. Fine - $16,500
Potential measures (controls):
- contractual provisions / indemnity around compliance with UQ’s obligations under the PR Act
- PR Act provides that, without limiting the public authority’s responsibility for ensuring the safe custody and preservation of records in its possession, an arrangement between a public authority and another person for the person to have custody of a record of the public authority must include arrangements for the safe keeping, proper preservation and return of the record (s8)
- create back up / contractually oblige service provider to create back up

3.4 Non-compliance with obligations under the newly enacted Right to Information Act 2009 (Qld) (“RTI Act”) *
Details of risk:
- UQ is unable to provide information in response to a request of a member of the public or the Information Commissioner in the timeframe required under the RTI Act or at all because it cannot be identified or accessed
- UQ is fettered in its ability to use the option to “push” information to the public rather than wait for applications under the RTI Act
- UQ’s published information on the “push” model is unavailable to the public, making UQ in breach of its published statements on availability of information.
This could be caused by downtime, data loss or security breach
Impact:
- negative PR
- fines under the RTI Act. For example, in addition to the public’s right to access documents by request under the RTI Act, the Information Commissioner may by notice require UQ to produce a particular document. Failure to do so constitutes an offence with a fine of $10,000.
Potential measures (controls): contractual provisions around data retention and security and UQ ability to access information on request, within required timeframes / indemnity

* The RTI Act was enacted in June 2009 and is expected to commence on 1 July 2009. The RTI Act replaces the Freedom of Information Act 1992 (Qld) but represents an overhaul of FOI legislation. UQ is still in the process of considering the legislative changes and adjusting its procedures to ensure compliance, so it is possible that additional issues around the RTI Act in the external hosting context will come to light as UQ works through that process.

3.5 Breach of contractual obligations
Details of risk: Storage of information on service provider systems could risk breach of contractual obligations, eg:
- obligations not to disclose certain information;
- obligations to keep certain data safe etc
- obligations to comply with NPPs (see Ref 3.2) – this obligation is commonly included in UQ’s Commonwealth funding agreements
Impact: Breach of contract - potential for damages claim for losses parties UQ contract with may suffer as a result of UQ’s breach of contract
Potential measures (controls):
- Most effective risk mitigation would be to audit contracts and seek consent to external hosting – note this could be impractical
- Minimise risk by employing strategies recommended in respect of Refs 3.1 to 3.4 above

3.6 Breach of software licence terms
Details of risk: Software licence terms may not allow for operation of software on third party service provider systems
Impact: Breach of licence – licensor could charge UQ additional licence fee, sue UQ for damages if it suffers loss flowing from breach of licence or take any other action it is entitled to take under its licence agreement
Potential measures (controls): Before entering into external hosting arrangement, consider what licensed software UQ would be running on external service provider systems and check software licence terms allow for this. If licence terms do not allow for this, seek amendment to licence to cater for external hosting (but bear in mind there could be a cost implication)

3.7 Disclosure of UQ confidential information
Details of risk: Storage of information on third party (service provider) systems could constitute disclosure of confidential information to service provider OR poor data security by service provider could result in disclosure of confidential information to other third parties
Impact: UQ secrets could be disclosed to third parties – impact would depend upon importance of particular confidential information to UQ
Potential measures (controls):
- Encryption
- Due diligence on service provider security
- Contractual obligations around service provider security
- Periodical audits around service provider security

3.8 Disclosure of third party confidential information
Details of risk: Storage of information on third party (service provider) systems could constitute disclosure of confidential information to service provider OR poor data security by service provider could result in disclosure of confidential information to other third parties
Impact: Third party secrets disclosed to UQ and which UQ is required to keep confidential could be disclosed to third parties. This could place UQ in breach of common law, equitable or contractual obligations of confidence to third parties. Third parties affected could sue for damages to cover their losses.
Potential measures (controls): As per Ref 3.7

3.9 Legal risk flowing from local laws in particular jurisdictions (eg Patriot Act in US, encryption prohibitions in US and France)
Details of risk: Will depend upon particular jurisdiction
Impact: Will depend upon particular jurisdiction, however examples could include:
- Fines
- Criminal penalties
- Cancellation of accounts by service provider in response to government / court order
Potential measures (controls):
- Assess issues associated with proposed jurisdiction/s and decline to use service if jurisdiction presents too many issues
- Include a compliance with laws obligation in contract
- Contractual obligations to consult with UQ and provide warning / opportunity for issue to be resolved before cancellation of account or other government / court action is taken
- Otherwise, will depend upon particular jurisdiction

3.10 Legal risk flowing from lack of local laws in particular jurisdictions (eg fewer laws protecting intellectual property in Asia)
Details of risk: Will depend upon particular jurisdiction
Impact: Will depend upon particular jurisdiction
Potential measures (controls):
- Assess issues associated with proposed jurisdiction/s and decline to use service if jurisdiction presents too many issues
- Will need specific contractual protections depending on particular issues faced in particular jurisdictions

3.11 Loss of legal professional privilege
Details of risk: Waiver of legal professional privilege by disclosure of communication
Impact:
- Discovery of sensitive legal advice in legal proceedings – could have very significant impact depending upon the circumstances
- Negative PR
Potential measures (controls): As per Ref 3.7

3.12 Inability to comply with disclosure / discovery / subpoena obligations
Details of risk: UQ may not be able to meet its obligations on time or at all if records being externally hosted are not accessible or if data has been lost
Impact:
- Fines
- Other discipline by Court
Potential measures (controls): Contractual provisions ensuring data security and ability for UQ to access data in a timely manner

3.13 Ownership of email addresses on exit
Details of risk: External hosting service provider owns email addresses and when contract comes to an end, UQ does not have a right to use the email addresses.
Impact:
- Mass communication required internally and externally on change of email addresses.
- Technical measures required to ensure emails are forwarded in interim.
- Service provider given opportunity to charge for transfer of email addresses
Potential measures (controls): Contractual provisions ensuring addresses are owned by UQ and returned / transferred to the control of UQ, or transferred to a new service provider, on exit from contract.


3.14 Loss of or inability to access information relevant to patents
Details of risk: UQ is not able to access historical data relevant to patentability or proof of patent ownership
Impact: Inability to resist patent right challenges by third parties
Potential measures (controls): Contractual provisions around data security and access to data

3.15 Invalidation of patents
Details of risk: Disclosure of information relevant to patents that invalidate patent due to disclosure into public domain
Impact: No right to patents for UQ inventions affected and/or competitors stealing ideas and UQ unable to seek redress due to information having been leaked into public domain
Potential measures (controls):
- Data security measures
- UQ policies quarantining such information (eg such information not to be sent by email)

3.16 Loss of IP
Details of risk: Inability to access material in which intellectual property rights subsist due to data loss
Impact: Will depend upon value of particular IP lost
Potential measures (controls): Contractual obligations on service provider in respect of protection of data

3.17 Breach of employment laws or general law duty of care to employees if they suffer loss as a result of the outsourcing
Details of risk: If UQ’s passing of information to external host was negligent and a staff member suffered loss
Impact:
- Negative PR
- Employee could sue UQ for damages
Potential measures (controls): Careful due diligence and continuing contract management to ensure appropriate safeguards in place
