A Cloud Service is a free or paid service or software solution delivered over the internet by an external vendor. This service provides access to applications and resources, using infrastructure or hardware external to McGill. Personal and institutional (enterprise and research) data is stored, processed and transmitted outside of McGill infrastructure, “in the cloud”.
See Cloud 101 for an overview of Cloud Services.
What is the Cloud Directive and related Cloud Service Acquisition Process?
The Cloud Directive outlines McGill's obligations in securely acquiring and using Cloud Services. It describes the necessary protections (controls) to use cloud services, depending on the type of data involved and its required security and privacy needs.
The Cloud Service Acquisition Process describes in detail what steps need to be followed to acquire a Cloud Service. The process requires that a privacy, a contractual and an IT risk assessment be performed to evaluate if the vendor can deliver on their commitments to safeguard our data against theft, loss and corruption.
Why do we need the Cloud Directive and Cloud Service Acquisition process?
The main objective of the Cloud Directive and the Cloud Service Acquisition process is to:
- protect personal information (PI) as well as personal health information (PHI). Examples include: SIN number, date of birth, address, gender, medical records or bank account information (to name just a few)
- safeguard our institutional (enterprise) data, research data, proprietary information and intellectual property (IP)
- comply with applicable laws, regulations and standards
Students who leverage solutions that have been assessed and approved by McGill can do so knowing that their personal information is managed securely.
What happens if we don’t follow the Cloud Directive and Cloud Service Acquisition process?
If we don’t follow this directive and process, then we don’t have any assurance that our data is properly safeguarded, and as a result, our data privacy and Intellectual Property rights are not guaranteed. Our data could be prone to unauthorized use or loss.
In addition, we have a legal responsibility to safeguard our data. For example, personal information must be protected. In other words, if we are not safeguarding our data appropriately, we are in violation of the law.
What data needs to be protected in the cloud?
Any data that is confidential needs to be protected. This includes data whose protection is required by law or regulation, or governed by contract or McGill policies.
Here are a few examples of data to protect:
- Faculty members need to protect student personal information, and hence ensure that educational software for teaching and learning has been evaluated and approved.
- Researchers (including students working on research projects) need to protect their research data and the intellectual property associated with their research
- Staff members need to protect other people’s personal information, such as employee files, medical information, student records
Who needs to comply?
All members of the McGill community must comply with the Cloud Directive and the Cloud Service Acquisition Process when acquiring and/or using paid or free Cloud Services. Research data and educational software used for teaching and learning are subject to the Cloud Directive as well.
How to get support?
We realize that it may be difficult to understand the details of McGill policies and directives. We, therefore, encourage you to contact itgovernance.its [at] mcgill.ca if you have questions or concerns. It will be our pleasure to assist and guide you through the process.