Secure hosting control procedure

Policy statement

This control procedure defines the university's approach to the use of externally provisioned computing facilities and services, and directly supports the following statements from the Information Security Policy:

“Information processing facilities are housed in secure areas, physically protected from unauthorised access, damage and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorised access and protect assets, especially those that are critical or sensitive, against forcible or surreptitious attack.” 

“The university will ensure the correct and secure operations of information processing systems. This will include documented operating procedures; the use of formal change and capacity management; controls against malware; defined use of logging; vulnerability management.”

“The university will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.”

“Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems. Controls to mitigate any risks identified will be implemented where appropriate. Systems development will be subject to change control and separation of test, development and operational environments.”

Audience

This procedure is intended to be read and understood by any staff considering the use of externally provisioned computing facilities and services; by IT & Digital and other staff responsible for implementing IT systems; and by those scoping projects that may require university information to be processed by other parties.

Control statements

Externally provisioned solutions

Externally provisioned solutions will be considered alongside traditional in-house solutions as an appropriate response to business needs. Legal obligations relating to information security, and other aspects of implementing and operating outsourced services such as commercial and reputational risk, will be evaluated and managed through risk assessments and contractual agreements.

A formal procurement process, including a risk assessment and a review of the proposed contractual terms and conditions, must be undertaken to assess whether a university IT service can be supplied via an externally provisioned service. Existing procedures for IT project management and risk assessment should be followed.

Advice on the information security aspects of secure hosting can be provided by the Information Security and Cyber Security Operations teams where required. The university’s Legal team must be consulted regarding data protection considerations and contractual terms and conditions. 

Assessment of cloud solutions

Externally provisioned solutions will be evaluated on a case-by-case basis against the university’s information security policies, procedures and guidelines as well as established good practice, such as the HMG Cloud Security Principles, where the solution may be cloud based.  

Cloud computing solutions must deliver the same or better levels of service as an in-house solution to ensure business continuity, in line with the requirements of the business service being delivered. 

Consideration should be given to the nature of the information being stored in the solution, in line with the university’s Information Classification Scheme. Where personal data is going to be processed, a privacy impact assessment must be undertaken in consultation with the Legal team. 

The Information Security team will provide advice and assistance throughout all stages of the consideration of externally provisioned computing solutions. 

All other information security policies and procedures also apply to the use of any computing solution, whether in-house or externally provisioned. These include, but are not limited to, those covering access control, cryptography, and threat and vulnerability management.

Cloud storage 

The use of both university-provisioned and personal cloud storage, such as MS OneDrive, SharePoint Online, Dropbox or Google Drive, is covered in the Information Classification Scheme.

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure. 

Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this procedure will be undertaken by the Information Security team annually, or more frequently as required, and will be approved by the Information Governance Board.

Version: 1.0
Release date: 16/10/2023
Review date: 16/09/2024