Cloud Services at McGill

Learn to safely use cloud applications with this short video:

 

When acquiring or using a new software app, here's what you need to know...

These days most software used at McGill is provided by third-party vendors and hosted "in the cloud". Because data is exchanged and/or stored outside of McGill's IT infrastructure, we need to perform due diligence to ensure our data is safe and to respect laws and regulations. We are all responsible for keeping McGill data safe.

What is McGill's Cloud Directive?

The Cloud Directive prescribes when and where you can process, transmit and store McGill data, depending on the type of data involved and its required security and privacy needs.

Cloud Directive - Official document, found on the Secretariat website

Who needs to comply?

All members of the McGill University community are obligated to comply with the Cloud Directive, even when using free cloud services.

Research data is also subject to the Cloud Directive.

All educational software used for teaching and learning must comply with the McGill Cloud Directive . 

 

Where should I begin?

For guidance on obtaining and using cloud services, view the sections below, starting with Cloud 101.

Cloud 101

    Cloud 101 Overview

    Click on the image to view a PDF that provides an introduction to Cloud Service, including:

    • What cloud services are
    • Different types of data and the level of protection they require
    • What is expected from you

     

    There are benefits and risks that come with using cloud services to store McGill data. To help mitigate these risks, it is essential that we take the steps outlined in the Cloud service acquisition process.

    Benefits of storing data in the cloud

    • Large storage capacity: You can get virtually unlimited amounts of storage space for free or cheap.
    • Access files anywhere: You can easily access and synchronize your data from multiple devices anywhere in the world.
    • Share and collaborate: It's easy to share your information with others and control permissions to view or edit files.
    • Productivity: Cloud services can help you be more productive and effective.

    Risks of storing data in the cloud

    • Syncing between devices may leave sensitive data on an unsecured device.
    • Due to "data deduplication", deleting a file doesn't necessarily get rid of the data in the cloud.
    • Vulnerabilities of the service to cyber attacks can expose data to unauthorized access.
    • Weak encryption of data on some cloud services can compromise data security and integrity.
    • No control over data shared with third parties, depending on terms of service.

     

    Cloud service acquisition process

    Process for acquiring / using cloud servicesHigh-level interactive view of the process 

    McGill is required to have a process for vetting cloud services to ensure that vendors can deliver on their commitments to safeguard our data against theft, loss and corruption.

    This interactive process map provides a high-level overview of the Cloud service acquisition process. Anyone at McGill who wants to acquire or use a cloud service must follow this process.

     

    Detailed process for all roles

    This process map provides the complete process for Cloud Service Acquisition. 

    detailed process map

    Roles & responsibilities

    Find out where you fit into the Cloud Acquisition Process.

     

    Requester & portfolio manager roles & responsibilities

    Requesters and portfolio managers work together to complete the Request for Data Trustee Approval:

    FileRequest for Data Trustee Approval Form

    PDF iconRequest for Data Trustee Approval Job Aid

    The Request for Data Trustee Approval captures information about:

    • The purpose/intended use of the solution
    • What data is collected and from whom in relation to purpose
    • Information about the user population

    Data trustee roles & responsibilities

    For more information about the role of the data trustee see:

    PDF iconRole of Data Trustee in Cloud Acquisition Process

    Data trustee criteria checklist

    Data trustees assess the information provided in the Request for Data Trustee Approval submitted by the Requester/Portfolio Manager to work toward initial concept approval.

      This checklist provides data trustees with a guide to the assessment of the request:

       PDF icon Data Trustee Criteria Checklist

      All roles & responsibilities

      This is a summary of the roles and responsibilities as reflected in the Cloud Acquisition Process detailed process.

       PDF icon Cloud Acquisition Process Roles and Responsibilities

      Activities
      Description
      Requester 
      Procurement Services
      Legal Services
      Data Trustee(s)
      IT Services
      Vendor
      Defining Needs

      Requester and IT Portfolio Manager

      • Lists all types of data in scope (to be stored or used) by the cloud solution
      • Assesses the sensitivity level of the non-personal information
      • Completes the "Procurement Mandate Form" and submits to Procurement Services
      x       x  
      Assess Data Request

      Data Trustee

      • Evaluates data request & provides an "In Concept" data approval
            x    
      Decide contract award method and requirements

      Procurement Services

      • Determines the type of contract which will be pursued
        • Contract by mutual agreement
        • Contract through tendering
      • Assesses eligibility requirement of vendor (the vendor must not be on RENA or other department list verified by McGill)
      • Obtains most current version of privacy addendum from legal services
        x        
      Assess Sensitivity level of personal data

      Legal Services

      • Assess the sensitivity level of personal data
          x      
      Prepare financial schedule

      Requester and Procurement Services

      • Collaborate on a model that will provide clear price information
      x x        
      Obtaining Proposals

      Procurement Services asks the vendor 

      • to sign Privacy Addendum (for Regulated data only)
      • To provide Data Flow Diagram

      Vendor

      • Receives the documents and evaluates/ completes them

      Procurement Services

      • Manages communications to help the vendor with the documents
      • Receives the documents back from the vendor
        x       x
      Verify (Contrator) eligibility

      Procurement Services

      • Verifies that vendor is not on RENA or other department list verified by McGill
        x        
      Verify (Contractor) Compliance

      Procurement Services

      • Validates Privacy Addendum is compliant (text, approved locations)
      • Returns to vendor to complete missing information
      Vendor
      • Completes missing information - if the Privacy Addendum is not signed, the process is stopped
        x x      
      Review Proposal(s) Procurement Services
      • sends complete package of information to IT Services for IT Risk Assessment
      IT Services
      • Begins assessment
      • Sends assessment reports to Procurement Services outlining criteria to Pass/Fail/Conditionally Pass/Conditionally Fail.
      • Makes recommendations to Procurement Services to remediate what does not pass
      • Procurement Services
      • works with vendor, legal services, IT Portfolio Manager (if not business-lead) and Requester, and provides IT Services with a response on the recommendations
        x     x x
      Contracting Procurement Services
      • informs Data Trustees and stakeholders of contract approval
      • issues PO to vendor
        x        
      File contract Records IT Services
      • issues final IT Risk Assessment report
      • Procurement Services
      • files contract documents in CCT and shares with the Requester
      x x     x  

      What to consider when using a cloud service

      When using a free or paid cloud service, there are various factors requesters need to consider throughout its lifecycle: before acquisition, during use, and at renewal.

      Below are questions you will need to ask yourself at each stage. Refer to them often, as they may change over time with changes in technology and the security landscape.

      Prior to acquisition

      1. What types of data will you be working with, and what do you want to do with them? 
      Note that only certain types of data are eligible for use with cloud solutions, depending on their level of sensitivity and the protection offered by the vendor.

      Cloud services that store, process or transmit data that are normally protected and/or regulated require special consideration, as required by Quebec and/or Canadian law, regulation or industry standard.

      2. Is your proposed solution really a cloud service?
      Validate that the solution you are considering is in fact a cloud service.
      On-premise solutions are not subject to the same considerations.

      Refer to Cloud services: Definition in Cloud services 101 on the Cloud Service Directive & Guidance page on the ITS website to find out more.

      3. Does McGill already have a similar solution that meets your requirements?
      The IT Service Desk can identify validated existing solutions in use at McGill.

      4. Have you researched multiple alternatives that can meet your needs?
      Plan to have more than one option in case the vendor cannot comply with the regulatory obligations that the Institution must abide by. The three assessments (Privacy, IT Risk, and Contract) will identify any compliance gaps.

      5. Have you clearly defined your requirements?
      Requirements need to be complete, clear, correct and consistent. To be able to identify your requirements, you need to understand how you are working today and identify how you wish to work in the future with the new solution.

      6. Most cloud services cannot be customized, so can you work within these constraints?
      If your processes cannot be adjusted accordingly, we encourage you to look for alternatives. 

      7. If it is necessary to leave the vendor in the future, (given your evolving needs, market changes, compliance requirements, etc.) do you understand what happens to your data after termination of the contract?
      Formulate an exit strategy which will allow you to migrate your data to another service provider without losing functionality. 

      8. Are you aware of the funding model for the acquisition of cloud services?
      Cloud services at McGill are considered an operational expense, while other types of software are mostly classified as capital expenses.
      The requester is responsible for the recurring subscription costs for the use of the cloud service. 

      9. How soon do you want to start using the cloud service?
      Negotiations and obtaining complete information from the vendor can result in delays of 3 months or more.
      All free and paid cloud services (except those that solely involve public data) must first undergo an assessment process - see the documents Cloud 101 and Process for evaluating the acquisition and use of a Cloud Service for details.

      Be aware that a cloud service may be approved or rejected as a result of the vendor assessment.Ensure that the evaluation period and possible outcomes are taken into account when planning a cloud solution.

      During use

      10. Do you have the resources and expertise to support the ongoing maintenance and monitoring of the cloud service and vendor? 
      It is the business’ responsibility to ensure that their unit can support the ongoing maintenance and monitoring. It is strongly recommended to dedicate the right expertise and resources to these activities.

      At renewal

      11. Cloud services do not need to undergo the assessment process upon renewal, unless one of the following factors is present: 

      • Client raises issues with service
      • Vendor changes processes, systems, or « flow of data »
      • Any breach of contract related to security, performance or privacy compliance
      • Scope change by client (which includes further or different access to protected info)
      • Significant changes to laws, regulations and industry standards that would necessitate an amendment

      McGill Approved Cloud Services

      A list of Cloud Services that have undergone the Cloud Acquisition Process is available to all McGill staff. This page will allow you to see the results of the Cloud Acquisition Process (Approved, Limited use, Rejected) for select services. 

      This list of approved cloud services is restricted to McGill Staff. To access restricted content in this section of the website, please sign in with your McGill Username and Password. Return to this tab once logged in.

      Once logged in, click Cloud Services that have been approved/rejected for McGill use to view the content.

      Glossary of Terms

      Definitions of Common Terms

      The terms below provide you definitions and examples of common terms and acronyms used in the context of cloud services.

      Term Definition & Examples
      Cloud Services A cloud service is a service or solution that is provided to a customer remotely as a service, by an external provider, and accessed over the internet. Cloud services can be free or paid. It contrasts with on-premise solutions. 
      Data subscription A data subscription refers to a model where a customer must pay a recurring price at regular intervals for access to data. 
      Directive

      A directive sets aims - for a specific topic - that should be followed by every McGill community member impacted by the directive. 

      E.g., the cloud directive defines how to acquire and use cloud services for McGill institutional data.

      IaaS 

      (Infrastructure as a service) 

      IaaS is a form of cloud computing that provides infrastructure resources, remote - as a service - over the internet. With IaaS, the vendor manages the infrastructure whereas McGill manages the data, application, database and operating system (see PaaS and SaaS). 
      Institutional Data  All data owned or licensed by the University. Institutional Data is either Regulated Institutional Data, Protected Institutional Data or Public Institutional Data. 
      On premise solutions  On-premises solutions are installed and run on computers within the walls of McGill, rather than a remote solution managed by a service provider. This contrasts with Cloud Services. 
      PaaS (Platform as a service)  PaaS is a form of cloud computing that provides resources remote - as a service - over the internet. With PaaS, the vendor manages the infrastructure, operating system and database whereas McGill manages the data and application (see IaaS and SaaS). 

      PCI 

      (Payment card industry) 

      The Payment Card Industry (PCI) regulations govern the use of all cardholder data. It applies to all merchant organizations, which store, process and transmit payment cardholder data.  

      E.g., a credit card number 

      Personal Information 

      Information concerning a natural person that allows the person to be identified as provided for in applicable Canadian and Quebec privacy legislation 

      E.g., student records, human resource records, donor information, and personal health information). 

      PHI 

      (Personal Health Information)

      Personal health information refers to medical and/or pharmaceutical data related to an individual. 
      Protected Institutional Data 

      McGill confidential information, other than regulated institutional data, is referred to as Protected Institutional data. 

      Examples where confidentiality is required: Contracts or strategic directions 

      Public Institutional Data 

      When protection of information is not required, because data is not confidential, we refer to it as Public Institutional data. 

      E.g., a blog on a McGill website  

      Regulated Institutional Data 

      When protection of information is mandated by law, regulation or industry requirement, we refer to it as Regulated Institutional data. 

      E.g., Personal information, Student/employee records, Passwords, Legal files 

      SaaS 

      (Software as a Service)

      SaaS is a form of cloud computing that provides resources remote - as a service - over the internet. With SaaS, the vendor manages the infrastructure, operating systems, databases and applications whereas McGill manages the data (see IaaS and PaaS). 

       

       

      FAQs about the Cloud Directive and where it applies

      Do I need to invoke the Cloud Service Acquisition Process if I'm using a Cloud Service for my own personal use, with my own data?

      No. The Cloud Directive is aimed at protecting McGill institutional data, including personal data of others under McGill's custodianship. You should, however, learn about the risks associated with data in the cloud to keep your own personal data safe online.

      Does the Cloud Directive cover research projects?

      Research data is subject to the Cloud Directive. You must follow the Cloud Service Acquisition Process when acquiring cloud services for research data.

       

      *** Additional FAQs coming soon ***

      Who to contact

      For general questions

      McGill unit / Faculty and Role Primary Contact

      Procurement Services
      (for general questions about the use of cloud services)

      cloudservices.procurement [at] mcgill.ca
      Information Technology Services
      (for technical guidance and questions about the Cloud Directive)
      Jacek Slaboszewicz
      Sue Reali

      Portfolio Buyers

      The Buyer/Lead Buyer for your portfolio / unit is your main point of contact throughout the cloud service acquisition process. For their contact information, see the Contact Us page on the Procurement website.

      Data Trustees / Approvers for cloud service requests

      Before contacting Procurement Services, validate with the responsible Data Trustee(s) / Approver(s) to determine if the desired data can be hosted in the cloud.  Choose the person most closely responsible for the data.

       

      Area Data Trustees/Approvers or their delegates
      Financial

      Cristiane Tinmouth
      Associate Vice-Principal (Financial Services)

      Human Resources
      Examples: employment status, salary, etc.

      Diana Dutton
      Associate Vice-Principal (Human Resources)
      Payment Card Industry (PCI)
      Example: credit card 

      Peter Guertin
      Jacek Slaboszewicz
      PCI Compliance Steering Committee

      Student
      Examples: student id, grades, registration, etc.

      Gillian Nycum
      University Registrar and Executive Director, Enrolment Services

      Student Aid 
      Examples: scholarships, awards, etc.
      Cara Piperni
      Director- Office of Scholarships and Student Aid
      Non credit courses

      Carola Weil
      Dean of the School of Continuing Studies

      Isabelle Bajeux
      Dean of the Management, Desautels Faculty Management

      David Eidelman, Dr.
      Vice-Principal (Health Affairs) and Dean of Medicine, Faculty of Medicine

      Facilities Robert Couvrette
      Associate Vice-Principal (Facilities Management and Ancillary Services)
      Information Technology Marc Denoncourt
      Chief Information Officer
      Advancement Marc Weinstein
      Vice-Principal (University Advancement)

      Contact Procurement Services for Data Trustees / Approvers not listed above.

      Back to top