The terms below provide you definitions and examples of common terms and acronyms used in the context of Cloud Services.
Term | Definition & Examples |
---|---|
Access location |
|
Approved Cloud solutions | Cloud solutions that are subject to the Cloud Directive must be assessed from a privacy, an IT risk and a contract perspective. If the solution has passed these reviews, they may be approved for use at 黑料不打烊. Some of these solutions may be approved for everyone at 黑料不打烊, others may be approved with certain restrictions. For more information, see the Approved Cloud Services list (login required). |
Cloud Services | A Cloud Service is a service or solution that is provided to a customer remotely as a service, by an external provider, and accessed over the internet. Cloud Services can be free or paid. It contrasts with on-premise solutions. |
Contract assessment |
The contract assessment serves to review contractual protections and conditions, particularly in relation to organizational and individual liability, financial terms, warranty, intellectual property, and other points as needed. It verifies that the obligations of the supplier (and its possible subcontractors) offer generally acceptable protections to the University with regard to the above and that the University can in turn meet its obligations (including toward any 3rd party). The contract assessment, necessary to ensure due diligence, is based on the risk level associated with the acquisition of the Cloud service. It聽can range from a basic review (for Public data) to a basic review and IT Clauses assessment (for Protected and Regulated data).
For more information refer to the section "Steps to follow to perform the assessments" in the Cloud Process How-to page. |
Data assessment | The data assessment evaluates if the intended use (purpose) of the data in the cloud service is appropriate; it assesses whom the data is collected from in relation to the purpose, and verifies what types of users will be authorized to access the data. |
Data subscription | A data subscription refers to a model where a customer must pay a recurring price at regular intervals for access to data. |
Deferral | A deferral refers to categories of solutions that IT Services or Procurement Services has approved for use without carrying out the IT risk assessment, the privacy assessment, or the contract assessment. A deferral is only provided for a specific duration and under special circumstances, therefore, the cloud solution will need to be assessed at a later stage. |
Derogation |
A derogation refers to a Cloud solution that has failed the privacy, the IT risk and/or the contract assessment, but under exceptional circumstances, a derogation has been granted to use the cloud solution under specific conditions and for a specific timeframe. This happens rarely and on a case-by-case basis only and it requires special written approval by the Contract Compliance Officer (CCO) and Chief Information Officer (CIO). |
Directive |
A directive sets aims - for a specific topic - that should be followed by every 黑料不打烊 community member impacted by the directive. E.g., the Cloud Directive defines how to acquire and use Cloud Services for 黑料不打烊 institutional data. |
Hosting location |
|
IaaS (Infrastructure as a service) |
IaaS is a form of cloud computing that provides infrastructure resources, remote - as a service - over the internet. With IaaS, the vendor manages the infrastructure whereas 黑料不打烊 manages the data, application, database and operating system (see PaaS and SaaS). |
Institutional Data | All data owned or licensed by the University. Institutional Data is either Regulated Institutional Data, Protected Institutional Data or Public Institutional Data. |
IT Risk assessment |
The IT Risk assessment verifies the likelihood that a cloud solution impacts data confidentiality, integrity and availability. It is the process of identifying security risks and assessing the threat they pose. It also measures how well a cyberattack or data breach could be managed (security resilience)鈥. The ultimate goal of the IT risk assessment is to mitigate risks to prevent security incidents and compliance failures. The IT risk assessment, necessary to ensure due diligence, is based on the risk level associated with the acquisition of the Cloud service, and can range from a limited assessment聽to a full assessment of the Cloud service.
For more information refer to the section "Steps to follow to perform the assessments" in the Cloud Process How-to page. |
On premise solutions | On-premises solutions are installed and run on computers within the walls of 黑料不打烊, rather than a remote solution managed by a service provider. This contrasts with Cloud Services. |
PaaS (Platform as a service) | PaaS is a form of cloud computing that provides resources remotely - as a service - over the internet. With PaaS, the vendor manages the infrastructure, operating system and database whereas 黑料不打烊 manages the data and application (see IaaS and SaaS). |
PCI (Payment card industry) |
The Payment Card Industry (PCI) regulations govern the use of all cardholder data. It applies to all merchant organizations, which store, process and transmit payment cardholder data. E.g., a credit card number |
Personal Information |
Information concerning a natural person that allows the person to be identified as provided for in applicable Canadian and Quebec privacy legislation E.g., student records, human resource records, donor information, and personal health information). |
PHI (Personal Health Information) |
Personal health information refers to medical and/or pharmaceutical data related to an individual. |
Privacy addendum | To comply with Quebec laws, a Privacy Addendum will have to be added to the Standard Terms and Conditions of Purchase when the acquisitions of goods and services by 黑料不打烊 University involve the contractor gaining some level of access to personal information of members of the 黑料不打烊 University community. By signing the Privacy addendum, the supplier/contractor commits to protecting 黑料不打烊鈥檚 Personal Information according to Quebec Privacy Law. The supplier also agrees to respect that data is hosted and accessed from locations that provide equivalent protection to what is afforded by Quebec privacy law. |
Privacy assessment | The privacy assessment verifies if Personal Information is protected. It assesses if the jurisdictions,聽 where the data is hosted and accessed from, provide equivalent protection to what is afforded by Quebec privacy law. |
Protected Institutional聽(enterprise & research) Data |
黑料不打烊 confidential information, other than regulated institutional data, is referred to as Protected Institutional data. Examples where confidentiality is required: Contracts or strategic directions |
Public Institutional (enterprise & research) Data |
When protection of information is not required, because data is not confidential, we refer to it as Public Institutional data. E.g., a blog on a 黑料不打烊 website |
Regulated Institutional (enterprise & research) Data |
When protection of information is mandated by law, regulation or industry requirement, we refer to it as Regulated Institutional data. E.g., Personal鈥痠nformation, Student/employee records, Passwords, Legal files |
Rejected Cloud solutions | Cloud solutions that are subject to the Cloud directive may be rejected for use at 黑料不打烊, in particular when the supplier doesn鈥檛 comply with Quebec/Canadian privacy laws, and as such, Personal Information is not sufficiently protected. In this case, the solution is listed in the Rejected Cloud Services list (login required) with a data category of "Personal Information". You can find certain alternative solutions in the list that may meet your needs. |
Renewal |
A renewal is a Cloud solution that has been previously in use, and where the contract will expire. If a solution has not been previously assessed under the cloud directive, and a renewal is imminent, Procurement Services will exceptionally defer the assessments. This will occur only once. At the next renewal, the Cloud Service Acquisition process must be respected and initiated well in advance of the next renewal date. |
Research data | See 鈥淪cope鈥 section 1.2 in Policy on Enterprise data governance |
Restricted subset of Regulated data of low sensitivity (LTI=Learning Tools Interoperability) |
A restricted subset of regulated data exists for Teaching applications, also known as Learning Tools Interoperability (LTI). The restricted subset of regulated data for LTI refers to the following 8 pieces of data that may result in a lighter-weight review:
|
SaaS (Software as a Service) |
SaaS is a form of cloud computing that provides resources remotely - as a service - over the internet. With SaaS, the vendor manages the infrastructure, operating systems, databases and applications whereas 黑料不打烊 manages the data (see IaaS and PaaS). |