Cloud Services Ordering Process

This procedure establishes the steps in determining when to utilize the Third Party Cloud Hosting Security Questionnaire and the process surrounding its review.

Step 1

The department evaluates a potential hosted software, hardware or service acquisition, answers the question below, and attaches the answer to the requisition in KFS. This only needs to be completed if data is being stored in systems or data centers other than those at the University of Connecticut.

  1. Is the information the vendor will host considered Confidential as determined by University policy and standards:
    1. http://policy.uconn.edu/2012/06/21/confidential-data-information-technology/
    2. http://security.uconn.edu/extended-list-of-confidential-data/

Step 2

If the answer to the above is affirmative, the Purchasing Agent will forward the Third Party Cloud Hosting Security Questionnaire to the vendor. The Purchasing Agent and the Information Security Office will work with the vendor to ensure the questionnaire is completed, or act as a resource for the vendor as necessary.

Step 3

The Information Security Office will evaluate the responses to the questionnaire and will provide procurement a recommendation based on any potential risk.

Step 4

The Purchasing Agent will report the Information Security Office's recommendations to the department so that it can make the final determination regarding the purchase, after being informed of the vendor’s security posture and potential risk.