Information Technology - Third Party - Security Policy

Section 1 - Purpose and Scope

Purpose

(1) Before procuring or implementing any third-party Information Technology (IT) services, a formal information classification and risk assessment must be undertaken by Technology Services. The risk assessment must be approved by the Director, Cyber Security, or Vice President (Operations) where there is high to significant risk. Third-party services not meeting minimum standards or lacking approval may be removed or isolated from the University’s IT environment.

Scope

(2) Third-party IT services refer to IT services where the application and/or data reside on hardware not owned by the University. There are three main types of third-party IT services: hosting, software as a service (SaaS), and third-party computing.

  1. In a hosting scenario, IT resources are allocated exclusively by the provider to the University, with minimal or no sharing of capabilities or costs among multiple user organisations.
  2. In the third-party/cloud computing scenario, IT resources are allocated to applications and/or user organisations with elasticity, providing just-in-time, on-demand, and metered quantity and quality (advanced capability).
  3. In the software as a service (SaaS) scenario, IT resources are offered to multiple user organisations using the same application, but each user organisation experiences it as if it were the only entity using the application.

(3) Non-SCU entities that operate IT resources or handle institutional information are considered third parties for the purposes of this policy.

Section 2 - Policy

Risk Assessment

(4) Before procuring or implementing a third-party IT service, the Technology Services Cyber Resilience Team must conduct a detailed risk assessment. This assessment should identify risks associated with the implementation of the service, and an evaluation of these risks, along with appropriate management actions and mitigations, must be included in any business case.

(5) Throughout the lifespan of the third-party IT service, risks related to its ongoing use must be incorporated into the risk management plans of Technology Services and the business owners for periodic review. These plans should include specific risks related to upgrades, additions, and new versions of the system (whether initiated by the University or the vendor), as well as monitoring assurance reports provided by vendors.