Application Service Providers

Category: Operations
Number: OPS-050-020
Audience: All University employees
Issued: September 17, 2007
Revised: June 19, 2016
Owner(s): AVP (Information Services)
Approved by: VP (Administration)
Contact: Associate Vice-President (Information Services) - 306-585-5646

Introduction

The University has an obligation to reasonably ensure all University-owned records are complete, accurate, secure and available to Faculty, Staff, and Students when legitimately needed. The University also has an obligation to ensure the academic, research, and administrative applications used by Faculty, Staff, and Students are available when needed.

When met, the above obligations ensure the University can meet the service requirements of its constituents. Use of an Application Service Provider (ASP) Vendor can be a legitimate approach to the delivery of application services within the University. An ASP vendor provides needed application services and stores records of the University within databases and upon servers that the ASP vendor runs and supports remotely from the University.

These ASP vendors may have their servers located in other provinces or countries. The ASP vendor may come under the legal jurisdiction and requirements of other provinces or countries and will be required to comply with those laws. This means that the services and associated data of the University may come under a foreign legal jurisdiction’s control and access. Since ASP vendor servers and applications are outside the immediate control of the University, there are additional risks with respect to assured availability and proper use of the application and data on an ongoing basis. These risks must be identified, assessed, mitigated where possible, and authorized as acceptable to the University.

Therefore, this Policy must be complied with for each new ASP vendor service being contemplated and for each ASP service currently in use. At a minimum, the review of existing ASP service offerings must occur once every three years in each unit. This will ensure a minimum level of due diligence is completed by the University with respect to the assessment and acceptance of the risk associated with any ASP offering.

To gather relevant information about the ASP's security practices, policies, procedures, and the application's data sensitivity, it is recommended that new ASP offerings undergo an ASP Security Assessment. The ASP Security Assessment serves as an input to the ASP High Level Risk Assessment. Given that security is a large determinant of risk, it is important that the ASP’s security controls and related risks be documented for the Authorized Representative to quantify and accept. The ASP Security Assessment is to be completed by the ASP prior to completing a risk assessment, and provided to the Authorized Representative and the Director Information Services – Customer Application Support. The security assessment should be reviewed with the same frequency as the risk assessments described in this policy.

Compliance with this policy ensures the University has assessed the risk of any ASP offering contemplated for use or already in use; however, it in no way ensures elimination or mitigation of that risk.

Policy

University faculty and staff shall ensure that any Application Service Provider (ASP) vendor offering contemplated for use within the University is adequately assessed for risk and that this risk is acknowledged and accepted by an Authorized Representative of the University by their signing a completed ASP High Level Risk Assessment form. Such authorization must be obtained prior to the University contracting for use of the service with the ASP vendor.

University faculty and staff shall ensure that any Application Service Provider vendor offering in use within the University is adequately assessed for risk on a periodic basis and that this risk is acknowledged and accepted by an Authorized Representative of the University by their signing a completed ASP High Level Risk Assessment form. Such periodic assessments must occur at least once every three years.

All risk assessments shall be completed using the University’s ASP High Level Risk Assessment form.

Roles and Responsibilities

Authorized Representatives

  • As required by the level of assessed risk identified on each ASP High Level Risk Assessment form, the appropriate Authorized Representative shall review and approve or disapprove the acceptance of the identified risks on behalf of the University.

Associate Vice-Presidents, Deans, University Librarian, Registrar, Directors

  • Prior to finalization of a contract or acceptance of a service offering from an ASP vendor, ensure that an ASP High Level Risk Assessment form is completed, assessed and approved by an Authorized Representative.
  • At least once every three years, complete an ASP High Level Risk Assessment form for each ASP service used in each unit under their responsibility. One form is required for each unit and ASP service combination.
  • Ensure each ASP High Level Risk Assessment form has been properly reviewed and authorized.
  • Provide a copy of each ASP High Level Risk Assessment form to the Director Information Services - Customer Application Support.

Director Information Services - Customer Application Support

  • Shall on an annual basis review all ASP High Level Risk Assessment forms on file and request units to complete an updated form on any ASP review that is three years old or older.

Consequences for Noncompliance

Supply Management Services (SMS) will not contract for ASP services until the appropriate ASP Risk Assessment documents are completed and signed by an Authorized Representative of the University. University funds may not be used to acquire ASP services from a vendor until an Authorized Representative has approved the appropriate Risk Assessment documents. Failure to comply will result in SMS, on behalf of the University, seeking to terminate the offending contract under its terms and conditions with all costs of termination being borne by the offending Unit.

If risks are not regularly assessed and accepted, the security of University-owned records and the assured availability of data could be compromised.

Related Information