When acquiring or using a free or paid Cloud Service, you need to ask yourself the questions below to ensure the Cloud Service meets your needs. To answer some of these questions, you may require assistance.
Depending on the purpose of the solution you are looking for, your initial contact is not the same.
| Primary use of the solution | Contact | Contact details |
|---|---|---|
| Teaching and Learning purposes | Contact Teaching and Learning Services for information onTeaching and Learning Technologies | tls [at] mcgill.ca |
| Supporting or enabling research |
Contact Digital Research Services for information on research data management, research software, or research computing |
drs [at] mcgill.ca |
|
Administrative or support purposes |
Contact your portfolio or account manager |
For more information, see: |
For general questions about the use of Cloud Services, contact . (login required)
When do you need to ask yourself these questions?
-
Prior to acquiring the Cloud Service
-
When using the Cloud Service
-
At renewal of the Cloud Service
Prior to acquiring the Cloud Service:
Is your proposed solution really a Cloud Service?
Validate that the solution you are considering is in fact a Cloud Service. A Cloud Service is delivered remotely by an external provider via the internet. It differs from an “on-premise” solution that is installed on ƻԺ’s own servers and behind our own firewall. On-premise solutions are not subject to the same considerations as cloud solutions.
What types of ƻԺ data will you use in the cloud?
When your data is stored in the cloud, the cloud provider typically also has access to this data. For this reason, depending on the level of sensitivity of the data that will be used, cloud solutions must be assessed to ensure they provide protection as required by Quebec and/or Canadian law.
For more information on the different data types, visit Cloud 101or for more details, review the Standard on Enterprise Data Classification.
For assistance, please contact the appropriate group (see the contact details table at the top of this page).
For researchers:
As a researcher, you are responsible to assess cloud solutions from a compliance and risk perspective. If you require assistance to perform this due diligence you may request support from IT services by filling out the .
Did you confirm that you can indeed use your data in the cloud?
You will need to obtain approval from the appropriate Data Trustee - that is, the person that has been designated as responsible for the data you would like to put in the Cloud Service. See the Data Trustee contact list to determine whose approval you will require.
To learn more about the role of the data trustee, refer to the Policy on Enterprise Data Governance.
To request Data Trustee approval, fill out the .
For more details on how to fill the form, visit the .
For assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
For researchers:
If you are a researcher and you need a cloud service to support or enable your research, you are responsible yourself to assess cloud solutions from a compliance and risk perspective. In addition, researchers are identified as the Data Trustees for research data. This means that you perform the data assessment (step 2), the ITrisk assessment (step 4), and the contract assessment (step 5) yourself. If you require assistance to perform this due diligence, you may request support.
| Questions related to | Contact | Contact details |
|---|---|---|
| General research questions | Digital Research Services | drs [at] mcgill.ca |
| IT Risk assessment | IT Services | For assessment support, complete the(login to IT Support Site is required) |
| Contract assessment | Procurement | cloudservices.procurement [at] mcgill.ca. |
Does ƻԺ already have a similar solution in place that could meet your requirements?
There are many solutions already in use at ƻԺ. It will be important to verify if one of these solutions meets your needs. It will simplify the acquisition process and save you time.
For assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
For Cloud Solutions, in particular, you may consult the approved Cloud Services(requires login) list. For more questions, send an email to itgovernance.its [at] mcgill.ca
What are your requirements?
Your requirements need to be complete, clear, precise and consistent. They need to identify what data will be stored, processed, transmitted or created in the new solution. Ask yourself the question if your data is considered “public” data. If it isn’t, we recommend you to contact the initial contact (see at the top of this page) and work with them to fill in the. In this form,you will be asked to clearly identify these requirements. This is the first step in the Cloud Service Acquisition process.
For more details on how to fill out the form, refer to the .
For assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
As a researcher, you are responsible to assess cloud solutions from a compliance and risk perspective. If you require assistance to perform this due diligence you may request support from IT services by filling out the .
Most Cloud Services cannot be customized. Can you work within these constraints?
It is important to know that most cloud solutions have limited customization options. If your processes cannot be adjusted to fit within the functionalities of the cloud solution, we encourage you to look for alternatives.
For assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
Have you researched alternative solutions that meet your needs?
We recommend that you explore more than one solution in case the vendor cannot comply with the regulatory obligations that ƻԺ needs to respect.
Also, there are many technology solutions already in use at ƻԺ, and one of them may already meet your needs.
Visit the approved Cloud Services list (requires login) or for assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
Do you know what happens to your data when you decide to leave the cloud solution?
There are many reasons why you may decide to stop using your cloud solution: your evolving needs, market changes, compliance requirements, etc. A well-defined exit strategy will ensure business continuity and avoid vendor lock-in by allowing you to migrate your data to another service provider.
In considering the cloud solution, identify the ease or difficulty with which you can extricate yourself from the cloud solution should the need arise. Consider the following:
- How is the data stored, and will you be easily able to export, and migrate it to a different solution?
- How easy is it for you to obtain the data and subsequently store it elsewhere?
- Does the vendor have practices in place to destroy the data after you extract it?
- What assistance (and any associated costs) will the vendor provide in migrating data from the cloud to elsewhere? For example: data extracts in a standard industry format, support services.
Are you aware of the funding model for the acquisition of the Cloud Service?
Cloud Services at ƻԺ are considered an operational expense. You need to ensure that the recurring subscription costs for the use of the Cloud Service are budgeted.
Talk to your superior or your financial officer to ensure the costs for this Cloud Service are included in your department budget.
How soon do you need to start using the Cloud Service?
All free and paid Cloud Services (except those that solely involve public data) must first undergo an assessment process to ensure that by adopting a vendor’s solution ƻԺ will be able to comply with applicable Quebec and Canadian laws and regulations. These assessments involve information exchanges between the vendor and several departments within ƻԺ in order to assess the vendor’s ability to adequately safeguard the data within their cloud solution.
Obtaining and analyzing this information may take up to 3 months or more. You need to take this delay into account when planning for the acquisition of a cloud solution.
Refer to the Cloud Service Acquisition process to learn more about the different assessments that need to be done.
If possible, consider using a ƻԺ-approved Cloud Service. This can speed up the process significantly, as these solutions have already been approved.
For more questions, send an email to itgovernance.its [at] mcgill.ca
How do you pay for a cloud service once its use has been approved?
How you "pay" for a Cloud solution is separate and distinct from whether a Cloud solution is "authorized for use". Receiving approval to use a Cloud solution is a pre-requisite to pay for that solution. ճCloud Service Acquisition processprovides more details on how to obtain approval to use a Cloud solution.
ճpreferred method of paymentis to use ƻԺ Market Place to issuePurchase Orders, generally regardless of the invoice amount. Purchase Orders (PO) incorporate Procurement Standard Terms and Condtions, and thus, provide additional privacy protection compared to the use of the PCard. Under exceptional circumstances, Procurement may allow the use of PCards.
In addition, a Purchase Order provides ƻԺ with more visibility of Cloud solutions requested by the ƻԺ community and allows to rationalize how many different solutions are deployed at ƻԺ and to consolidate requests to be able to achieve better deals with suppliers.
When using a Cloud Service:
Do you have the resources and expertise to support the ongoing maintenance and monitoring of the Cloud Service and vendor?
You need to ensure that your unit has the capability and the capacity to support the ongoing maintenance and monitoring of the Cloud Service. It is strongly recommended to dedicate the right expertise and resources to these activities. It is important to understand the vendor's expectations regarding your involvement in any solution evolutions and your expectations regarding the vendor's service level responsibilities.
At renewal of a Cloud Service
What happens when you want to renew the Cloud Service?
Cloud Services do not need to undergo the assessment process upon renewal, unless one of the following factors is present:
- There have been issues regarding the level of service provided by the vendor
- The vendor changes processes, systems, or « flow of data » possibly impacting the assumptions used in the previous assessment conducted
- Any breach of contract related to security, performance, or privacy compliance
- The scope of use for the solution has or will change. This may include changes with the processes and/or the associated data (classification, volume, etc.)
- Significant changes to laws, regulations and industry standards that would necessitate a review and possibly a change (i.e. an amendment) to the contract
For assistance, please contact the appropriate group (for contact details, see the table at the top of this page).
Have you planned the time and budget for the renewal of your subscription?
Given that renewals of payable cloud solution subscriptions need to be accounted for in each fiscal year, work with your Fund Financial Manager (FFM) to identify these renewals as soon as possible in the fiscal year (i.e. start of fiscal year is May 1st). The renewal of the cloud solution subscription may require significant time to process if a risk assessment is required. Therefore, you should use the opportunity of the financial planning to ensure they are identified well in advance of the planned renewal date and factor in a minimum lead time of 3 months.
