
Glossary

The terms below provide you definitions and examples of common terms and acronyms used in the context of Cloud Services.

Term Definition & Examples
Access location
  • An access location refers to a geographical location from where suppliers have access to McGill’s personal data (independent of whether they access the data or not). E.g. Montreal for support desk; Toronto for the development team; Calgary for infrastructure team; Travel locations (location is the one at the time of access).
  • Approved access locations are Canada, the United States, any Member state of the European Economic Area, or another country that has been vetted by Legal Services.
  • Suppliers include any subcontractors and/or third parties used to deliver desired solutions.
Approved Cloud solutions Cloud solutions that are subject to the Cloud Directive must be assessed from a privacy, an IT risk and a contract perspective. If a solution has passed these reviews, it may be approved for use at McGill. Some of these solutions may be approved for everyone at McGill; others may be approved with certain restrictions. For more information, see the Approved Cloud Services list (login required).
Cloud Services A Cloud Service is a service or solution that is provided to a customer remotely as a service, by an external provider, and accessed over the internet. Cloud Services can be free or paid. It contrasts with on-premise solutions.
Contract assessment

The contract assessment serves to review contractual protections and conditions, particularly in relation to organizational and individual liability, financial terms, warranty, intellectual property, and other points as needed. It verifies that the obligations of the supplier (and its possible subcontractors) offer generally acceptable protections to the University with regard to the above, and that the University can in turn meet its own obligations (including toward any third party). The contract assessment, necessary to ensure due diligence, is based on the risk level associated with the acquisition of the Cloud service. It can range from a basic review (for Public data) to a basic review plus an IT Clauses assessment (for Protected and Regulated data).

  • Basic review:
    • A basic review focuses on certain areas of concern for the University in the Terms & Conditions, such as:
      • Intellectual Property (IP)
      • Liability
      • Financial terms
      • Privacy
      • Renewal/termination
      • Unusual clauses
  • Basic review and IT Clauses assessment: This review focuses on a review of all elements in the Terms & Conditions and the associated agreements.

For more information refer to the section "Steps to follow to perform the assessments" in the Cloud Process How-to page.

Data assessment The data assessment evaluates if the intended use (purpose) of the data in the cloud service is appropriate; it assesses whom the data is collected from in relation to the purpose, and verifies what types of users will be authorized to access the data.
Data subscription A data subscription refers to a model where a customer must pay a recurring price at regular intervals for access to data.
Deferral A deferral refers to categories of solutions that IT Services or Procurement Services has approved for use without carrying out the IT risk assessment, the privacy assessment, or the contract assessment. A deferral is only granted for a specific duration and under special circumstances; the cloud solution will therefore need to be assessed at a later stage.
Derogation

A derogation is an exceptional permission to use a Cloud solution that has failed the privacy, the IT risk and/or the contract assessment, under specific conditions and for a specific timeframe. This happens rarely and on a case-by-case basis only, and it requires special written approval by the Contract Compliance Officer (CCO) and the Chief Information Officer (CIO).

Directive

A directive sets aims, for a specific topic, that every McGill community member affected by the directive should follow.

E.g., the Cloud Directive defines how to acquire and use Cloud Services for McGill institutional data.

Hosting location
  • A hosting location refers to a geographical location where suppliers store/process or physically keep McGill’s personal data. E.g. Ireland for main data centre; Germany for backup data centre.
  • Approved hosting locations are Canada, the United States, any Member state of the European Economic Area, or another country that has been vetted by Legal Services.
  • Suppliers include any subcontractors and/or third parties used to deliver desired solutions.

IaaS

(Infrastructure as a service)

IaaS is a form of cloud computing that provides infrastructure resources remotely, as a service, over the internet. With IaaS, the vendor manages the infrastructure whereas McGill manages the data, application, database and operating system (see PaaS and SaaS).
Institutional Data All data owned or licensed by the University. Institutional Data is either Regulated Institutional Data, Protected Institutional Data or Public Institutional Data.
IT Risk assessment

The IT Risk assessment evaluates the likelihood that a cloud solution impacts data confidentiality, integrity and availability. It is the process of identifying security risks and assessing the threat they pose. It also measures how well a cyberattack or data breach could be managed (security resilience). The ultimate goal of the IT risk assessment is to mitigate risks in order to prevent security incidents and compliance failures. The IT risk assessment, necessary to ensure due diligence, is based on the risk level associated with the acquisition of the Cloud service, and can range from a limited assessment to a full assessment of the Cloud service.

  • Limited assessment
    • The limited assessment is based on third-party reviews, such as BitSight or SecurityScorecard ratings. The following risks are reviewed:
      • Risk of systems being compromised
      • Risk of diligence
      • Risk related to user behavior such as file sharing or exposed credentials
      • Risk of public disclosure
  • Full assessment:
    • The full assessment evaluates the following topics:
      • The supplier and its products/services in scope
      • Third parties that the supplier depends on
      • The geographic regions where the supplier hosts its services or can access McGill data from
      • The high-level architecture diagram of the supplier’s complete solution
      • The flow of data between McGill University and the supplier indicating any location and third party where data will be stored
      • The supplier’s approach to managing IT Operations, including data backup management, technical vulnerability management and release management.

For more information refer to the section "Steps to follow to perform the assessments" in the Cloud Process How-to page.

On-premises solutions On-premises solutions are installed and run on computers within the walls of McGill, rather than being delivered remotely by a service provider. This contrasts with Cloud Services.
PaaS (Platform as a service) PaaS is a form of cloud computing that provides resources remotely, as a service, over the internet. With PaaS, the vendor manages the infrastructure, operating system and database whereas McGill manages the data and application (see IaaS and SaaS).

PCI

(Payment card industry)

The Payment Card Industry (PCI) regulations govern the use of all cardholder data. They apply to all merchant organizations that store, process or transmit payment cardholder data.

E.g., a credit card number

Personal Information

Information concerning a natural person that allows the person to be identified, as provided for in applicable Canadian and Quebec privacy legislation.

E.g., student records, human resource records, donor information, and personal health information.

PHI

(Personal Health Information)

Personal health information refers to medical and/or pharmaceutical data related to an individual.
Privacy addendum To comply with Quebec laws, a Privacy Addendum must be added to the Standard Terms and Conditions of Purchase whenever an acquisition of goods or services by McGill University involves the contractor gaining some level of access to personal information of members of the McGill University community. By signing the Privacy Addendum, the supplier/contractor commits to protecting McGill’s Personal Information according to Quebec privacy law. The supplier also agrees to ensure that data is hosted in, and accessed from, locations that provide equivalent protection to what is afforded by Quebec privacy law.
Privacy assessment The privacy assessment verifies whether Personal Information is protected. It assesses whether the jurisdictions where the data is hosted and accessed from provide equivalent protection to what is afforded by Quebec privacy law.
Protected Institutional (enterprise & research) Data

McGill confidential information, other than regulated institutional data, is referred to as Protected Institutional data.

Examples where confidentiality is required: Contracts or strategic directions

Public Institutional (enterprise & research) Data

When protection of information is not required, because data is not confidential, we refer to it as Public Institutional data.

E.g., a blog on a McGill website

Regulated Institutional (enterprise & research) Data

When protection of information is mandated by law, regulation or industry requirement, we refer to it as Regulated Institutional data.

E.g., Personal information, Student/employee records, Passwords, Legal files

Rejected Cloud solutions Cloud solutions that are subject to the Cloud directive may be rejected for use at McGill, in particular when the supplier doesn’t comply with Quebec/Canadian privacy laws, and as such, Personal Information is not sufficiently protected. In this case, the solution is listed in the Rejected Cloud Services list (login required) with a data category of "Personal Information". You can find certain alternative solutions in the list that may meet your needs.
Renewal

A renewal refers to a Cloud solution that is already in use and whose contract is about to expire.

If a solution has not been previously assessed under the cloud directive, and a renewal is imminent, Procurement Services will exceptionally defer the assessments. This will occur only once. At the next renewal, the Cloud Service Acquisition process must be respected and initiated well in advance of the next renewal date.
Research data See “Scope” section 1.2 in Policy on Enterprise data governance
Restricted subset of Regulated data of low sensitivity (LTI = Learning Tools Interoperability)

A restricted subset of regulated data exists for Teaching applications, also known as Learning Tools Interoperability (LTI). The restricted subset of regulated data for LTI refers to the following 8 pieces of data that may result in a lighter-weight review:

  • Student name
  • McGill Username
  • McGill email
  • McGill student ID
  • User’s D2L ID
  • User’s D2L role
  • Courses enrolled
  • Program enrolled

SaaS

(Software as a Service)

SaaS is a form of cloud computing that provides resources remotely, as a service, over the internet. With SaaS, the vendor manages the infrastructure, operating systems, databases and applications whereas McGill manages the data (see IaaS and PaaS).