View Document

IT Hardware and Software - Cloud and Managed Services Procedure

This is the current version of this document. You can provide feedback on this document via the 'Feedback' tab above.

Section 1 - Purpose / Objectives

(1) The Cloud and Managed Services Procedure provides an assessment and approval framework for Cloud Computing solutions and services. The framework provides a risk based approach to the use of cloud computing to ensure a suitable transition is made to the cloud or a managed service provider.

(2) Cloud Storage and Managed Services supports the IT Hardware and Software Policy .

(3) This Procedure should be read in conjunction with the Information Security Policy and Records Management Policy .

Top of Page

Section 2 - Scope / Application

(4) This procedure applies to:

  1. Victoria University staff and post-graduate students.
  2. Delivery of shared services not hosted or managed by the University.
  3. Departments considering the use of cloud storage systems in lieu of corporate IT systems.

(5) This Procedure does not apply to VU staff and affiliates who wish to use external file synchronisation and sharing (cloud storage services) tools through a personal subscription for performing their work at VU. See Cloud Personal Storage Guidelines .

Top of Page

Section 3 - Definitions

(6) Nil

Top of Page

Section 4 - Policy Statement

(7) Nil

Top of Page

Section 5 - Procedures

A. Roles/Responsibilities

Roles Responsibility
VU Department Develop a Cloud Managed Services Risk Management Plan and Risk Assessment for Cloud Service Provider.
ITS Provide consultancy services to assist in the development of the Cloud and Managed Services Risk Management Plan.

B. Procedures

Cloud and Managed Services

(8) The strategic decision is to use Clouding Computing or Managed Services as a preferred model where there is a clear demonstration of cost savings and overall business value for the University.

(9) There is a growing trend within the industry to obtain Information and Communication Technology (ICT) systems and applications managed in the cloud due to the low costs and simple access methods using the Internet.

(10) Without a defined framework the University can be exposed to the following risks:

  1. Loss of University information;
  2. Noncompliance to Federal and State based legislation;
  3. Increased usage costs.

(11) VU Departments considering the use of cloud and managed services systems in lieu of corporate IT systems must complete a full procurement process, including a full risk assessment and consideration of options.

Cloud Managed Services Risk Management Plan

(12) Contracts with Cloud providers or IT managed service providers cannot be entered without a risk based assessment being undertaken.

(13) All commercial and organisational risks need to be assessed, outlining any compliance, contractual and reputational impacts to the University by developing a Cloud Managed Services Risk Management Plan:

  1. Cloud Managed Services Risk Management Plan
  2. Cloud & Managed Services Risk Assessment Criteria

(14) Architectural design is to be included in the assessment process and approved by ITS.

(15) ITS provide consultancy services to assist in the development of the "Cloud and Managed Services" Risk Management Plan.


(16) Consultation with the following areas in VU must be undertaken during the assessment process:

  1. IT Security and Assurance team (Information Technology Services)
  2. Records Services team (Records and Archives Services)
  3. Legal Services team for the provision of Legal advice (Legal Services)
  4. Web Services team to ascertain the impact on usability standards for services provided online (Web Services).


(17) Initial approval by the business owner supported by a Deputy or Pro-Vice-Chancellor.

(18) Final approval by the Pro-Vice Chancellor and CIO /Direct reports required before contracts can be signed.

Cloud and Managed Services Register

(19) Cloud and managed services register to be updated.

Top of Page

Section 6 - Guidelines

(20) Nil