An Information Risk Assessment (privacy and security impact assessment) conducted by Information Security Services and the Secretariat concluded that cloud hosting of employee email would meet applicable privacy legislation and University policy. Recommendations to improve general awareness and understanding of information and communication resource privacy and security standards at Waterloo were provided to Information Systems & Technology (IST); a detailed review and assessment of these recommendations, such as enhancing related training opportunities, will be completed.

Accessing the Information Risk Assessment documents

Please use the buttons below to access the Information Risk Assessment (IRA) documents, including the initial intake form and the privacy and security assessments. Recommendations were made by both the University Privacy Officer and the Information Security Services group. These pieces have been pulled out from the IRA documents and listed below, with a response or action noted for each. 

You will be required to log in to view the IRA documents. Please use either of the following ID/name options (where username is eight (8) characters or less), followed by your WatIAM password:

  • nexus\username, or
  • username@Nexus

 

Information Risk Assessment recommendations and responses

The following recommendations (and corresponding responses) are the outcome of an initial Information Risk Assessment for the Microsoft Office 365 employee email project. The risks and/or recommendations made will continue to be reviewed as the project progresses and updates or additions to the below tables may be made.  

Privacy recommendations and responses

Recommendation Response Last updated
As part of apprising the Waterloo campus community about the various facets of this initiative, users (i.e., the defined client groups) should be made aware of:
  • The privacy and security practices of the vendor/platform (e.g., clearly indicate who the vendor is, link to their notice of collection/privacy statement).
  • To whom, within the university, to address privacy-related questions or concerns.
  • Whether information will be stored in a jurisdiction outside of Canada despite Office365's introduction of Canadian-based data centres.

IST has linked to Microsoft's Privacy Statement on the FAQ page.

IST has added contact details for the University Privacy Officer to the FAQ page.

IST has clarified data will be stored in Canadian data centres on the FAQ page. 

August 7, 2019
Any and all information submitted or data created by the user through their use of the platform is expected to be in accordance with applicable legislation, as well as university policy and guidelines. For example, while personal information can pass through the Office365 platform in a multitude of ways, the Guidelines for Secure Data Transmission outline the appropriate paths that should be followed as described here:

https://uwaterloo.ca/information-systems-technology/about/policies-standards-and-guidelines/security/guidelines-secure-data-exchange-choosing-information 

IST fully supports and operates in accordance with the Guideline for Secure Data Transmission.

August 7, 2019

It will be important to ensure that any appropriate processes are in place within the Office365 platform for records disposition according to outlined WatClass. Moreover, users of Office365 would benefit from reminders and education about, as well as instruction in strategies for maintaining records according to WatClass. Waterloo Records Manager, Chris Halonen (x38284), is to be contacted for discussions around this.

IST will work with the University Records Manager as recommended.

August 7, 2019

Contracts associated with any third party should be reviewed for legal considerations. Campus resources such as Procurement and Contract Services, as well as Legal Services are often involved in such contract review processes. A summary of contractual safeguards is listed below. As well, Appendix A provides a list of important contractual elements for consideration. Once available, agreements/contracts can also be submitted to Waterloo’s Privacy officer for review against these named privacy contractual elements.

Contracts will continue to be reviewed according to the established schedule (approximately every three years).

August 7, 2019

The project team should conduct an environmental scan in order to understand the privacy and security vulnerabilities that may have been experienced through existing use within the undergraduate population at our institution, as well as by other post-secondary institutions who have already adopted Office 365. The undersigned received some feedback from privacy officers at other post-secondary institutions as follows:
  • Greater implications of unauthorized access (e.g., phishing, hacking) to user accounts due to seamlessness between email, OneDrive, SharePoint, PowerBI, etc. Here, things such as multi-factor authentication or other similar processes are being implemented as an important security element.
  • Ensuring clear and timely off-boarding mechanisms – procedures must ensure that access to Office 365 is removed immediately in the case of termination, change of role on campus (temporary or permanent), etc.

Consultations were held with four Ontario universities (Toronto, Queen’s, Ottawa and Western) who have recently moved to Office 365 for employees, to learn of their experiences and any challenges encountered. The Information Security Services (ISS) team was included in these consultations and is therefore aware of any security-related concerns that may have been noted, as well as the privacy-related feedback received and shared by the Privacy Officer. With Office 365 already implemented for students, adequate enforcement of security policies and monitoring, and the availability of security controls (e.g. two-factor authentication), are in place.

August 7, 2019

The project charter outlines the important roles, tasks, as well as timelines associated with the Change Management Group. With regard to the training and support element, among other things, the campus community should be educated about the difference between the “old” and the “new”. In particular, given the increased seamlessness, collaboration, sharing, and inter-connectivity of services, emphasis should be placed on things such as ensuring appropriate permissions and access (e.g., identified user groups, read-only, password protection of files, etc.), sharing information on a strictly necessary need-to-know basis, awareness of important policies (e.g., Policy 46), and reminders of information and privacy practices and resources (https://uwaterloo.ca/privacy/).

If Office 365 is implemented, a pilot project would be planned, from which IST would learn more about the specific training and communications elements required. These pieces would then be integrated into the service deployment plan.

August 7, 2019

The privacy and security assessment should be revisited when contemplating the addition of any new tools within the Office 365 platform.

IST currently reviews privacy and security implications before enabling any new feature or application within the Office 365 environment, and will continue to do so.

August 7, 2019

Security recommendations and responses

Risk level

Recommendation

Response

Last updated

High

Office 365 / Azure AD is known to have delays (of up to 24 hours, or potentially longer) in providing logs for security events. Currently, with the on-premise environment, the security operations team has access to real-time log information. While it may be possible to mitigate some risk using Office 365 security features/policies such as conditional/risk-based access or other methods, unpredictable log delays in the Office 365 environment can prevent the ISS security operations team (SOC) from taking immediate action on important security events. Additionally, given the potentially large volume of logs to be processed, the project team should take into consideration whether UW’s SIEM infrastructure has sufficient capacity to handle the large volume of logs from the Office 365 environment. References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance

IST will explore the native capabilities of Office 365 further, consult with Universities that depend exclusively on Office 365 logging capabilities, and further clarify the implications of the log access delay inherent in Office 365 as we understand it.

August 7, 2019

High

With Office 365 / Azure AD, there is a greater interdependency between the Office 365 (cloud / SaaS), Azure AD (cloud / IDaaS), UW’s Active Directory (on-premise) and Sailpoint (on-premise) environments, which increases overall complexity and broadens the scope of the IAM environment/architecture as a whole. Historically, cloud-based integrations with UW’s IAM environment for larger solutions such as Workday have been challenging for IST. The project team can reduce the risk, for example, by clarifying the roles/responsibilities for the Azure AD Identity as a Service (IDaaS) model, reviewing the scope and sufficiently detailing the IAM architecture / identity management lifecycle, and taking a more formalized/systematic approach to change control that includes maintaining up-to-date documentation as well as appropriate testing/validation. See also attached cloud service types overview.

IST has implemented Office 365 for students, including the required integrations. As integration requirements evolve, IST is positioned to respond as needed.

August 7, 2019

Medium

The project charter indicates that “This movement is attributed to the fact that Microsoft has recently opened data centres in Canada, thus removing a security concern about data being accessible to the US due to the Patriot Act.” However, given that the vendor is primarily a US-based entity, this statement may be misinformation and may not be entirely true. The project team should clarify with UW legal / privacy before proceeding regarding data locations, applicable laws (e.g. US Patriot Act, US Cloud Act, etc.), as well as any other potential license restrictions such as US embargoes/sanctions that may affect UW users (faculty, staff, students) using the platform.

Microsoft conforms with privacy best practices and international standards such as ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud. When law enforcement organizations demand access to data stored by Microsoft, Microsoft refers them to their customer (unless Microsoft is prohibited by law enforcement from notifying their customer). It will then be up to the University to determine how to address such requests. This process is similar to what happens today with on-premise storage of data.

August 7, 2019

Medium

Although the project charter describes change management, the focus appears to be primarily from a business perspective. Currently IST does not adhere to a formal change management ITSM framework such as ITIL. The Office 365 environment is complex, quickly changing and requires new/different roles and skills than the current on-premise environment. Although IST may already have some experience with the Office 365 environment for students, it is unclear if there will be sufficient change management in place and training/transition for staff (within IST and on campus) that traditionally have expertise with on-premise environments. For example, if appropriate change management is not in place and/or staff are not appropriately trained, this may have an impact on security.

IST has implemented Office 365 for students, and as such has both the implementation and operational skills required. Moving employee email to the cloud would eliminate the remaining on-premises email infrastructure, significantly simplifying the overall environment, in terms of operations, client support, and change management.  IST is committed to adequate ongoing training, as needed, for staff.

August 7, 2019

Medium

While the project charter describes developing a high-level conceptual architecture, given the large scope/complexity of the initiative, it is unclear based on the project charter if security will be considered as part of the architecture that aligns with Office 365 security recommendations and best practices. The project team could reduce the risk by ensuring a security architect with Office 365 experience is a project resource and a sufficiently detailed security architecture for UW’s adoption of Office 365 is developed. Additionally, to reduce the risk, the project team should consider incorporating security checkpoints/reviews. A suggested list of security checkpoints and artifacts is attached.

IST has implemented Office 365 for students, which included consideration of security architecture. Moving employee email to the cloud and eliminating the on-premises email infrastructure enables a simpler overall architecture, and less complex security architecture.

August 7, 2019

Low

Although the project charter describes a deployment plan, if the project proceeds, it is unclear how IT operational activities will be maintained/managed on an ongoing basis. The project team should ensure that there is a strategy in place for ongoing IT operations and that there are sufficient IT operational resources with appropriate roles/responsibilities (e.g., authentication/access control administrators, change administrators, configuration administrators, compliance administrators, etc.) to avoid any potential gaps that could impact security.

IST has implemented Office 365 for students. Moving employee email to the cloud and eliminating the on-premises email infrastructure will reduce our operational resource requirements.

Other universities consulted, some with smaller IT departments than IST, have reported reduced operational requirements after having moved all of their email to Office 365.

August 7, 2019

Low

Given the large scope/complexity of the Office 365 cloud environment, it is unclear if the project team has taken into consideration the use of a Cloud Access Security Broker (CASB) to enforce security policies and for monitoring that is typically recommended for such cloud-based environments.

IST has implemented Office 365 for students, and has adequate enforcement of security policies and monitoring in place. As enforcement/monitoring requirements evolve across Waterloo’s significant on-premises and cloud based services, IST is positioned to respond to these as needed.

August 7, 2019

Questions or concerns?

Questions about the Information Risk Assessment can be directed to Jason Testart, director, information security services.