Government Of Alberta Cloud Services Policy


Government of Alberta Cloud Services Policy

Approved By: Deputy Minister Council
Effective Date: December 6, 2017
Review Date: July 1, 2018
Issued By: Office of the Corporate Chief Information Officer
Contact:

Office of the Corporate CIO, December 2017, Page 1 of 9

1. Policy Name

Government of Alberta (GoA) Cloud Services Policy

2. Policy Statement

It is the policy of the Government of Alberta (GoA) that the Information Management and Technology service delivery model include Cloud Services.

3. Purpose

The purpose of the GoA Cloud Services Policy is to provide clear direction and establish the principles and guidelines to enable adoption of Cloud services. Adoption of Cloud Services is important for the GoA to transition to a Digital Government and transform service delivery. The expected outcomes are increased clarity and agility in the process of acquiring, deploying and managing Cloud Services as well as better risk management as it relates to information, contracts, fees and services.

4. Scope

This policy applies to all departments in the GoA and applies to government-wide, sector, and department solutions. It includes any form of Cloud Service(s), which includes Public and Private Cloud and Infrastructure, Platform, and Software as a Service (or any related variation of as-a-service model).

5. Guiding Principles

• Right Cloud Approach
The GoA will adopt a Right Cloud approach when investing in new projects or application / infrastructure renewal efforts. This approach means selecting the most suitable combination of Public Cloud, Private Cloud or Non-Cloud; and Infrastructure, Platform or Software as a Service based on business needs and evaluation of risks.

• Security and Privacy
Cloud Services will ensure that data and information is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction.

• Accessibility
Cloud Services will provide the right, opportunity, and means of finding, viewing, using, and retrieving data and information to those authorized to do so in order to fulfill GoA’s legislative requirements.

• Government-wide Approach
Adoption of Cloud Services will take a government-wide approach to ensure that where common service needs exist, common service delivery options are pursued to provide the GoA with the best value for services provided and minimize duplicate services.

6. Policy Details

6.1 Cloud Services Governance and Management

6.1.1 The GoA will adopt a “Right Cloud Approach” which means prior to acquiring Cloud Services, the business owner of the proposed service must complete a Right Cloud Suitability Assessment to select the most suitable combination of Public Cloud, Private Cloud or Non-Cloud; and Infrastructure, Platform or Software as a Service.

6.1.2 A Cloud Services Broker, residing in Service Alberta, will be used by all departments to acquire and manage the Cloud Services that are best suited to fulfil their business objectives, minimize risk to the GoA as well as minimize duplicate services and infrastructure across the GoA.

6.1.3 The Cloud Services Broker will provide oversight for all Cloud Services used by the GoA to provide government-wide visibility into costs, benefits and risks and to ensure alignment with a one-government approach to service delivery.

6.1.4 The following matrix establishes authority to approve a Right Cloud Suitability Assessment and use of a Cloud Service in the GoA:

Level of Authority: Deputy Minister, Service Alberta
Cloud Service Properties:
• Information is classified at Protected C;
• GoA is accepting a limitation on third party liability; or
• Total Cost of the Cloud Service exceeds Corporate Chief Information Officer’s signing authority.

Level of Authority: Corporate Chief Information Officer
Cloud Service Properties:
• Information is classified at Protected A or B and resides outside of Canada; or
• Cloud service contract terms and conditions deviate from the GoA’s preferred terms and conditions.
• Total Cost of the Cloud Service must be within the Corporate Chief Information Officer’s signing authority.

Level of Authority: Sector/Ministry Chief Information Officer
Cloud Service Properties:
• Information is classified at Protected A or B and resides in Canada or information is classified as Public; and
• Total Cost of the Cloud Service is within the Sector CIO’s Expenditure Officer signing authority.

6.2 Procurement and Vendor Management

6.2.1 The GoA Cloud Services Broker will maintain an inventory of all Cloud Service providers approved to provide services to the GoA and will provide a vendor management function for GoA Cloud services to continually assess risks to the GoA and ensure that the GoA receives the expected value for those services.

6.3 Contract Terms and Conditions

6.3.1 The GoA will publish a Cloud Computing Contract Guideline to reflect the GoA’s preferred set of terms and conditions for Cloud Service agreements.

6.3.2 GoA may accept a cap on third-party or direct liability. The amount of the cap and circumstances where the cap will apply will be determined through a risk assessment.

6.4 Information Management and Security

6.4.1 The GoA will manage all major milestones of data and information that GoA will store in the Cloud Service to ensure integrity including creation/collection, classification, organization, use, storage, retention, and disposition.

6.4.2 Prior to adopting a Cloud Service, all information intended to be managed by the cloud service must be classified according to the Data and Information Security Classification Standard. This classification will be used to determine the necessary security controls, including data encryption, specified in the Data Security in the Cloud Standard or other security policies.

6.4.3 GoA may adopt cloud services where data resides outside of Canada where permitted by legislation, where adequate security safeguards are in place to mitigate risks with storing data outside of Canada and where subject to the approval matrix in section 6.1.4.

6.4.4 The business owner must assess information and security risks and ensure that GoA standards are met. The assessment must consider information security, privacy, data residency, usage, retention and disposition, repatriation, availability, business continuity planning, emergency response and accessibility during the period of validity of the contract and also in the event of a planned or unplanned termination of the cloud services. The business owner must ensure that risks are reviewed annually to continually assess information and security risks and will report unmanaged risks to the Cloud Services Broker.

6.4.5 All GoA records residing within the Cloud Service must be replicated or backed up and be accessible to the GoA in the event the Cloud Service becomes inaccessible (e.g. due to a disaster event, termination of service) based on GoA’s business continuity requirements.

6.4.6 GoA must develop a business continuity plan for the Cloud Service and ensure that the plan is adequately tested.

6.5 Accounting for Cloud Service Costs

6.5.1 Prior to acquiring a Cloud Service, the business owner must determine the total cost of Cloud Services over the projected time period where GoA is expected to subscribe to the Cloud Service, including any additional costs for configuration, data management and network access.

7. Roles and Responsibilities

The Deputy Minister Committee will own and be responsible for approving this policy and the Deputy Minister Corporate Services Innovation Committee is responsible for maintaining, reviewing, monitoring use and advising on this policy.

8. Monitoring and Evaluation

This policy will be evaluated based on:
• Where a business decision has been made to address a business solution with Cloud Services, GoA adopts the needed Cloud Services in an efficient manner;
• When considering digital transformation initiatives and Cloud Services are available, Cloud Services are a viable and accessible option for GoA to consider;
• Risks associated with adoption of Cloud Services are understood and managed.

9. Effective Date

This policy is effective December 6, 2017.

10. Review Date

This policy is scheduled for review 6 months after the Effective Date and annually afterwards.

11. Associated Documents

• Acts and Regulations
  o Freedom of Information and Protection of Privacy Act
  o Government Organization Act
  o Records Management Regulation
• Policies, Standards and Directives
  o Data and Information Security Classification Standard
  o Data Security in the Cloud Standard
  o Procurement Accountability Framework
  o Procurement and Sole Sourcing Directive
  o GoA ICT Capitalization Policy
• Frameworks and Guidelines
  o Cloud Computing Contract Guideline (to be created)
  o Right Cloud Suitability Assessment
  o Cloud Broker Management Plan

12. Authority

This policy is approved by the Deputy Minister Council.
December 6, 2017

Appendix: Definitions and Abbreviations

Term: Cloud Services or Cloud Computing Services
Meaning: IMT Service Delivery model where computing infrastructure, platform or software is provided as a utility over the Internet, rather than as a product; and paid for on a subscription basis.

Term: Cloud Services Broker
Meaning: A Cloud Services Broker is a business function within the GoA which acts to enable GoA business units to receive services from a Cloud Service provider. Cloud Services Brokers have the expertise to procure Cloud Services, manage relationships with providers, manage billing, and monitor consumption of services.

Term: Cloud Services Provider
Meaning: A third party vendor that offers a Cloud Service to customer organizations.

Term: Cloud Service Subscription Agreement
Meaning: A contractual agreement between GoA and a Cloud Services Provider to provide a Cloud Service to the GoA for a fixed or open term.

Term: Cloud Service Systems Integration Agreement
Meaning: A contractual agreement between GoA and a vendor to integrate (e.g. configure, transfer data, integrate with other GoA business solutions) GoA business solutions with one or more Cloud Service that the GoA will separately establish a Cloud Service Subscription Agreement for. A Cloud Service Systems Integration Agreement may also be used at the termination of a Cloud Service Subscription Agreement to re-patriate data from the Cloud Service back to the GoA or transfer to a new service provider.

Term: Non-Cloud Services
Meaning: Traditional Information Technology deployment model where all infrastructure, platforms and applications are deployed in Data Centre space owned, leased or co-located by the GoA.

Term: Public Cloud Services
Meaning: A Cloud Services deployment model in which tenancy may be shared by the GoA with multiple customers in public and private sector in multiple jurisdictions and from multiple industry verticals.

Term: Private Cloud Services
Meaning: A Cloud Services deployment model in which tenancy is restricted to a single organization, in this case the GoA.

Term: IaaS
Meaning: Infrastructure as a Service. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). (Definition by NIST – US National Institute of Standards and Technology)

Term: PaaS
Meaning: Platform as a Service. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application hosting environment. (Definition by NIST)

Term: SaaS
Meaning: Software as a Service. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (Definition by NIST)

Revision Record/Version History

Version # | Date Changed | Updated By | Description of Change
          | Enter Date   |            |
          | Enter Date   |            |
          | Enter Date   |            |
          | Enter Date   |            |
