ISO Procedure for Annual Cloud Service Review

This is the procedure for modification, testing, distribution and operation of the ISO Qualtrics online review form that determines triggers for risk assessment reviews for cloud services.

Procedures for Annual Cloud Service Review

Procedure Description: Defines the process for updating, testing and distributing the Qualtrics review form, collecting and correcting data, and recording and reporting results.

The annual cloud service review

Date       Modification Type  Modified by  Approver
2/20/2019  Created in KB      bribbeck

Scope:  All Rice Cloud Services

Operating Standards:
  • For each cloud service an owner/steward is defined in the RT database
  • In Qualtrics an associated Contact List is used to display form information about the cloud service for each Owner/Steward
  • Each Spring (February-ish) the form is prepared and distributed to the Owner/Stewards.
  • The data gleaned from the survey is updated and reviewed to determine risk review options for existing cloud services.
Communications and documentation:
  • Cloud risk assessments will be provided to the service owner and OGC.  A notification to purchasing is done as a courtesy.  These are stored in Box, reviewed and documented at LINK.
  • Premise systems risk assessments are completed at system start up and reviewed when changed.  These documents are communicated to the service owners and stored with the system documentation (Docs) or inventory.
Step by Step Process to complete a risk assessment

REQUIREMENTS: 
  1. Access to Qualtrics
  2. Access to RT Cloud Service Catalog
PROCESS: Annual Pre-distribution process
    Steps 1-3 (this can take up to a week to complete, so plan accordingly)
  1. Validate data alignment between the database in RT and the Contacts list in Qualtrics (2019 New Cloud Service Owners). Create a new Contacts list with updated data if the data is not in sync with the database. The RT Database is authoritative.
  2. Verify that 9 services per owner is sufficient for the largest owner of services; if not, modify Look and Feel and Survey Flow by adding additional functions.
    1. If scaling the form is required, follow the scale up instructions in the highlighted areas of Look and Feel and Survey Flow and remember to add the scale elements to the Qualtrics Contacts.
  3. Testing
    1. If modifications were made, test all functions and logic in the changes. Use copy block and question to avoid mistakes in question format. Modify display and flow logic by following the highlighted template instructions for Look and Feel and Survey Flow.
    2. Verify Font, logic and flow consistency
    3. Check Spelling and Grammar                                        
    4. Test normal one-sitting completion and exit-then-return functionality
    5. Check data collection validation to ensure that user selections produce appropriate responses (test using any pre-formulated response that tests all functions)                                        
    6. Test distribution message content and delivery                                        
    7. Test end of survey response messages                                        
    8. Update any reminder messages                                        
    9. When testing is completed, send notification to all cloud stewards of pending communication regarding survey                                        
  4. Distribution day functions                                            
    1. Turn Off Ballot Stuffing <Survey Option> used during testing
    2. Delete all testing data <Data & Analysis>                                        
    3. Delete all test messages                                        
    4. Set an expiration date in <Survey Options>                                        
    5. Delete any RT tickets created during testing
    6. Use <Projects - Distributions> to send survey to all service owners                                        
    7. Monitor email, RT and responses to track user progress. Keep notes on any feedback or problems. You may not be able to fix some errors once the survey is operational, UNLESS IT IS JUST BROKEN
    8. Start collecting any change / no change data and updating RT Database review date and change information.  Update Contacts in Qualtrics                     
    9. When changing service owners of existing services, resend form invite to new service owners.                                    
Week 1                                            
  1. Send reminder emails from <Projects - Distributions>. Include TIME FRAME FOR COMPLETION
  2. Get counts of completed forms, look for communication failures, keep track of those not responding, and update the weekly report to CISO
                                                
Week 2   
  1. Send second reminder emails from <Projects - Distributions>. Include TIME FRAME FOR COMPLETION
  2. Get counts of completed forms, look for communication failures, keep track of those not responding, and update the weekly report to CISO
  3. Start calling non-respondents, identify supervisors
Week 3   
  1. Send FINAL reminder from <Projects - Distributions>. Include TIME FRAME FOR COMPLETION
  2. Get counts of completed forms, look for communication failures, keep track of those not responding, and update the weekly report to CISO
  3. Report non-respondents to administration for higher level communication
Final Cleanup                                               
  1. Add any new cloud services as per standard procedures
  2. Close out form once last respondents complete the form                                       




Keywords: Cloud, Service, Review, Security, ISO, Qualtrics
Doc ID: 89839
Owner: Barry R.
Group: Rice University
Created: 2019-02-20 09:38 CDT
Updated: 2019-02-20 09:39 CDT
Sites: Rice University