What's a CAQ?

16 March 2022

Did you know you may need to fill in a Cloud Assurance Questionnaire (CAQ) and submit it to dts.cyber.security.and.risk@lse.ac.uk BEFORE commissioning an external (non-LSE) cloud provider to handle personal data? 

A CAQ is not just for cloud storage systems. You should also complete one if you and your project team want to use a cloud application that would store and process your data. There are many types of cloud computing, but the three most common covered by a CAQ are SaaS, IaaS, and PaaS. 

A CAQ asks questions about the provider's cyber security posture for the Project Team to consider before commissioning. Part A is completed by the Project Team, and Part B by the cloud provider. 

  • You should also read the cloud provider's Terms of Service and Privacy Policy to check for GDPR compliance.
  • Learn what data they handle, where the data is physically stored, how long the data is kept for, and what the data is used for.

A CAQ isn't always necessary. You do not need to submit one if: the SaaS would only be optional (not a requirement) for teaching or research, and the cloud provider's privacy policy meets the level of assurance required by the School's DPO; or the SaaS is added functionality to an existing cloud solution; or the service is provided by Microsoft, AWS, or Salesforce. 

If you are carrying out a research project, please plan ahead. You may need to write a data management plan (DMP), and a CAQ will help you and your project team decide if a non-LSE cloud provider is an appropriate solution for your DMP.

  • Remember, you need to inform your research participants how their personal data may be used (for example, transcription apps may use your audio files to improve their voice recognition).

To summarise, always use LSE-provided storage and sharing facilities before considering an external cloud provider. DTS provides full support for OneDrive/SharePoint/Teams and filedrop. But if you think an external (non-LSE) cloud provider is necessary:

  • For academic research projects only: Write your DMP and share it with the Data Library, either directly within DMPOnline or by email at datalibrary@lse.ac.uk;
  • For research projects & PSS commissioned projects: Complete a CAQ! The project team and the cloud provider need to answer the questions. Please email the completed CAQ to dts.cyber.security.and.risk@lse.ac.uk who will share feedback about the cloud provider's cyber security posture. You and your team can then decide whether it's appropriate to commission this cloud provider.