Skip to content

Cloud Computing Use Inherent Risk Schedule

Schedule overview

1 Purpose

To provide the University community with a decision framework to help identify and understand the risks associated with Cloud Computing.

2 Scope

This schedule must be read in conjunction with the Engagement of Cloud Services Procedure and is subordinate to it.

This document is not intended to replace a comprehensive risk management process needed for deployment of a University-based Cloud Computing service.

3 Schedule

3.1 Cloud Computing Use Inherent Risk Matrix

Below is a Cloud Computing Use Inherent use Matrix based on the Information Asset and Security Classification Procedure.

Information Security Classification

Public Information

Internal Information

Restricted Information

Cloud System Category

Cloud Services procured by the University using a formal project management approach, in consultation with ICT Services, and consideration of the relevant legislation and University policies (e.g. QCIF eResearch Services, Office 365, Blackboard)




Established and widely used public Cloud Services - Data centre is located in Australia, EU countries, Canada Hong Kong, Malaysia, South Korea, New Zealand (eg. Telstra Cloud, Amazon Australia)




Established and widely used public Cloud Services - Data centre is located in the USA, China, Japan, India, Singapore, Philippines and Vanuatu (e.g. Dropbox, Google Docs, iCloud)



Not Acceptable

Emerging Cloud Computing providers


Not Acceptable

Not Acceptable

Table 1: Cloud Computing Use Inherent Risk Matrix

Where a proposed use of Cloud Computing is in the red section, contact the Manager (Enterprise Information Management) or ICT Services for information on possible solutions or options.

Where a proposed use of Cloud Computing is in the yellow section, the following issues/questions should be considered:

  1. Legislative or contractual compliance
    1. Does the cloud provider meet contractual or legislative obligations to protect or manage the data/information, e.g. Information Privacy Act 2009, Right to Information Act 2009, Public Records Act 2002, Defence Trade Controls Act 2012, Crime and Corruption Act 2001?
  2. Data breaches
    1. Has the provider given a sufficient commitment to data security?
    2. Can the provider protect data/information against unwelcome adverse access or retrieval by parties other than the University and authorised agents?
    3. Will the provider notify the University of security incidents?
  3. Data Integrity and availability
    1. Does the provider have mechanisms in place which prevents corruption or loss of data and guarantee both the integrity and availability of data/information?
    2. Can the provider quickly restore deleted data or information?
  4. Data Ownership
    1. Does the University retain legal ownership of the data or information?
    2. Does the University have the right to access, control, and delete data or information held in the cloud?
    3. Does the University have any control over subcontracting by the Cloud Computing provider?
  5. Public exposure
    1. What are the consequences if the data/information becomes publicly available?
  6. Failure of provider
    1. What are the consequences if the provider fails to deliver the service?
  7. University's risk appetite
    1. Will the consequence be within the University's risk appetite?

4 References


5 Schedule Information

Accountable Officer

Chief Information Officer

Responsible Officer

Chief Information Officer

Policy Type

University Procedure

Policy Suite

ICT Information Management and Security Policy

Approved Date


Effective Date


Review Date


Relevant Legislation

Copyright Act 1968 (Cwlth)

Crime and Corruption Act 2001

Defence Trade Controls Act 2012 (Cwlth)

Information Privacy Act 2009

Information Standard 18: Information Security

Information Standard 44: Information Asset Custodianship

Metadata Management Principles

Public Records Act 2002 (Qld)

Right to Information Act 2009 (Qld)

Policy Exceptions

Policy Exceptions Register

Related Policies

Administrative Access Scheme Policy

Business Continuity Policy

Contract Management Policy (under development)

Enterprise Architecture Policy

Enterprise Risk Management Policy

Intellectual Property Policy

Privacy Policy

Procurement Policy

Records and Information Management Policy

Right to Information Policy

Related Procedures

Administrative Access Scheme Procedure

Commercialisation of Intellectual Property Procedure

Information Asset and Security Classification Procedure

Intellectual Property Procedure

Records and Information Management Procedure

Right to Information Procedure

Related forms, publications and websites

A Guide to Implementing Cloud Services - Better Practice Guide

Cloud Computing Security Considerations

Negotiating the cloud - legal issues in cloud computing agreements

Privacy Impact Assessment

Privacy Threshold Assessment


Terms defined in the Definitions Dictionary


The term 'University' or 'UniSQ' means the University of Southern Queensland....moreThe term 'University' or 'UniSQ' means the University of Southern Queensland.

Definitions that relate to this schedule only

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


Record No


Complying with the law and observing Policy and Procedure is a condition of working and/or studying at the University.

* This file is available in Portable Document Format (PDF) which requires the use of Adobe Acrobat Reader. A free copy of Acrobat Reader may be obtained from Adobe. Users who are unable to access information in PDF should email to obtain this information in an alternative format.