Roles and responsibilities when using external cloud services
In order to use external cloud services at ETH, the following roles have been defined:
Role: Service intermediary
Service intermediaries procure external IT services (e.g., external cloud services) and are, in essence, responsible for contract management with the cloud provider.
Typically, service intermediaries are the central IT services and the IT support groups, but also professors who would like to provide a specific cloud service for the members of their group or for a neighbouring institute, as well as department heads or coordinators, unit or staff heads, etc.
Responsibilities
In the course of contract management, the service intermediary reviews the protection that the external cloud service offers for the ETH data to be relocated.
Based on this review, the service intermediary releases the external cloud service to ETH members for the intended use, i.e. publishes (via the CISO) the terms of use of the cloud service.
Role: Information owner
Information owners are responsible for the data that is collected and processed by them or on their behalf and essentially decide whether or not to outplace their data to external cloud services.
Nota bene: The decision to outplace ETH Zurich data is not the responsibility of the service intermediaries. They merely provide an external cloud service and release this cloud service for a specific purpose.
Responsibilities
Information owners assess whether an external cloud service released within ETH meets their protection requirements for their data. They assess the risk when outplacing their data to the designated cloud service.
They further check whether their data may be subject to export controls or whether a data protection impact assessment is necessary before the data is outplaced to the external cloud service.
Role: User
Users process data on behalf of the information owners.
Users are all members of ETH Zurich and third parties authorized to use ETH Zurich IT resources. Examples are guests, congress participants, affiliated organizations, library customers at the public workstations, employees of spin-off companies of ETH Zurich or other companies, provided that a corresponding contractual agreement exists, emeritus professors and retired employees.
Responsibilities
The use of external IT resources in support of day-to-day business (e.g., applications such as online translation services) that are not provided by ETH Zurich falls under the personal responsibility of the user. Confidential or strictly confidential data may not be processed with such services.
External cloud services managed by ETH may be used for internal and possibly confidential data if these services have been released for such data by the relevant service intermediaries and information owners. In case of doubt, the user may contact the information owner.
Role: Provider
Providers are the partners offering external cloud services and products. The IT resources required for this are located outside ETH Zurich and are usually not managed directly by ETH.
Responsibilities
Providers disclose the (safety-related) technical and legal framework applicable to the services offered. Providers comply with the contracts and agreements concluded with ETH, e.g., regarding information security and business continuity.