Frequently Asked Questions (FAQs)
Here are answers to some of the most common questions we receive. If you can’t find what you’re looking for, please do not hesitate to contact the NUS IT Cloud Policy team at NUSCloudPolicy@nus.edu.sg.
Local Software & Cloud-Like Features
No. If the software does not store or process University Data in the cloud, a cloud assessment is not required.
No. If all University Data stays on your computer or on NUS-managed local systems, a cloud assessment is not required.
Cloud Tools & Add-ons
No. As long as no University Data is involved, simply inform your University Unit Head (Data Steward) and keep a record of the correspondence for audit purposes.
No assessment is needed. Inform your University Unit Head (Data Steward) and keep a record of the correspondence for audit purposes.
Yes. If University Data will be uploaded, stored, or processed by a third-party service, a cloud assessment is required.
Partially. If the add-on does not store or process University Data in the cloud and all data is handled locally, a cloud assessment is not required. If any University Data is sent to or processed by external servers, a cloud assessment is required. To install the add-on, submit a request to NUS IT Care to enable its installation on your account.
Data Agreements & Purchased Data
If the agreement imposes obligations on the University, treat the data as University Data and submit a cloud assessment.
No, unless a data agreement or contract imposes obligations on the University regarding the data.
Treat it as University Data if there are contractual obligations. Submit a cloud assessment if necessary.
Vendor Applications & Cloud Hosting
Partially. A cloud assessment is not required for the NUS-owned customised application itself, but it is required for the cloud hosting platform.
Yes. Any subcontractors handling University Data require compliance with cloud assessment requirements. The System Owner should ensure contractual obligations and controls are implemented according to NUS IT standards, guidelines, and all applicable University policies.
Partially. If University Data is involved, a cloud assessment is still required for the cloud environment. Hosting on a private cloud does not exempt the service from assessment.
The System Owner is responsible for ensuring that University Data is protected, contractual obligations are met, and the cloud service is assessed according to NUS IT standards, guidelines, and all applicable University policies.
Each vendor handling University Data must be considered under the cloud assessment process. The System Owner should document responsibilities and ensure compliance for all vendors according to NUS IT standards, guidelines, and all applicable University policies.
No. University Data must not be uploaded, stored, or processed in the cloud before the assessment is approved.
Data Classification & Privacy Guidance
Start by consulting your University Unit’s Data Steward (Unit Head) or Data Manager for guidance on data classification specific to your project, in line with the NUS Data Management Policy. For further guidance:
Technical requirements: NUS IT Business Partner
Data privacy: ORMC DPO
Legal/contracts: OLA
Cloud policy and assessment: NUS IT Cloud Policy team
Consult your Unit Head or Data Steward. University Data generally includes all data created, collected, or managed as part of University activities, including research, student records, and administrative data. You can also refer to the NUS Data Management Policy.
A cloud assessment is not required for non-University data unless there is a data agreement or contract that imposes obligations on the University. In all cases, you should inform your Unit Head (Data Steward) and keep a record of the correspondence for audit purposes.
Yes. A cloud assessment is still required.
Compliance & Approvals
Submit a request to NUS IT Care with the add-on details. Ensure any University Data involved is compliant with cloud assessment requirements.
Yes. Any University Data processed or stored in the cloud requires a cloud assessment, even if the service has already been in use. Submit the assessment promptly and follow guidance from the NUS IT Cloud Policy team.
Cloud Re-assessment
A cloud service must be re-assessed in any of the following situations:
The classification of the data stored or processed by the cloud service has been upgraded to a higher sensitivity (e.g., from NUS Restricted to NUS Confidential).
There are significant changes to the cloud service, such as adding new modules, functionalities, or capturing additional data.
The cloud service provider changes their terms and conditions of service significantly.
Notwithstanding the above, if the cloud service is critical to the success of your project, the re-assessment shall be conducted every 2 years. As the System Owner, you are responsible to classify the business criticality of the cloud service and ensuring that re-assessment is duly conducted.
Yes. Significant changes to the application’s functionality, data collection, or processing will trigger a re-assessment.
Submit a new cloud assessment using the NUS Cloud Assessment application, and attach all required supporting documents. Note: Submitting a re-assessment follows the same process as submitting a new cloud assessment.
Cloud Security – Responsibilities & Guidance
The System Owner is responsible for ensuring the cloud service is configured securely, University Data is protected, and controls are implemented according to NUS IT standards, guidelines, and all applicable University policies.
System Owners must:
Maintain configuration and security settings of the cloud service.
For IaaS/PaaS: Apply patches and updates to mitigate vulnerabilities.
For SaaS: Ensure that the CSP’s patching and security updates are applied, and verify that configurations, access controls, and user permissions are correctly set.
Conduct regular checks to ensure the cloud service complies with NUS IT standards, guidelines, and all applicable University policies.
Report any security incidents or breaches to NUS IT immediately.
Yes. Cloud security is a shared responsibility. The CSP is responsible for securing the infrastructure (e.g., servers, networks), while the University (System Owner) is responsible for securing the data, accounts, access permissions, and configuration of services according to NUS IT standards, guidelines, and all applicable University policies. Please refer to Cloud Security Responsibilities and Guidance for more information.
Follow the published NUS IT Cloud Security Guidelines, regularly review the cloud service configuration, and ensure your team is aware of roles and responsibilities. Consult the NUS Cloud Assessment website for more information.
Cloud Signing-Up Information
No. Signing-up information provided by individual users during account creation is owned by the Cloud Service Provider (CSP) and is not included in the NUS cloud assessment process. Since users personally agree to the CSP’s terms of use and online privacy policies when signing up, this information is handled directly by the CSP.
If the department provides NUS email addresses to the CSP, you should indicate this in your cloud assessment submission. This ensures compliance and proper handling of NUS email addresses and other personal data, if any, including obtaining consent and permission from each user to share their information with the CSP and confirming that they agree to the CSP’s terms of use and online privacy policies.