Cloud Storage and Application Policy

No. 10-7

Date Approved: 05-05-15

 

I. PURPOSE
 
Cloud storage and applications are valuable resources that allow university employees to store large amounts of information and perform collaborative tasks more effectively. However, there are risks that must be mitigated in order to properly secure the Data that is placed into and processed in the cloud. The purpose of this policy is to provide the framework within which University employees will be expected to operate for the storage and processing of Data in cloud environments.
 
II. SCOPE
 
This Policy and any of its supporting documents apply to all University faculty, staff, and anyone doing business with the university who has access to University Data. Information that is not Sensitive Information and that is used solely for classroom instruction purposes (e.g., lecture notes, videos, PowerPoint slides for classroom teaching) is not covered under this policy.
 
III. DEFINITIONS
 
Business Information – Any data created and/or managed by: 1) University Systems, and/or 2) University employees within the scope of the employees’ work responsibilities, not including information used solely for classroom instruction purposes.
 
Cloud Application – A computer program that has some characteristics of both a desktop application and a web application. It is able to access University Data from multiple sources. For example, a cloud application may access Data that is stored directly on a user’s computer or Data that is housed in cloud storage. A cloud application may also access Data from other University physical storage media, which may be located either on or off premises.
 
Cloud Storage – A model of networked online storage where Data is stored in virtualized storage pools generally hosted by third parties and in locations not owned by the university.
 
Data – Information stored in University computer systems or in cloud storage, or held as a physical copy, that is utilized for University purposes.
  
Sensitive Information – Any electronic or physical Data which, if compromised with respect to confidentiality, integrity, and/or availability, could violate the privacy to which individuals are entitled or could have an adverse effect on University interests or the conduct of university programs. Examples of such Data include, but are not limited to, the following: Data protected by the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), or other laws governing the use of Data, as well as Data that has been deemed by the university as requiring protective measures.
 
ISO – Information Security Office
 
University Systems – Computing devices and their related software created, owned, and/or licensed to the University that are used to store or process University data.
 
User – All persons and/or organizations that have access to University Data.
 
IV. REFERENCES
 
PPM 10-1, Information Security Policy
 
PPM 10-2, Acceptable Use Policy
 
20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA)
 
15 U.S.C. § 6801 (GLBA)
 
Utah Code Title 63G Chapter 2 (GRAMA)
 
42 U.S.C. § 1320d-6 (HIPAA)
 
V. POLICY
 
All Users who utilize cloud services for storage and/or processing of University Business Information and/or Sensitive Information must utilize only University approved and contracted cloud services for such activities. Anyone wishing to utilize services outside of the University approved solution(s) must submit a copy of the contract for such services to the Information Security Office for review prior to purchase. Users must also review the rights and permissions requested by a Cloud Application prior to installation to ensure they do not put University Data or systems at risk of being compromised. If the user is unsure of the level of risk associated with the rights or permissions requested, they must contact the ISO for further guidance. Additionally, cloud service users are required to comply with any additional requirements for the storage or processing of Sensitive Information prescribed in PPM 10-1, Information Security Policy, and PPM 10-2, Acceptable Use Policy.
 
HIPAA information may be stored in or processed with cloud services only where a Business Associate Agreement, signed by both the University and the cloud service provider, is in place.
 
VI. EXCEPTIONS
 
University employees who are unable to comply with this policy must file an exception. Exceptions to this policy must be approved by the ISO based on academic or business need and reviewed by the ISTF. The ISO will review exceptions annually for continued applicability and notify the exception holder of any concerns.