Common questions campus departments may have concerning procurement and management of "cloud" services:
- Having identified a service with attractive functionality, how do I find out whether there are similar services available or in use on campus?
- How do I determine if there is an existing contract in place with the supplier?
- How do I know if my intended use of a service is in compliance with University policies?
- Who is responsible for my data?
- Where do I find additional information about cloud services?
The distinction here is that just because there is a contract in place with a supplier doesn't mean that it is appropriate for all use cases.
An example is our Google agreement, which will meet the overwhelming majority of our needs in the e-mail/calendar space but is not HIPAA compliant, and as such is not a good fit for use cases where Protected Health Information is in play. For assistance with IT policy questions, contact email@example.com.
By engaging with a service provider, you have the responsibility as the Resource Proprietor for ensuring compliance with laws, regulations and policies, including standards (UC Business Finance Bulletin IS-2 and IS-3).
For example, if notice-triggering data is involved, the service (whether on or off campus) must meet the protective measures defined in the campus Minimum Security Standard for Electronic Information.
Information that is subject to state or federal regulations will have use and disclosure restrictions that must be maintained. Student records are protected by FERPA regulations. Medical records are protected by HIPAA, FERPA, and state laws.
The Resource Proprietor, in consultation with the Resource Custodian, is responsible for determining the level of risk (subject to law, regulation, and policy) and ensuring the implementation of appropriate security controls to address that risk. This puts responsibility for evaluation of the service's security controls (e.g., hardening, patching and monitoring) in the hands of the Resource Proprietor. Although not directly applicable to services outside of the campus network, the campus Minimum Security Standard for Networked Devices provides a useful set of baseline security requirements.
For evaluating cloud service providers that handle PL2 data on behalf of the University, the Information Security Office offers the Vendor Security Assessment Program (VSAP). The VSAP is intended to ensure that campus third-party service providers adhere to the same baseline level of security practices required for campus systems and applications that contain protected information and are managed and maintained by internal campus resources.
To request a VSAP evaluation for a PL2 system that is vendor managed, review the Details of the Vendor Security Assessment Program and then send an email request to firstname.lastname@example.org.
If there are particular services or types of services that you believe would add significant value, please contact David Willson (email@example.com).
For questions concerning IT policy, contact firstname.lastname@example.org.
For all other questions, contact email@example.com.