Cloud Computing and 3rd Party Vendor Services

Last modified: Mon Oct 03 2022 15:18:39 GMT-0400 (Eastern Daylight Time)

University of Louisville

OFFICIAL UNIVERSITY ADMINISTRATIVE POLICY

POLICY NAME

Cloud Computing and 3rd Party Vendor Services

EFFECTIVE DATE

November 17, 2014

POLICY NUMBER

ISO-023 v2.2

POLICY APPLICABILITY

This policy applies to all University workforce, faculty, and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research, or study activity using University resources and includes all facilities, property, data, and equipment owned, leased, and/or maintained by the University or affiliates.

REASON FOR POLICY

The purpose of this policy is to ensure that university sensitive data is appropriately and securely stored, accessed, or shared when using cloud computing and/or file sharing services or when using the services, software or hardware of third-party vendors and that sensitive data is appropriately protected from misuse or breach in compliance with applicable regulations, laws and university policy.

POLICY STATEMENT

This policy applies to persons using third-party services to access, transmit, store or share university sensitive (confidential or proprietary) data. Any such use must maintain the ability to protect the confidentiality, integrity and availability of the data in compliance with applicable regulations, laws and university policy.

STANDARDS

Administrative Standards
 
Acquiring Cloud or Third Party Services
 
The University of Louisville contracts with and/or uses cloud and other third-party services. Use of these services requires contractual provisions on the use and protection of data. University faculty and staff must be very cautious when considering self-provisioned cloud services or enlisting other third parties to process, store, transmit, share or manage university data. Many of these services are free, and users must agree to the terms of the provider's EULA (End User License Agreement). These services may not meet federal, state or university compliance regulations and may be un-vetted environments with significant risks. Users should review applicable data regulations and consult with the appropriate area within the university to ensure the data is allowed to be housed in a specified cloud environment or shared with such external parties.
 
Individuals within the university community may not self-provision cloud services or use non-sanctioned, personally acquired services to store, process, share or manage university sensitive (confidential or proprietary) data as defined by the Information Management and Classification Standard.
 
Security controls of third parties that will have access to or will be responsible for processing, transmitting, or storing university sensitive (confidential or proprietary) data must be reviewed. If your division, school, department, or office has a business need to acquire cloud or other third-party services, it must consult with the appropriate university areas such as IT, counsel, purchasing, information security and privacy to evaluate controls, to identify risks and to ensure terms of service or contracts contain the required provisions. A request for review of external services must be submitted via the Information Security Vendor Assessment Form.

Use of external services for university sensitive information requires the approval of the data owner as well as University Counsel and the Information Security Office.

Internal Resource Options

If data storage is required, secure enterprise solutions are the recommended resource. Contact Enterprise ITS if you have questions regarding the use of these resources.

Data Classification

An important factor to consider when storing, transferring or sharing data outside the university is data classification. All data falls into one of the following classifications. Data with mixed classification should abide by the highest classification. It is important to note that some data, such as HIPAA-controlled data, requires the vendor to enter into a third-party agreement or business associate agreement. Data users are responsible for complying with appropriate data use requirements. Refer to the Information Management and Classification Standard (pdf) and the Information Classification and Handling Guide (pdf) for additional guidance.

  • Sensitive – Confidential – Data whose unauthorized disclosure may result in a significant invasion of privacy, may expose the University to significant financial risk or result in negative impacts on the operations or reputation of the University. Data in any format collected, developed, maintained, or managed by or on behalf of the university, or within the scope of university activities, that (1) would not be routinely published for unrestricted public access, (2) was provided to the university by a third party under a confidentiality obligation, or (3) where disclosure is prohibited by laws, regulations, contractual agreements or University policy. Examples include, but are not limited to, data covered by laws/regulations such as HIPAA, FERPA, PCI-DSS, KRS 61.931-934 (HB5), GLBA financial data, or personal data such as medical records (ePHI), social security numbers, credit card numbers, driver licenses, financial information, non-directory student records, and regulated research or export controlled technical data.
  • Sensitive – Proprietary – Data whose loss or unauthorized disclosure would cause adverse financial or reputational impact or lead to legal liability or otherwise impede the educational or business functions of the university. Examples include, but are not limited to, unclassified research work or protocols, strategy documents, draft documents prior to public release, financial information and information that would impair the security of the university physical or information environments.
  • Public – Any data that does not fall in the other categories above, would be generally open to anyone without prior permission and would have no material adverse effect on the University community. Examples include, but are not limited to, advertisements, university catalogs, job postings, press releases.

DEFINITIONS

Cloud computing is a computing model that allows for easy, on-demand computing resources (networks, servers, storage, applications and services) that can be quickly provisioned and de-provisioned with minimal interaction and is accessible to users via the internet. Cloud computing can be defined as the utilization of servers or information technology hosting of any type that is not controlled by the university. Examples include: Dropbox, Google Drive/Docs, third party email providers such as Gmail and other products that have not been sanctioned by the university.

RESPONSIBILITIES

The Dean of each School or Administrative Division Head is responsible for the promotion of these security policies and standards.

Procedures for complying with these policies and standards, as well as any additional school or division policies, standards and procedures, will be developed and maintained by the designee for each school, division, or other subsidiary unit. All school or division policies, standards and procedures should be well documented, up-to-date and meet the minimum requirements established in this policy and accompanying standards. Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology Services, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Security Compliance Office
502-852-6692
isopol@louisville.edu

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
 
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
 
Approved November 17, 2014 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
 
Revision Date(s):

1.0 / November 17, 2014 / Original Publication

1.1 / February 3, 2015 / Addition of MS 365 to Cloud examples

1.2 / September 3, 2015 / Addition of Syncplicity

2.0 / March 3, 2016 / Modify format for new template

2.1 / June 16, 2017 / Content review/update to MS 365 reference due to migration and University use approval

2.2 / September 4, 2018 / Content review and modification to address all third party services and use of personally acquired services for university business

2.2 / September 17, 2021 / Content update for clarification and to reflect current technology, regulatory and university environment

2.2 / June 23, 2022 / Minor edit

Reviewed Date(s): March 3, 2016; June 16, 2017; September 24, 2018; September 17, 2021; June 23, 2022

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.