Pol-Cloud Computing and 3rd Party Vendor Services

policy policy Cloud Computing and 3rd Party Vendor Services third modified Fri Sep 17 2021 16:16:50 GMT-0400 (Eastern Daylight Time)

UofL Logo

University of Louisville

OFFICIAL
UNIVERSITY
ADMINISTRATIVE
POLICY

POLICY NAME

Cloud Computing and 3rd Party Vendor Services

EFFECTIVE DATE

November 17, 2014

POLICY NUMBER

ISO-023 v2.2

POLICY APPLICABILITY

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

REASON FOR POLICY

The purpose of this policy is to ensure that university sensitive data is appropriately and securely stored, accessed, or shared when using cloud computing and/or file sharing services or when using the services, software or hardware of third-party vendors and that sensitive data is appropriately protected from misuse or breach in compliance with applicable regulations, laws and university policy.

POLICY STATEMENT

This policy applies to persons using third party service to access, transmit, store or share university sensitive (confidential or proprietary) data. Any such use must maintain the ability to protect the confidentiality, integrity and availability of the data in compliance with applicable regulations, laws and university policy.

STANDARDS

Administrative Standards
 
Acquiring Cloud or Third Party Services
 
The University of Louisville contracts with and/or uses cloud and other third party services.  Use of these services require contractual provisions on use and protection of data. University faculty and staff must be very cautious when considering self-provisioned cloud services or enlisting other third parties to process, store, transmit, share or manage university data.  Many of these services are free and users must agree to the terms of the providers EULA (End User License Agreement).  These services may not meet federal, state or university compliance regulations and may be un-vetted environments with significant risks.  Users should review applicable data regulations and consult with the appropriate area within the university to ensure the data is allowed to be housed in a specified cloud environment or shared with such external parties.
 
Individuals within the university community may not self-provision cloud services or use non-sanctioned, personally acquired services to store, process, share or manage university sensitive (confidential or proprietary) data as defined by the Information Management and Classification Standard.
 
Security controls of third parties that will have access to or will be responsible for processing, transmitting, or storing university sensitive (confidential or proprietary) data must be reviewed. If your division, school, department, or office has a business need to acquire cloud or other third-party services it must consult with the appropriate university areas such as IT, counsel, purchasing, information security and privacy to evaluate controls, to identify risks and to ensure terms of service or contracts contain the required provisions.  A request for review of external services must be submitted via the Information Security Vendor Assessment Form.

Use of external services for university sensitive information requires the approval of the data owner as well as University Counsel and the Information Security Office.

Internal Resource Options

If data storage is required, secure enterprise solutions are the recommended resource. Contact Enterprise ITS if you have questions regarding the use of these resources.

Data Classification

An important factor to consider when storing, transferring or sharing data outside the university is data classification. All data falls into one of the following classifications. Data with mixed classification should abide by the highest classification. It is important to note that some data requires the vendor to enter in to a third party agreement or business associate agreement in the area of HIPAA controlled data. Data users are responsible for complying with appropriate data use requirements. Refer to the Information Management and Classification Standard (pdf) and the Information Classification and Handling Guide (pdf) for additional guidance. 

  • Sensitive - Confidential – Data whose unauthorized disclosure may result in a significant invasion of privacy, may expose the University to significant financial risk or result in negative impacts on the operations or reputation of the University. Data in any format collected, developed, maintained, or managed by or on behalf of the university, or within the scope of university activities that (1) would not be routinely published for unrestricted public access, (2) which was provided to the university by a third party under confidentiality obligation, or (3) where disclosure is prohibited by laws, regulations, contractual agreements or University policy. Examples include, but are not limited to laws/regulations such as HIPAA, FERPA, PCI-DSS, KRS 61.931-934 (HB5), GLBA financial data, or personal data such as medical records (ePHI), social security numbers, credit card numbers, driver licenses, financial information, non-directory student records, and regulated research or export controlled technical data.
  • Sensitive - Proprietary - Data whose loss or unauthorized disclosure would cause adverse financial or reputational impact or lead to legal liability or otherwise impede the educational or business functions of the university. Examples include, but are not limited to, unclassified research work or protocols, strategy documents, draft documents prior to public release, financial information and information that would impair the security of the university physical or information environments.
  • Public – Any data that does not fall in the other categories above, would be generally open to anyone without prior permission and would have no material adverse effect on the University community. Examples include but are not limited to advertisements, university catalogs, job postings, press releases.
DEFINITIONS

Cloud computing is a computing model that allows for easy, on-demand computing resources (networks, servers, storage, applications and services) that can be quickly provisioned and de-provisioned with minimal interaction and is accessible to users via the internet.  Cloud computing can be defined as the utilization of servers or information technology hosting of any type that is not controlled by the university.  Examples include: Dropbox, Google Drive/Docs, third party email providers such as Gmail and other products that have not been sanctioned by the university.

RESPONSIBILITIES

The Dean of each School or Administrative Division Head is responsible for the promotion of these security policies and standards.

Procedures for complying with these policies and standards, as well as any additional school or division policies, standards and procedures will be developed and maintained by the designee for each school, division, or other subsidiary unit.  All school or division policies, standards and procedures should be well documented, up-to-date and meet the minimum requirements established in this policy and accompanying standards. Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.

Policy Authority/Enforcement:  The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology Services, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Security Office
502-852-6692
isopol@louisville.edu

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
 
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
 
Approved November 17, 2014 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
 
Revision Date(s):
1.0 / November 17, 2014 / Original Publication
1.1 / February 3, 2015 / Addition of MS 365 to Cloud examples
1.2 / September 3, 2015 / Addition of Syncplicity
2.0 / March 3, 2016 / Modify format for new template
2.1 / June 16, 2017 / Content review/update to MS 365 reference due to migration and University use approval
2.2 / September 4, 2018 / Content review and modification to address all third party services and use of personally acquired services for university business
2.2/ September 17, 2021/ Content update for clarification and to reflect current technology, regulatory and university environment

Reviewed Date(s): March 3, 2016; June 16, 2017, September 24, 2018, September 17, 2021

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.