Hosted/Cloud Computing and Storage Standards
Date of Current Revision or Creation: December 1, 2020
The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to provide guidance in the use of hosted/cloud services. Hosted/cloud services are application and infrastructure resources, accessed via the Internet, that are offered freely by companies or contractually provided by commercial providers to support a wide range of administrative, academic and instructional activities.
Definitions
"Click-to-accept" agreements are licensing contracts established between a vendor and a customer without signatures.
Information Security Officer (ISO) - The University employee, appointed by the President or designee, who is responsible for developing and managing the University's information technology (IT) security program.
Institutional Data - Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited to email, electronic databases, electronic files, paper, audio, video and images.
Hosted/Cloud Services are those that are hosted at and accessed from the Internet instead of from University on-premises systems. Services include but are not limited to social networking, content hosting, blogs, wikis, office productivity tools (Google Apps, Hotmail, Evernote), file storage (Box.com, Office365 OneDrive), and on-demand computing resources (Amazon Web Services, Rackspace).
Non-University Hosted/Cloud Services are those hosted/cloud services that are not contracted with the University but are licensed via a contract established directly with the customer. The contract may be a click-to-accept agreement without signature.
University-Provisioned Hosted/Cloud Services are those hosted/cloud services that have been approved by the University with a University-signed contract and made available to the University as part of our supported IT infrastructure.
Users - Individuals and organizations that access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.
Standards Statement
University Provisioned Hosted/Cloud Services
These services are approved jointly by Procurement Services and Information Technology Services (ITS) for use. Such approval includes proper due diligence, including the completion of a risk review by ITS and the implementation of safeguards. The approval assumes on-going monitoring by the responsible unit and observance of the safeguards put in place.
The University may contract with vendors to deliver hosted/cloud-based applications and services for the benefit of campus users. Employees are not authorized to contract for hosted/cloud services, unless specifically approved to do so. Services may include "click-to-accept" agreements that have not been reviewed or approved by the University and may introduce security risks. By accepting such terms, the employee could be held personally liable.
Non-University Provisioned Hosted/Cloud Services
The use of non-University hosted/cloud services is prohibited whenever not in compliance with University Policy 3505 (Information Security) concerning confidential or restricted information, or with Policy 3700 (Records Management) concerning records retention.
University policies require the retention of information for operational and regulatory compliance needs. One such obligation is the duty to know what data is stored where and how it is preserved (e.g., backups). Not all hosted/cloud services provide adequate backups and, as such, are not suitable to host authoritative copies of institutional data. In addition, the University cannot guarantee technical and administrative access controls for data stored using hosted/cloud computing and may not have access to the data stored in the cloud or on a hosted site.
This is not intended to keep faculty from using hosted/cloud services for instructional and research purposes when it does not involve official University records or protected private information.
User Responsibilities
Any use of hosted/cloud resources must be in compliance with all other University policies and procedures. It is the responsibility of the employee using such services to ensure that the use is consistent with those policies.
Users are required to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use hosted/cloud services. All University and campus policies, procedures, and guidelines apply to any University data, whether the data is stored on University systems, on University Provisioned Hosted/Cloud Services, or on Non-University Hosted/Cloud Services.
Users should be aware that there is no right to privacy for data in a hosted/cloud service approved for University use. The University may access, view, scan or listen to any electronic record or communication in a hosted/cloud service that supports University business. In addition, the University may periodically scan contracted hosted/cloud services to identify sensitive University data.
Users are required to ensure that all records, whether instructional, administrative, or research, are retained according to the University Records Management Program.
Security Assistance
In the event the user is notified or becomes aware of a suspected or actual security breach involving University data, the user should immediately report it to the IT Security Office.
If the user is unsure whether or not a file or data is "safe" to be placed online, please contact the ITS Security Office. If a user is interested in having a particular hosted/cloud-based service reviewed, an email can be sent to itshelp@odu.edu listing the name of the service and the reasons for a review. ITS will work with the user to review the service.
Enforcement
Failure to comply may result in disciplinary actions consistent with University policies and applicable law.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 1424 Policy on Intellectual Property
- University Policy 3500 Use of Computing Resources
- University Policy 3504 Data Administration and Classification Policy
- University Policy 3505 Information Security Policy
- University Policy 3700 Records Management
- IT Standard 02.3.0 Data Administration and Classification Standard
- IT Standard 09.1.0 Acceptable Use Standard
- IT Standard 10.1.0 Disciplinary Action Standard
- IT Guideline Best Practices in Protecting University Data
- IT Guideline Data Administration and Classification Reference Table
- IT Guideline Cloud Computing Guidelines for Faculty and Staff
History
Date | Responsible Party | Action |
September 2013 | IT Policy Office | Created draft |
August 2015 | IT Policy Office | Revised draft based on new data classification standard |
January 2017 | ITAC | Reviewed and approved |
December 2020 | IT Policy Office | Reaffirmed |