Statement and Purpose




Cloud computing, sometimes referred to as the “cloud”, Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS), is comprised of internet-based information technology services which provide for the gathering, storing, processing, or sharing of information. Cloud computing offers a number of advantages including low costs, high performance and quick delivery of services. Many cloud services, such as those offered by Amazon, Apple, DropBox, or Google, may be free to end-users. For the general user who wants a convenient, Internet-based solution for storing or sharing information, cloud computing may provide a reasonable option. However, without adequate controls, it also exposes individuals and the University to online risks such as data loss or theft, unauthorized access to systems/data, loss of business continuity, or running afoul of regulatory compliance.

This policy is meant to ensure that cloud services are NOT used without proper legal review by the Office of Risk Management (ORM) and validation by Computer and Information Systems (CIS). It is imperative that University faculty and staff not purchase or use cloud services accounts or enter into cloud service contracts for storing data or for the exchange of University-related communications or Institutional Data without a review of risk and compliance and alignment with the University's technology strategy.


Note

The Gramm-Leach-Bliley Act (GLBA) holds SPU responsible for contractually ensuring regulatory compliance with any service provider handling Regulated Data.


Entities Affected By This Policy

All University faculty and staff.

Policy Scope

This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded. If you are not sure whether a service is cloud-based or not, please contact CIS.



Policy Version: 1.0

Responsible Office: Computer and Information Systems
Responsible Executive: AVP for Information Technology

Effective Date: July 1, 2019
Last Updated: October 1, 2021



Use of Cloud Computing Services


CIS remains committed to enabling employees to do their jobs as efficiently as possible through the use of technology. Cloud computing services are often preferred to University hosted information technology systems. The following guidelines are intended to establish a process whereby University employees can use cloud services without jeopardizing Institutional Data and computing resources.

While cloud computing services, especially free ones, may mention computer security and confidentiality standards, they tend not to guarantee that the data you place there will be secure or treated confidentially in order to shield themselves from liability should your data be misused, stolen, or otherwise inappropriately accessed.

Note

The AVP for Information Technology is responsible for securing Institutional Data and controls what data may or may not be safely stored by a cloud service provider.

  • Access Controls
    Access controls for any service must either tie into the University's authentication services or the client department must have documented practices to manage access, permissions, and employee transitions. See NIST 800-171 section 3.1 for access control compliance requirements.
  • Contracts and Terms of Services Review
    For any cloud services that require users to agree to terms of service, such agreements must be reviewed by ORM and approved by CIS in accordance with the Enterprise Software Acquisition policy.
  • University Technology Policy
    The use of such services must comply with the existing Computer Acceptable Use Policy and Institutional Data Policy. Employees may not share log-in credentials with co-workers. See Password Policies and Guidelines.
  • Business Continuity / Administrative Access
    CIS requires an administrative credential for all cloud services to be stored by CIS in a centrally managed and encrypted password vault for business continuity purposes.
  • Regulatory Compliance
    The use of such services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data, or any other data owned or collected by the University.
  • Personal Cloud Services
    Employees may not use personal cloud services for the storage, manipulation, or exchange of University-related communications or Institutional Data.

  • Security
    Use of cloud computing services for work purposes must be formally authorized by CIS, who, in partnership with ORM, will certify that security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor.


Note

Do not confuse personal cloud services such as OneDrive with approved cloud services such as OneDrive for Business, which is protected by enterprise grade security and is under signed contract with the University.


Protecting Sensitive and Regulated Data


Confidential Data and Institutional Data must not be stored, shared, or otherwise processed by a cloud computing service, unless the University enters into a legally binding agreement with Seattle Pacific University to protect and manage the data according to standards and procedures approved by the University and in accordance with the regulatory environment governing University operations.

Should you ever need to store or share Institutional Data in a manner not currently provided within the University's approved and secured computing environment (see the Regulated Data Chart), please contact CIS, who will work with you to identify and provide a solution that meets your needs.

Related Policies and Procedures