University of Arkansas at Little Rock
Policy Name: Cloud Services
Policy Number: LR 208.6
Effective Date: December 1, 2020
Revised Dates: May 1, 2019, September 15, 2020
Most Recent Review Date: September 15, 2020
Purpose
The purpose of this policy is to ensure that UA Little Rock Protected or UA Little Rock Sensitive data is appropriately stored or shared using public cloud computing and file-sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, UA Little Rock IT Services for services such as, but not limited to, social networking applications (i.e. blogs and wikis), file storage (i.e. Dropbox, Microsoft OneDrive, Google Drive), and content hosting (publishers textbook add-ons). A list of acceptable and unacceptable cloud services is listed in the appendix at the end of this policy.
Scope
This policy applies to all users accessing and using third-party services capable of storing or transmitting protected or sensitive electronic data that are owned or leased by UA Little Rock, all consultants or agents of UA Little Rock, and any parties who are contractually bound to handle data produced by UA Little Rock, and by University contractual agreements and obligations.
Definition of Terms
Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the University is legally or contractually required to protect. Sensitive data refers to any element of data that is uniquely or in aggregate protected by federal regulations (ex: HIPAA, FERPA), categorized as PII or PHI, or any other data that has been identified as business critical or business-sensitive data, such as financial records or intellectual property of UALR.
Policy
This policy endorses the use of cloud services for file storing and sharing 1) with vendors who can provide appropriate levels of protection and recovery for University information, and 2) with specific restrictions on the storage of University Protected Information.
While cloud storage of files can expedite collaboration and sharing of information anytime, anywhere, and with anyone, some guidelines should be in place for the kind and type of university information that is appropriate for storing and sharing using these services. Even with personal use, one should be aware of the level of protection available for your data using such a cloud service.
Federal and State laws and regulations place a premium on institutions’ ability to understand the risks of IT services and systems and make appropriate determinations about risk tolerance. Some cloud providers, for instance, might mine data for marketing purposes.
There are information security and data privacy concerns about the use of cloud computing services at the University. They include:
- University no longer protects or controls its data, leading to a loss of security, lessened security, or inability to comply with various regulations and data protection laws Loss of privacy of data, potentially due to aggregation with data from other cloud consumers.
- University dependency on a third party for critical infrastructure and data handling processes.
- Potential security and technological defects in the infrastructure provided by a cloud vendor.
- University has limited service level agreements for a vendor’s services and the third parties that a cloud vendor might contract with.
- University is reliant on vendor’s services for the security of some academic and administrative computing infrastructure.
General Data Protection Terms
The University requires data protection terms in a contract with a cloud-computing vendor. This creates a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.
The University should consider the following contract terms to ensure a minimum level of information security protection:
- Data transmission and encryption requirements
- Authentication and authorization mechanisms
- Intrusion detection and prevention mechanisms
- Logging and log review requirements
- Security scan and audit requirements
- Security training and awareness requirements
This section needs specific UA Little Rock policy on how each issue/item is to be handled by all UA Little Rock personnel/ units/ Departments and those affiliated with the institution.
Exit Strategy
Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. The University must determine how data would be recovered from the vendor.
Policy
Use of cloud computing resources must comply with all other University policies and procedures
Using a third-party cloud service to handle institutional data does not absolve users from the responsibility of ensuring that the data is securely and adequately managed.
Storing UA Little Rock protected and sensitive data on a cloud service is not allowed without approval from the CIO.
No contractual agreement may be entered into for cloud computing services without having been approved by the CIO.
For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the CIO.
Personal cloud services accounts may not be used for the storage, manipulation, or exchange of University-related communications or University-owned data.
Source: Board of Trustees Policy 285.1
Status: Active
Approved By: Christina Drale, Chancellor, 11/3/20
Originator: Vice Chancellor for Finance and Administration
Custodian: Information Technology Services