Hello everyone!
 
We are in the process of putting a commercial cloud storage solution in place at Weber State University and I was wondering if any of you have put together policies concerning the use of cloud storage at your university that you could share.  Off the top of my head I can come up with several topics that would need to be addressed in such a policy (e.g. storage of sensitive information, personal files, security, administrative access, etc.).  How have you handled this with your cloud storage solutions?
 
Thanks,
Vern
 
 
Vern Morgan
IT Policy and Planning Administrator
Weber State University
 
Tel:  801-626-7201
********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Comments

Hi neighbor!    Our only cloud policy statement is a single line imbedded in our Information Security policy (#558) which is a local result of the Utah Board of Regents policy R345 "Information Technology Resource Policy" which we all live under here in Utah.

Our statement is:  "Offsite storage, processing or backup of PSI/CID must use service providers evaluated and approved by the responsible data steward in consultation with OIT. OIT is directed to publish standards that conform to this policy."

Of course, our published standards are in "idle draft" mode right now.


Bob Bayn              (435)797-2396           IT Security Team
Office of Information Technology,     Utah State University
    three common hazardous email scams to watch out for:
     1) "phishing" for your email password
     2) unfamiliar transaction report from familiar business
     3) attachment with no explanation in the message body

You might want to take a look at the NIST guidance that just came out this week.

 

http://www.govinfosecurity.com/nist-issues-long-awaited-cloud-guidance-a-4810

 

NIST Issues Long-Awaited Cloud Guidance

SP 800-146 Describes Cloud's Strengths, Weaknesses

NIST has published its long-awaited cloud computing guidance, Special Publication 800-146: Cloud Computing Synopsis and Recommendations, that addresses risk management and other security matters.

The National Institute of Standards and Technology says the new guidance explains cloud computing systems in plain language and provides recommendations for information technology decision makers, including chief information officers, information systems developers, system and network administrators, information system security officers and systems owners.

 

[...]



Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System

rginzberg@uwsa.edu
608-890-3961


From: "Vern Morgan" <vernmorgan@WEBER.EDU>
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Sent: Friday, June 1, 2012 11:12:02 AM
Subject: [POLICY-DISCUSSION] Cloud Storage Policy


Vern,

 

We typically require a strong contract with the vendor (a Business Associate Agreement, if protected health information may be involved), a security risk assessment, and approval by a data steward.

 

Chris Kidd

University of Utah

 

Interesting that the FierceGovernmentIT report notes sharing of resources is a top cloud storage concern: “For [infrastructure as a service] clouds, different VMs may share hardware via a hypervisor; for [platform as a service], different processes may share an operating system and supporting data and networking services; for [software as a service], different consumers may share the same application or database.”  I wonder how many of us are thinking about our cloud providers' sharing of resources?

Stephen Benedict JD C.P.M.
Director IT Procurement Services
University of California Office of the President
1111 Franklin St. #10207
Oakland, CA 94607
(510) 987 0880

Policy at Syracuse University requires the signature of the CIO for all computing contracts, so any contract for cloud storage would fall under that umbrella.  The contract review process includes an evaluation of the service provider (we ask them to complete a security questionnaire) as well as the contract terms and conditions, all dependent upon the nature of the data – confidential, enterprise, public.

June

June C Szymanski

Associate CIO / Information Technology and Services / Syracuse University

1-133 CST, Syracuse, NY  13244 T 315.443.5387 F 315.443.2775

jcszyman@syr.edu

For those wanting to learn more about cloud computing contracts, UCLA offers a useful course on this subject.  The next session will be held here in July.  For details see https://www.uclaextension.edu/r/Course.aspx?reg=y4094

 

====================================

 

Thomas Trappler, ASM

Director, UCLA Software Licensing

 

Email: trappler@oit.ucla.edu

Phone: 310-825-7516

Twitter: @ThomasTrappler

 

I have a draft policy that I can share off line if you'd like.
 
Thanks
 
Jim

 
James Pardonek, CISSP, CEH
Information Security Officer
Loyola University Chicago 
1032 W. Sheridan Road | Chicago, IL  60660

(773) 508-6086

Ours is exactly the same as Chris's, and the policies state that.

Theresa

If I may, there are excellent resources available in the Educause/I2 Information Security Guide that will help.  The Cloud resources are in the Hot Topics section.

Thanks,

Carol


Carol Myers, CISSP
Director College Technology
Paradise Valley Community College

Beginning June 25, 2012, my new email address will be carol.myers@paradisevalley.edu



Message from baptistam@macewan.ca

Vern
 
The Conference Board of Canada recently published a report on the Cloud. Although it reflects a Canadian context and is outside of post-secondary, often these reports provide some good points to consider. Please note: members receive the report for free, while the public price is $175.00 - membership is easy to attain.
 

Who's Afraid of the Cloud?
This report will spell out the benefits and risks of the cloud for smaller and midsize businesses, based on interviews with a group of chief information officers and experts in cloud technology and common privacy and security concerns.
 
 
 

 
 
Margo Baptista, BAdm, MA Leadership
Senior Manager Board Operations
MacEwan University
10700 104 Avenue
Edmonton, AB T5J 4S2
780-497-5402 phone
780-497-5405 fax
baptistam@macewan.ca

Please visit our websites:
www.macewan.ca
www.macewan.ca/boardofgovernors

Message from ellisj@mail.strose.edu

Just a heads-up. I joined the Conference Board of Canada, but when I tried to download the cloud document I got the following message:

The Conference Board of Canada is prohibited, by its licensing agreement with The Conference Board Inc. in New York from distributing this content to customers outside Canada. Contact the Conference Board Inc. at (1) 212 339-0345 to access this research report.

- John

John R. Ellis

Executive Director Information Technology Services

The College of Saint Rose

432 Western Avenue

Albany, New York 12203

518-454-5166

ellisj@strose.edu

www.strose.edu

ITS.strose.edu