What security requirements apply to the use of cloud services and other third party services?
All uses of cloud services are subject to the CSU Cloud Storage and Services (ISO Domain 8: Asset Management Standard).
In order to use a third party service that stores or processes Level 1 Data or Level 2 Data:
- You must receive approval from the Data Owner or Data Authority, whose role is defined in Section 7.1 of the SSU Information Security Management Program, in order to store or process the data using the third party service.
- There must be a contract in place through Purchasing (even if the service is free) that includes the appropriate IT Supplemental Provisions.
- The service, and your use of the service, must comply with the CSU ISO Domain 15: Supplier Relationships Standard.
- If this third party service is a cloud service then it must comply with the CSU Cloud Storage and Services (ISO Domain 8: Asset Management Standard).
- The process described in the SSU Cloud Procurement Standard must be followed for the purchase of the service.
What is the Cloud Procurement Standard and how does it apply to me?
In order to comply with CSU IT Security Policies, Sonoma State has implemented an Information Security standard to manage the risks of storing University data in the cloud.
Our goal is simply to mitigate risk and protect student data. The standard is not aimed at, for example, a free phone app used for instructional purposes that does not store or process confidential student data (Level 1 or Level 2 Data).
Cloud computing and storage are defined as the use of IT services provided by a third party rather than by servers in the local campus data center. Examples of cloud services include web-based email, web-based file storage, and other web-based services that are hosted by a vendor rather than run locally on campus.
To protect the campus from liability, only Purchasing is authorized to enter into contracts with vendors. This includes "Click to Accept" contracts for free or trial services.
Please start the procurement process early. Before a service can be approved, we must verify that its security is sufficient and evaluate the vendor's practices and contract language, which can be time consuming. We recommend beginning the process 6 months before you need to use the service, if possible.
When the renewal comes due for a cloud service that was previously procured, the requester is asked to complete the Purchasing document called the Department Usage Checklist. IT and Purchasing will perform the necessary compliance checks and IT will return the forms as either approved or denied. If approved, the department will need to submit an EREQ to Purchasing. If denied, IT will work with the department and Purchasing on alternatives.
Department trainings are available. Please contact Evan Ferguson at evan.ferguson@sonoma.edu or Jenifer Barnett at jenifer.barnett@sonoma.edu.