What security requirements apply to the use of cloud services and other third party services?

All uses of cloud services are subject to the CSU Cloud Storage and Services (ISO Domain 8: Asset Management Standard).

In order to use a third party service that stores or processes Level 1 Data or Level 2 Data:

 

What is the Cloud Procurement Standard and how does it apply to me?

In order to comply with CSU IT Security Policies, Sonoma State has implemented an Information Security standard to manage the risks of storing University data in the cloud.

Our goal is simply to mitigate risk and to protect student data. We are not focusing on a free phone “APP” is being used for instructional purposes, which does not contain confidential student data (level 1 or 2 data).

Cloud computing and storage is defined as the utilization of IT services provided by a 3rd party and NOT provided by servers in the local datacenter. Examples of cloud services include web-based email, web-based file storage, and other web-based services that are hosted by a vendor rather than being run locally on campus.

To protect the campus from liability, only Purchasing is authorized to enter into contracts with vendors. This includes "Click to Accept" contracts for free or trial services.

Please try to start the procurement process early because we must verify sufficient security and evaluate a vendor's practices and contract language, which can be time consuming. We recommend beginning the process 6 months before you need to use the service, if possible.

When the renewal comes due for a cloud service that was previously procured, the requester is asked to complete the Purchasing document called Department Usage Checklist. IT and Purchasing will perform the necessary compliance checks. Once reviewed, IT will then return the forms either approved or denied. If approved, the department will need to fill out an EREQ for Purchasing. If denied, IT will work with the department and Purchasing on alternatives.

Department trainings are available. Please contact Andru Luvisi at luvisi@sonoma.edu or Jenifer Barnett at jenifer.barnett@sonoma.edu.