Roane State Community College
> RSCC Policy GA-18-11; Cloud Computing
RSCC Policy GA-18-11; Cloud Computing
Roane State Community College
Policy Number: GA-18-11
Subject: Cloud Computing
This policy outlines best practices and approval processes for using cloud-computing services to support the processing, sharing, storage, and management of institutional data.
- Cloud computing offers a number of advantages including low costs, high performance and quick delivery of services. However, without adequate controls, it also exposes individuals and organizations to online threats such as data loss or theft, unauthorized access to corporate networks, and so on.
- Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, communication; collaboration; project management; scheduling; and data analysis, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use, they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smart phones), and they may be able to accommodate spikes in demand much more readily and efficiently than in-house computing services.
- This cloud computing policy is to ensure that cloud services are NOT used without the Chief Information Officer’s (CIO) knowledge. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without the CIO’s input. This is necessary to protect the integrity and confidentiality of Roane State Community College data and the security of the corporate network.
- Roane State Community College’s IT department remains committed to enabling employees to do their jobs as efficiently as possible with technology. The following guidelines are intended to establish a process whereby Roane State employees can use cloud services without jeopardizing company data and computing resources.
- This policy applies to all employees in all departments of Roane State Community College, no exceptions.
- This policy concerns cloud computing resources that provide services, platforms, and infrastructure that provide support for a wide range of activities involving the processing, exchange, storage, or management of institutional data. This policy does not cover the use of social media services. This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded. If you are not sure whether a service is cloud-based or not, please contact the IT department.
- Cloud Computing – The delivery of computing services over a proprietary network or the internet. Services include infrastructure services, development platforms and software applications.
- Infrastructure-as-a-Service (IaaS) – Vendor provides computing resources such as servers (both physical and virtual), storage, networking components and other hardware such as firewalls or load balancers. The provider is responsible for the operating system and hardware while the customer is responsible for the application or software running on the service. Examples: RackSpace, Amazon, IBM, HP.
- Platform-as-a-Service (PaaS) – Vendor provides an environment where the customer or developer can build and deliver web-based services over the Internet. Examples: Microsoft Azure, Bungee Labs, Google App Engine.
- Software-as-a-Service (SaaS) – Vendor hosts software applications and the data for the customer. No part of the software resides on the user’s computer. Examples: SalesForce, NetSuite, Google Apps, Office 365, Gmail, Hotmail, Yahoo.
- The CIO must formally authorize use of cloud computing services for work purposes. The CIO will certify the cloud-computing vendor will adequately address that security, privacy and all other IT management requirements.
- For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the CIO.
The use of such services must comply with Roane State Community College’s existing Acceptable Use Policy/Computer Usage Policy/Internet Usage Policy/BYOD Policy (Access the complete detailed RSCC Policy GA-18-08, Data and Personally Identifiable Information Security, at www.roanestate.edu/policies/.)
- Employees must not share log-in credentials with co-workers. The IT department will keep a confidential document containing account information for business continuity purposes.
- The use of such services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by Roane State Community College.
- The CIO in conjunction with the Data Stewards will decide what data may or may not be stored in the Cloud.
- Personal cloud service accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data.
- Cloud Services
|Approved Cloud Services
||Unapproved Cloud Services
|RSCC Office 365
|ExaVault (Secure File Sharing)
||Amazon Cloud Drive
|Azure (as part of MEP/Shared Services)
When using one of the approved cloud services for institutional information, use it only for institutional information classified as shown below. Pay special attention to access levels when sharing files and folders with other collaborators to ensure that data is not inappropriately shared. You may not use your personal cloud services account to collect, process, or store data covered by laws such as HIPAA, FERPA, FISMA, and GLBA.
- Data Classification
|Regulated Institutional Data
||All Institutional data that is governed by privacy or information protection mandates required by law, regulation, contract, binding agreement, or industry requirements.
Cannot use self-provisioned cloud services to store, process, share, or otherwise manage regulated institutional data without working with TTS Contract and Licensing Services to develop the appropriate contractual safeguards.
Can only use a contractually (locally or centrally) provisioned cloud service once you have confirmed with your Data Owner and CIO that the service is appropriate for confidential institutional data. Not all centrally and locally provisioned services are designed to handle regulated data.
|Confidential Institutional Data
||Institutional data that is meant for a very limited distribution—available only to members of the Roane State community on a strictly need-to-know basis.
Should not use self-provisioned cloud services to store, process, share, or otherwise manage confidential institutional data without ensuring that a service’s safeguards are appropriate for confidential institutional data.
Should only use a centrally or locally provisioned cloud service once you have confirmed with your Information Steward that the service is appropriate for confidential institutional data. Not all contractually provisioned services are designed to handle confidential data.
|Administrative Institutional Data
||Institutional data that is meant for a limited distribution; available only to members of the Roane State community that need the institutional data to support their work. This institutional data derives its value for Roane State, in part, from not being publically disclosed.
Should not use self-provisioned cloud services to store, process, share, or otherwise manage administrative institutional data without ensuring that a service’s safeguards are appropriate for administrative institutional data.
Should only use a centrally or locally provisioned cloud service once you have confirmed with your Information Steward that the service is appropriate for administrative institutional data. Not all contractually provisioned services are designed to handle administrative data.
|Public Institutional Data
||Institutional data that is meant for members of the Roane State community and in some cases wide and open distribution to the public at large. This institutional data does not contain confidential information.
May use self-provisioned cloud services to store or manage public institutional data with caution. Should ensure that using these cloud services does not violate any licensing agreements.
May use contractually provisioned cloud services to store or manage public institutional data.
- Responsible Party
The Assistant Vice President for Information Technology is responsible for the development and maintenance of this policy for issuance by the Vice President of Business and Finance.
Original Date Effective: 06/26/2017
Original Approval By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
© Roane State Community College
Roane State Community College is a TBR and AA/EEO employer and does not discriminate against students, employees, or applicants for admission or employment on the basis of race, color, religion, creed, national origin, sex, sexual orientation, gender identity/expression, disability, age, status as a protected veteran, genetic information, or any other legally protected class with respect to all employment, programs and activities sponsored by Roane State. View full non-discrimination policy.
Report Fraud, Waste and Abuse
Digital Millennium Copyright Act of 1998