Cloud Oversight and Governance Policy
Information Technology Policies
Review Date: 03/11/2026
Purpose
The purpose of this policy is to outline the processes necessary for implementing a comprehensive Governance and Oversight program for cloud and third-party vendors, so that risk exposures are monitored and timely follow-up can be performed. This policy covers both the onboarding of new cloud and third-party vendor services and the monitoring of the vendor's Information Security and Privacy controls during the life of the contract.
Examples of third-party cloud technology services include:
- Cloud Services
- Software-as-a-Service (SaaS)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Network-as-a-Service (NaaS)
- Web Hosting
- Application Hosting
- Database Hosting
- Cloud Data Backup
- Offsite Cloud Storage
Procedure
CSU must assess, and take steps to mitigate, the risk of unauthorized access, use, disclosure, modification, or destruction of confidential institutional information. This policy applies only to third-party cloud technology service agreements where there is a potential for high risk to the institution. The Data Classification policy defines the criteria for the different categories of risk, including High.
In conjunction with CSU's software onboarding processes, the following activities shall be performed:
Onboarding of New Software including Cloud Services
Project Management: Oversees the process to onboard software, including assigning the functions that need to be done to complete the onboarding.
Information Security and Privacy Program Office: Will be requested by Project Management to assess the risks associated with third-party cloud services. CSU must ensure that the security of a vendor's cloud solution provides protection comparable to a premises-based solution, including confidentiality, integrity, availability, security, and privacy.
Annual Review Process for Vendor Oversight
CSU must annually review the most recent control assessment reports, as well as the provider's compliance with the IT security, privacy, and availability deliverables in the contract. CSU must also reassess the risk of the cloud solution to ensure that it continues to provide adequate protection to institutional information assets.
Any exception to this procedure requires the approval of the Vice President of Information Technology & Chief Information Officer or designated appointee.
Commensurate with the risk, request and, if available, obtain, review, and document control assessment reports performed by a recognized independent audit organization. Examples of acceptable control assessment reports include (but are not limited to):
- AICPA SOC 2 Type 2 report
- PCI DSS attestation of compliance
- ISO/IEC 27001 certification
- HECVAT
- FedRAMP
Contracts
The Information Security addendum should be included with all third-party contracts and signed by the vendor.
Third-party contracts should include the following as applicable:
- Requirements for recovery of institutional resources such as data, software, hardware, configurations, and licenses at the termination of the contract.
- Service level agreements including provisions for non-compliance.
- Provisions stipulating that the third-party service provider is the owner or authorized user of its software and all of its components, and that the software and all of its components, to the best of the third party's knowledge, do not violate any patent, trademark, trade secret, copyright, or any other ownership right of any other party.
- Provisions stipulating that all institutional data remains the property of the institution.
- Provisions that require the consent of the institution prior to sharing institutional data with any third parties.
- Provisions that prohibit the secondary use of institutional data.
- Provisions that manage the retention and destruction requirements related to institutional data.
- Provisions that require any vendor to disclose any subcontractors related to their services.
- Requirements to establish and maintain industry-standard technical and organizational measures to protect against:
  - accidental destruction, loss, alteration, or damage to the materials;
  - unauthorized access to confidential information;
  - unauthorized access to the services and materials; and
  - industry-known attacks (e.g., intrusion and malware).
- Requirements for reporting any confirmed or suspected breach of institutional data to the institution.
- Requirements that the institution be given notice of any government or third-party subpoena request before the contractor responds to it.
- The right of the Institution or an appointed audit firm to audit the vendor’s security related to the processing, transport, or storage of institutional data.
- Requirement that the Service Provider periodically make available a third-party review performed by a recognized independent audit organization.
- Requirement that the Service Provider provide evidence of its business continuity and disaster recovery capabilities to mitigate the impact of a realized risk.
- Requirement that the Service Provider ensure continuity of services in the event of the company being acquired or a change in management.
- Requirement that the contract does not contain the following provisions:
  - The unilateral right of the Service Provider to limit, suspend, or terminate the service (with or without notice and for any reason).
  - A disclaimer of liability for third-party actions.