Information Technology Standard 02.8.0

Hosted/Cloud Computing and Storage Standards


Date of Current Revision or Creation: December 1, 2020


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, and applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to provide guidance in the use of hosted/cloud services. Hosted/cloud services are application and infrastructure resources, accessed via the Internet, that are made freely available by companies or contractually provided by commercial providers to support a wide range of administrative, academic and instructional activities.

Definitions

"Click-to-accept" agreements are licensing contracts established between a vendor and a customer without signatures.

Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.

Institutional Data - Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited to email, electronic databases, electronic files, paper, audio, video and images.

Hosted/Cloud Services are those that are hosted at and accessed from the Internet instead of from ODU on-premises systems. Services include but are not limited to social networking, content hosting, blogs, wikis, office productivity tools (Google Apps, Hotmail, Evernote), file storage (Box.com, Office365 OneDrive), and on-demand computing resources (Amazon Web Services, Rackspace).

Non-ODU Hosted/Cloud Services are those hosted/cloud services that are not contracted with the University but are licensed via a contract established directly with the customer. The contract may be a click-to-accept agreement without signature.

ODU-Provisioned Hosted/Cloud Services are those hosted/cloud services that have been approved by the University with a University-signed contract and made available to ODU as part of our supported IT infrastructure.

Users - Individuals and organizations that access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.

Standards Statement

ODU Provisioned Hosted/Cloud Services

These services are approved jointly by Procurement Services and Information Technology Services (ITS) for use. Such approval includes proper due diligence, including the completion of a risk review by ITS and the implementation of safeguards. The approval assumes on-going monitoring by the responsible unit and observance of the safeguards put in place.

The University may contract with vendors to deliver hosted/cloud-based applications and services for the benefit of campus users. Employees are not authorized to contract for hosted/cloud services, unless specifically approved to do so. Services may include "click-to-accept" agreements that have not been reviewed or approved by the University and may introduce security risks. By accepting such terms, the employee could be held personally liable.

Non-ODU Provisioned Hosted/Cloud Services

The use of non-ODU hosted/cloud services is prohibited whenever not in compliance with ODU University Policy 3505 (Information Security) concerning confidential or restricted information, or with Policy 3700 (Records Management) concerning records retention.

University policies require the retention of information for operational and regulatory compliance needs. One such obligation is the duty to know what data is stored where and how it is preserved (e.g., backups). Not all hosted/cloud services provide adequate backups and, as such, are not suitable to host authoritative copies of institutional data. In addition, ODU cannot guarantee technical and administrative access controls for data stored using hosted/cloud computing and may not have access to the data stored in the cloud or on a hosted site.

This is not intended to keep faculty from using hosted/cloud services for instructional and research purposes when it does not involve official University records or protected private information.

User Responsibilities

Any use of hosted/cloud resources must be in compliance with all other University policies and procedures. It is the responsibility of the employee using such services to ensure that the use is consistent with those policies.

Users are required to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use hosted/cloud services. All University and campus policies, procedures, and guidelines apply to any University data, whether the data is stored on University systems, on ODU Provisioned Hosted/Cloud Services, or on Non-ODU Hosted/Cloud Services.

Users should be aware that there is no right to privacy for data in a hosted/cloud service approved for University use. The University may access, view, scan or listen to any electronic record or communication in a hosted/cloud service that supports University business. In addition, the University may periodically scan contracted hosted/cloud services to identify sensitive University data.

Users are required to ensure that all records, whether instructional, administrative, or research, are retained according to the ODU Records Management Program.

Security Assistance

In the event the user is notified or becomes aware of a suspected or actual security breach involving ODU data, the user should immediately report it to the IT Security Office.

If the user is unsure whether or not a file or data is "safe" to be placed online, please contact the ITS Security Office. If a user is interested in having a particular hosted/cloud-based service reviewed, an email can be sent to itshelp@odu.edu listing the name of the service and the reasons for a review. ITS will work with the user to review the service.

Enforcement

Failure to comply may result in disciplinary actions consistent with University policies and applicable law.

Procedures, Guidelines & Other Related Information

History

Date             Responsible Party   Action
September 2013   IT Policy Office    Created draft
August 2015      IT Policy Office    Revised draft based on new data classification standard
January 2017     ITAC                Reviewed and approved
December 2020    IT Policy Office    Reaffirmed