Cloud Security Policy | St. George's University

Cloud Security Policy

August 3, 2018

Purpose

This policy describes secure practices for the use of cloud software and storage services by St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). It also highlights the security risks introduced by storing sensitive data in the cloud and mandates that data stored with Cloud Service Providers (CSPs) be protected with appropriate technological controls.

Scope

This policy applies to all Enterprise data stored or processed by third-party cloud applications, and to all external cloud services, including cloud-based email and document storage.

Background

The Enterprise outsources certain technological services and data storage to third-party CSPs. Cloud computing offers multiple advantages, but without adequate controls it also exposes the Enterprise to additional risks, such as data loss or unauthorized access to corporate networks. Because conventional security policies designed for other technologies do not always map well to the cloud environment, cloud services require additional consideration and analysis to ensure that security and control objectives are met. The Enterprise Security Division must determine what kinds of data are appropriate for storing and sharing via cloud services, and how that data must be protected. Those recommendations must be approved by the Cyber Security Committee.

Policy Statement

Classification
The Security Division must define which classifications of data may be stored in the cloud, and which technologies and controls must be enforced to protect data of each classification. Data types are classified in the Enterprise’s Data Classification Policy. Each class of data that has been deemed appropriate for cloud storage must be protected in accordance with the Enterprise’s Data Protection Policy. Determinations of what is acceptable for cloud storage must be reviewed periodically to account for a shifting risk landscape and for changes in the level of trust placed in the security of cloud vendors.

Governance
The Cyber Security Committee must approve any deployment or use of cloud-based services for Enterprise systems or data. The Enterprise is responsible for ensuring that proper security measures are enforced for any cloud storage service offered to faculty, staff, and students. The Security Division must define an official process for vetting vendors of cloud platforms. This process must include an assessment of the security posture of any vendor whose cloud platform will house Enterprise data, and must obtain contractual terms and conditions under which the vendor commits to taking reasonable steps to maintain control and protection of Enterprise data housed on its platform. Additionally, the Enterprise Office of Information Technology (IT) must have administrative access to all cloud applications.

Acceptable Use
All employees, faculty, staff, and students who use cloud services for data storage must do so in accordance with this policy and any supporting documentation. Before storing Enterprise data in the cloud, users must consult the Enterprise’s Data Classification Policy to determine whether that storage method is acceptable for the data in question. Enterprise data must be stored only in Enterprise-approved third-party cloud applications. Additional cloud solutions must be proposed through IT and approved by the Cyber Security Committee.

Related Documents