Cloud Security Policy

February 28, 2022

Purpose

This policy describes secure practices for the use of cloud software and storage services by St. George’s University, University Support Services (collectively, Enterprise). It also highlights security risks introduced by storing non-public information (data) in the cloud and mandates the protection of data stored by Cloud Service Providers (CSPs) with appropriate technological controls.

Scope

This policy applies to all Enterprise data stored or processed by third-party cloud applications, and to all external cloud services, including cloud-based email and document storage.

Background

The Enterprise outsources certain technological services and data storage to third-party CSPs. IT Leadership must determine what kinds of data are appropriate for storing and sharing via cloud services, and how to protect that non-public information. Data classifications can be found in the Data Classification Policy.

Policy Statement

Governance
IT leadership must approve any deployment or use of cloud-based services for Enterprise systems or data. Enterprise is responsible for ensuring that proper security measures are enforced for any cloud storage service offered to faculty, staff, and students. IT Security must define a process for vetting vendors of cloud platforms. This process must involve an assessment of the security posture of any vendors whose cloud platforms will be housing Enterprise data, and the acquisition of contractual terms and conditions that commit those vendors to take reasonable steps to maintain control and protection of Enterprise data housed on their platforms. Additionally, the Office of Information Technology (IT) must have administrative access to all cloud applications.

Acceptable Use
All employees, faculty, staff, and students who utilize cloud services for data storage must do so in accordance with this policy and the Acceptable Use Policy. Enterprise data must only be stored in Enterprise-approved third-party cloud applications. Additional cloud solutions must be proposed through IT Security.

Related Documents