Information Technology Policies

X-99.21(A)

UMB POLICY REGARDING CLOUD COMPUTING FOR CONFIDENTIAL OR REGULATED DATA

Information Technology   |   Approved July 1, 2015


Responsible VP/AVP

Peter J. Murray, PhD


Applies to Staff


Policy Statement

Vice President in Charge: Chief Information Officer and Vice President of Information Technology

           

I.          Purpose:

The purpose of this Policy is to set forth requirements with respect to outsourcing Confidential or Regulated Data to a cloud computing service provider. This Policy is adopted to comply with USM IT Security Standards, and any successor standards or policies of the University System of Maryland. 

II.        Definitions:

CIO: The Chief Information Officer and Vice President of Information Technology, or designee (e.g. the CISO)

CISO: The Chief Information Security Officer of UMB.

Cloud Security Alliance: The Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for securing cloud computing and provides information on the ability of cloud computing to secure other forms of computing.

Cloud Security Alliance Cloud Controls Matrix (CSA CCM): A code of practice adopted by the Cloud Security Alliance designed to provide fundamental security principles in assessing the overall security risk of a cloud provider.

Confidential or Regulated Data: as defined in the UMB Data Classification Policy.

Level 2 – Confidential - Critical data, systems, applications or services related to or supporting the commitment or management of UMB financials, student data, research, and those systems containing sensitive information (i.e. name, SSN or other combination or personal identifiers) which if compromised could be used to commit identity theft.

Level 3 – Regulated - Highest risk data, systems and applications or services that have externally mandated IT compliance requirements such as those containing information covered by HIPAA or PCI. Failure to comply with these externally mandated IT Security requirements would result in serious financial, legal and/or reputational harm to individuals and/or the University.

FedRAMP (Federal Risk and Authorization Management Program): A process to assess and authorize cloud computing products and services that was adopted by the U.S. Office of Management and Budget.

Meaningful Use: Objectives and measures established by the Centers for Medicare and Medicaid Services (CMS) with respect to certified Electronic Health Records (EHR).

ISO27001/2: Information security standards for an information security management system (ISMS), which is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

IT Administrator: The administrator or academic officer of a UMB unit or school who, as determined by the applicable vice president or dean, is responsible for management and oversight of the IT resources located in, or used by authorized users affiliated with, that unit or school.

SOC 2® Type 2 Report: An independent audit report by an accredited third-party certified public accounting firm in accordance with Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®), which is established by the American Institute of Certified Public Accountants (AICPA).

III.       Policy:

A.        Preliminary Assessment of Risk. Before outsourcing any Confidential or Regulated Data to a cloud service provider, the IT Administrator and CISO must assess the risks associated with the service, the need to ensure data integrity, and the level of accessibility that must be maintained. Confidential or Regulated Data may not be moved to the cloud if the IT Administrator and/or CIO regard the risk as too great to accept.

B.        Contract Life Cycle Activities. The following activities must be performed during the life cycle of the cloud computing service regarding Confidential or Regulated Data by the IT Administrator and CISO (in conjunction with the Department of Procurement Services and Office of University Counsel, if applicable):

1. Preliminary Activities:

a. Identify security, privacy, legal, and other organizational requirements for cloud services to meet, as a criterion for selecting a cloud provider. Include, if applicable, in an assessment/analysis document the requirements for recovery of Confidential or Regulated Data at the termination of the contract. 

b. Assess the risks associated with the third-party cloud service. Ensure that the cloud security provides comparable protection to a premises-based solution, including the need to ensure confidentiality, integrity, availability, security, and privacy.

c. Prior to contracting with a cloud service provider, obtain, review, and document control assessment reports. Examples of acceptable control assessment reports are set forth below.

2. Initiating Activities:

a. Ensure that all contractual requirements are explicitly recorded in the service agreement, including privacy and security provisions, and that they are agreed to by the cloud provider.

b. Involve the Department of Procurement Services and the Office of University Counsel in the review of the service agreement and in any negotiations about the terms of service.

3. Periodic Activities:

a. Review the control assessment reports that are submitted during the term of the contract.

b. Assess the performance of the cloud provider and the quality of the services in order to ensure that all contract obligations are being met, and in order to manage and mitigate risk.

c. Reassess the risk to ensure that the cloud solution continues to provide adequate protection to UMB’s Confidential or Regulated Data.

4. Concluding Activities:

a. Alert the cloud provider about any contractual requirements that must be observed upon termination, e.g. recovery of UMB’s data and software.

b. Revoke all physical and electronic access rights assigned to the cloud provider and recover physical tokens and badges in a timely manner.

C.        Cloud Service Provider Requirements. In order for Confidential or Regulated Data to be outsourced to a cloud service provider, the provider must satisfy either of the following requirements:

1. Certification. The cloud service provider must have received official certification issued by an independent and accredited certification body of successful completion of a formal audit process under any of the following:

  • FedRAMP;
  • Meaningful Use (if appropriate, e.g. regarding Regulated Data); or
  • ISO 27001/2.

Any certified service provider must agree by contract to maintain its certification during the term of the contract.

2. Control Assessment Reports. Prior to entering into the service agreement, the cloud provider must deliver a control assessment report, the substance of which must be acceptable to the IT Administrator and the CIO. Examples of acceptable control assessment reports include (but are not limited to):

  • SOC® 2 Type 2 Report
  • Cloud Security Alliance Cloud Controls Matrix

Relevant successor industry audits, reports, or standards relating to control policies, procedures, security, and availability will also be acceptable.    

The cloud provider must also agree by contract (a) to provide an annual control assessment report during the term of the contract, and (b) to maintain all controls, policies, procedures, security, and availability standards to satisfy the criteria upon which the control assessment report was based.

D.        Cloud Computing Contract Requirements. Any cloud computing contract regarding Confidential or Regulated Data must contain provisions that:

  1. Require recovery of UMB’s software and data upon termination of the contract.
  2. Provide remedies for non-compliance.
  3. Stipulate that the service provider is the owner or authorized user of its software and all of its components, and that the service provider’s software and all of its components (to the best of the service provider’s knowledge) do not violate any patent, trademark, trade secret, copyright or any other right of ownership of any other party.
  4. Stipulate that all UMB data and software remains the property of UMB. 
  5. Require the consent of UMB prior to sharing UMB data with any third parties. 
  6. Block the secondary use of UMB data.
  7. Manage the retention and destruction requirements related to UMB data.
  8. Require the service provider to establish and maintain industry standard technical and organizational measures to protect against:
    • Accidental damage to, or destruction, loss, or alteration of UMB’s data;
    • Unauthorized access to UMB’s data;
    • Unauthorized access to the services and UMB’s data; and
    • Industry known system attacks (e.g., hacker and virus attacks).
  9. Require the service provider to report to UMB any confirmed or suspected breach of UMB data
  10. Require the service provider to give notice to UMB of any government or third-party subpoena requests prior to the service provider answering a request.

Optional provision: If reasonably feasible, the contract should contain a provision that grants rights to UMB or an appointed audit firm to audit the service provider (and any sub-vendor or affiliate that processes, transports, or stores UMB data).

E.         Pre-Existing Cloud Computing Contracts. Any contract with a cloud service provider regarding Confidential or Regulated Data which is in effect as of the effective date of this Policy may not be renewed unless it satisfies the provisions of this Policy, including without limitation the Cloud Service Provider Requirements (Section III.C).

F.         No Other Cloud Computing Contracts Permitted. No UMB school, academic unit, faculty, staff, or student may agree to any cloud computing contract or license regarding Confidential or Regulated Data (whether by “click-through” license or otherwise), unless the provisions of this Policy are complied with. This applies, for example, to any website that requires a user to click to indicate acceptance of the site’s terms and conditions.

IV.       VIOLATIONS

Violations of this Policy may result in disciplinary action.

V.        WAIVERS

Any waiver from the requirements of this Policy may only be granted by the President or CIO.

Fill out my online form.