ITS Security Policy 115 - Cloud and Infrastructure Services

Summary

This policy outlines Clackamas Community College’s requirements for cloud service usage, ensuring data security through risk assessments, contractual agreements, and compliance monitoring. It establishes guidelines for cloud service agreements, shared hosting environments, and vendor risk assessments to protect sensitive data.

Body

Status: TDX Submitted Draft
Last Revision Date: 13 July 2022

Statement of Purpose

The advent of cloud computing has introduced new and largely unresolved challenges for information security. As the custodian of Clackamas Community College’s critical data, the college is obligated to protect that data wherever it is stored. However, when data is stored in a cloud system, the controls and protections available may vary significantly from those applied to on-premises resources.

It is important to note that utilizing a cloud service provider does not absolve Clackamas Community College of its responsibility to protect the data, even in cases of negligence or criminal activity by the provider. The college must ensure that risks associated with using a cloud vendor are properly identified before engagement and that these risks align with the institution’s acceptable risk tolerance. Furthermore, Clackamas Community College must ensure that appropriate information security controls (risk-based) are documented and properly configured. Contracts must also be in place to protect the institution’s interests.

This policy ensures that appropriate due diligence and controls are in place whenever a relationship with a cloud vendor is established.

Policy Summary

Clackamas Community College shall not use cloud services for controlled sensitive data unless a contractual agreement exists between the college and the service provider. This agreement must be reviewed and approved by the Purchasing Manager and the Chief Information Officer (CIO) to safeguard the security and confidentiality of the data.

Policy

Cloud Services

  1. No unauthorized representative shall enter into a cloud service agreement on behalf of Clackamas Community College.

  2. Clackamas Community College Authorized Representatives who enter into an agreement for a cloud service shall:

    • Ensure that contracts obligate the vendor to adhere to appropriate security standards for data storage, processing, and handling. Contracts must specify compliance obligations (FERPA, PCI, etc.) where necessary.

    • Evaluate data ownership and ensure that data belongs to Clackamas Community College or the student.

    • Ensure that a Non-Disclosure Agreement (NDA) is in place when applicable.

Shared Hosting Environment

  1. All entity or customer data hosted on shared hosting environments shall be managed and protected according to its classification. If Clackamas Community College-managed entities are permitted to run their own applications, these applications shall run under a unique ID provided by the college.

  2. All scripts used by Clackamas Community College-managed entities must be created and executed under the ID provided by the college.

  3. The user ID of application processes shall only have the privileges necessary to perform its intended function.

  4. Each entity shall have read, write, or execute permissions only for files and directories it owns or for necessary system files, as restricted through file system permissions and access control lists.

  5. Data owners are responsible for determining if their data is sharable by group. Users within an entity shall not have write access to shared system binaries.

  6. To prevent entities from monopolizing server resources and exploiting vulnerabilities, restrictions shall be in place for system resource usage, including disk space, bandwidth, memory, and CPU.

  7. Logs must be available for review by the owning entity, with log locations clearly communicated.

  8. Viewing of log entries shall be restricted to authorized entities only.

  9. In the event of a compromise, an investigation shall be conducted promptly in accordance with the Incident Response Plan and Procedures.

Service Provider Risk Assessment

  1. A documented process for engaging service providers must include proper due diligence before engagement.

  2. If controlled sensitive data is shared with service providers, contracts must include:

    • An initial risk assessment of the service provider before engagement, with the level of detail based on the risk involved. This assessment may include NDA/confidentiality sign-offs, access controls, background investigations, and reviews of the provider's formal risk assessment reports (Request for “Affiliate” Access to Clackamas Community College Resources).

    • An agreement acknowledging the service provider’s responsibility for the security and privacy of Clackamas Community College’s confidential data in its possession.

    • Procedures for identifying security vulnerabilities.

    • Management approval for all service provider contracts.

    • Provisions allowing for compliance monitoring and breach reporting requirements.

    • Maintenance of a list of service providers, including contact information.

    • A monitoring program assessing the service provider’s security posture at least annually, providing an overall risk assessment of the provider relationship.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Details

Details

Article ID: 144654
Created
Wed 6/29/22 5:20 PM
Modified
Fri 3/7/25 11:55 AM