Body
Security Policy Goals [Link]
Statement of purpose
The advent of Cloud computing has created new and largely unsolved challenges for information security. As custodian of CCC’s critical data CCC is obligated to protect that data wherever it is stored. However, when data is stored in a Cloud system the controls and protections available may vary significantly from the controls and protections available to on-premises resources It is important to note that utilization of a cloud service provider does not absolve CCC from the responsibility to protect the data, even in the event of negligence or criminal activity perpetrated by the Cloud Service Provider. CCC must ensure that risks of using a Cloud vendor have been properly identified before engaging with the provider and that the identified risks are within the acceptable risk tolerance of CCC’s leadership. CCC shall also ensure that the appropriate information security controls (risk based) are documented and properly configured. CCC shall ensure that appropriate contracts are in place to protect CCC’s interests.
This policy seeks to ensure that the appropriate due diligence and controls are in place any time we enter into a relationship with a Cloud vendor.
Scope statement
This policy applies to all third-party Cloud relationships that CCC enters into, regardless of whether such relationships are through the central ITS department or directly by faculty and staff. Impacted personnel are all staff, faculty, and students, as well as vendors, affiliates, and any other external party that could engage with a third-party cloud service provider on behalf of CCC.
Cloud relationships include SaaS, IaaS, PaaS, and other Cloud-based product offerings – as well as Cloud storage services such as DropBox.
Policy summary
Clackamas Community College (CCC) shall not use Cloud services for controlled sensitive data unless a contractual agreement exists between CCC and the service provider that has been reviewed and approved by, Purchasing Manager, and CIO, thus protecting the security and confidentiality of data for which CCC is custodian.
This policy shall be subject to and superseded by applicable regulations and laws.
Policy
Cloud services
No unauthorized representative shall enter into a cloud service agreement on behalf of Clackamas Community College.
CCC Authorized Representative who enter into an agreement for a Cloud service shall:
- Ensure that contracts obligate the vendor to follow appropriate security standards for the data stored/processed/handled. Where necessary, contracts shall specify how compliance obligations (FERPA, PCI, etc.) are to be met.
- Evaluate the data ownership and ensure the data belongs to CCC or the student.
Ensure, when applicable, that there is a Non-disclosure Agreement (NDA) in place. Shared hosting environment
- All entity or customer data hosted on shared hosting environments shall be managed and protected in A manner appropriate to the data’s classification. If CCC managed entities are allowed to run their own applications, these application processes shall run using the unique ID of the entity provided by CCC. (For example: the account to be provided to the vendor by CCC).
- All scripts used by a CCC managed entity shall be created and run as ID provided by CCC.
- The user ID of application processes shall be granted only the privileges needed to complete the intended process.
- Each entity shall have read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, etc.).
- Data owners shall be responsible for determining if data is sharable by group. Entity’s users shall not have write access to shared system binaries.
- To ensure that each entity cannot monopolize server resources to exploit vulnerabilities (error, race and restart conditions resulting in, for example, buffer overflows), restrictions shall be in place for the use of system resources such as disk space, bandwidth, memory and CPU.
- Logs shall be available for review by the owning entity and the log locations must be clearly communicated to the owning entity.
- Viewing of log entries shall be restricted to the authorized entity.
- In the event of a compromise, a timely investigation of related servers shall be conducted according to the Incident Response Plan and Procedures.
SERVICE PROVIDER RISK ASSESSMENT
- There shall be a documented process for engaging service providers that includes proper due diligence prior to engagement.
- If controlled sensitive data is shared with service providers, then contractually the following shall be required:
- Initial risk assessment of the service provider prior to engaging, the level of detail dependent upon the risk of the relationship. This risk assessment may include NDA/confidentiality sign-offs, access controls, and background investigation reviews, as well as review of service provider formal risk assessment reports (Request for “Affiliate” Access to CCC Resources)
- An agreement that includes acknowledgement that the service provider is responsible for the security and privacy of CCC confidential (customer) data in the possession of the provider.
- Procedures in place for identifying security vulnerabilities.
- Management approval for all service provider contracts.
- Allowance for monitoring of compliance of security control requirements and identified reporting requirements for possible breaches and non-compliance situations.
- Maintain a list of service providers, along with contact information.
- Implement a monitoring program that assesses the service provider’s security posture on at least an annual basis and that provides overall risk assessment of the service provider relationship.
Exemptions
None.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation [Link]
Complaint procedures [Link]
Governing standards, policies, and guidelines [Link]
Definitions [Link]
Responsible executive
Chief Information Officer
Last revision date
7-13-2022 srw (Final Draft)