Campus Computing News


Legal and Compliance Issues Around Cloud Computing Services at UNT 

By Charlotte Russell, Senior Director, Management and Risk Services, Chief Information Security Officer and Dr. Philip Baczewski, Senior Director of Academic Computing and User Services and Deputy Chief Information Officer for University Information Technology

Cloud Computing Services are becoming more accessible and are very convenient since they often provide "free" amounts of storage or other services with no direct charge. However, as discussed in last month's issue of Benchmarks Online, users of these services should employ caution regarding what kinds of information they commit to cloud services. In most cases, no University data should be stored on cloud services without the appropriate vendor agreements in place that provide for safeguarding UNT data and information. 

Legal Issues

Recently, representatives from the Office of General Counsel, IT Compliance, and Information Security met to review language in Texas Administrative Code (TAC), Chapter 202, which governs information security standards for higher education. After a review of the language in the code, all offices agreed that rules regarding data protection apply to third parties, i.e., vendors and cloud computing services. Vendors must adhere to state standards regarding encryption of confidential data, application of non-disclosure agreements, and adherence to University-imposed standards. Examples of applicable services include those offered by Dropbox, Google Docs, and other services that provide data storage or offer management of information. University units are required to ensure that vendors agree, in writing, to these protection standards.

In addition, UNT Purchasing Policy 4.0 imposes restrictions on acceptance of contractual terms and similar types of "acceptable use", "terms of use", or "click-through" agreements. Only authorized agents of the University are permitted to obligate the University to contractual terms. Users are not authorized to use personal accounts on third-party services for University business.

State of Texas information security standards and University policies governing data protection are numerous; however, the following are applicable to this particular issue:

TAC 202.75 (2)(B): 

(2) Confidentiality of data and systems.

(B) Information resources assigned from one institution of higher education to another, or from an institution of higher education to a contractor or other third party, shall be protected in accordance with the conditions imposed by the providing institution of higher education.

TAC 202.75 (4)(A) and (B):

(4) Encryption. Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management shall be based on documented institution of higher education risk management decisions.   

 (A) Confidential information that is transmitted over a public network (e.g.: the Internet) must be encrypted.

 (B) Confidential information stored in a public location that is directly accessible without compensating controls in place (e.g.: FTP without access control) must be encrypted.

TAC 202.77 (c):

(c) Each institution of higher education head or his/her designated representative and information security officer shall establish a strategy for the use of written non-disclosure agreements to protect information from disclosure by employees and contractors prior to granting access.

UNT Purchasing Services Policy 4.0:

4.0.2 Only the Board of Regents, the Chancellor, and the President have the authority to incur any obligation or enter into a contract, agreement, or purchase on behalf of the University of North Texas unless this authority has been specifically delegated to a designee by one of them in writing. (SEE POLICY 10.4) No commitment for materials, equipment, or services may be made without an approved purchase order or negotiated written contract signed by one of these authorized agents. The designated agents for signing purchase orders on behalf of the University of North Texas are the Chancellor, the President and their designees.

UNT Computer Use Policy 3.10:

Authorized Use: The University of North Texas provides computer resources for the purpose of accomplishing tasks related to the University's mission. It should be noted that the use of some of the computers, networks, and software located on or off the University campus may be dedicated to specific research, teaching missions or purposes that limit their use or access.

In other words ...

As a rule of thumb, it may be acceptable to store personal data on cloud services. Likewise, cloud services may be useful to exchange non-proprietary (no UNT ownership) research or scholarly information, but care should be taken to read and understand any terms of use, and end-user agreements must not obligate UNT to any legal or contractual terms. University business data or information should never be stored on cloud services unless the appropriate agreements and standards, as described above, are already in place.

Questions regarding compliance with these regulations and policies may be directed to Rachel Burlage, UNT/UNTS IT Compliance Officer.