TECH TALK. September 25, 2014

Transcription

1 TECH TALK September 25, 2014

2 Cloud Services Guidance for Campus Tech Talk

3 UAB IT is offering interim guidance to members of the UAB campus community who wish to use 'cloud' applications & services available on the Web, including file storage, web conferencing, and content hosting. These tools, which we collectively refer to as "cloud computing" should be fully understood before they are used. Additional policies, recommendations and guidance for the use of specific products will be coming in early 2015.

4 Why is this interim guidance necessary? Need to begin communicating issues and concerns to campus in a formal manner and on a regular basis Areas of concern have been brought forward from the UA System Internal Audit Office related to: Governance and Management of Cloud Computing Services Cloud Computing Discovery Data Classification Contract Management

5 Why is this interim guidance necessary? Use of free services by individuals is increasing; Issues with reimbursement requests where paid services are subscribed to by an individual (not through a UAB contract) Contracts not reviewed by appropriate UAB areas as agreement is between the cloud provider and the individual not UAB Data ownership and control of sensitive data Personal liability Institutional reputation/liability risk

6 Why is this interim guidance necessary? Use of cloud services may conflict with UAB policies and guidelines (even with a contract in place) Sensitive data considerations. For UAB, sensitive data includes (but is not limited to) individually identifiable information, Social Security numbers, credit card numbers, driver license numbers, protected health information proprietary research data, privileged legal information, and data protected by law, such as student and patient records. UAB Data Protection and Security Policy UAB HIPAA Policy

7 Why is this interim guidance necessary? Use of cloud services may conflict with UAB policies and guidelines (even with a contract in place) Record retention policies UAB branding policies Web accessibility standards Contract routing and execution policies

8 What is the interim guidance? Recognizing that the campus community has a need for the type of services available via the cloud: We all have a responsibility to understand the significant institutional and individual liability that the use of cloud services presents It is important that the liability/risk is communicated to management before using any cloud service or tool The safest method to store/host/process sensitive data is by using technology within the UAB computing environment. UAB provides researchers with 1TB of free storage that allows for document sharing.

9 What is the interim guidance? Contracts should be between UAB and the cloud provider not between the individual and the cloud provider. Free individual subscriptions should be avoided as there is no oversight or review at any point by UAB administration. Paid individual subscriptions where the individual makes payment by credit card and then seeks reimbursement from UAB require the individual sign an affirming statement in order to be reimbursed.

10 Affirming Statement By signing this reimbursement request, I hereby certify that the services/products for which I am requesting reimbursement are not used to host, store, transmit or otherwise process any information or data that is classified (or should be classified due to the nature of the information/data) as HIPAA (patient), PHI (personal health information), PII (personally identifiable information), FERPA (student) or other such 'protected' or 'sensitive' data such as social security numbers, credit card numbers, proprietary research data, privileged legal information, data protected by law, etc.. Additional information and definitions can be found in UAB's Data Protection and Security Policy at I also understand that I may be asked to verify this certification through audits or reviews conducted at UAB's discretion. Signature If the above statement cannot be signed, please contact UAB Procurement or Expense Review for further guidance.

11 What is the interim guidance? Be familiar with and follow all UAB policies and standards Follow other Best Practices listed in the Interim Guidance document that will be communicated to campus in October Contact UAB Contracts or UAB IT for further guidance

12 Next steps: Update coming to the Data Protection and Security Policy; will include new data classifications Updated guidance coming as to specific cloud services and their appropriate use based on the new data classifications Where appropriate, more due-diligence during contract reviews to include information security/risk assessment prior to contract execution Coordination with HIPAA Security Officer and Privacy Officer to ensure a coordinated message to Campus and the Health System