Cloud Storage Policy (Draft for consultation)


Draft for consultation

Please note that this draft is under consultation with stakeholders in colleges and university services, before refinement and approval by the appropriate University Committee. If you have comments or feedback, please contact the Information Security Co-ordinator, Chris.Edwards@glasgow.ac.uk.

Contents

1. Summary
2. Purpose
3. Cloud Storage Definition
4. Scope
5. Cloud Storage Characteristics and Risks
   5.1 Consumer orientated
   5.2 Business orientated
6. Policy
   6.1 Objectives
   6.2 Consumer orientated Cloud Storage
   6.3 Business orientated Cloud Storage
7. Information Sharing
8. Synchronising information
9. Legislation, Policy and Guidance
10. List of approved Business Orientated Cloud Storage providers

1. Summary

Confidential University data must not be stored on consumer-oriented cloud services. It may, where the relevant risks have been addressed and under certain circumstances, be stored on business-oriented cloud services. However, data concerning living individuals may not be stored on any cloud service unless the University has approved the cloud provider in question for that purpose.

2. Purpose

This Policy defines the University's position on the use of Cloud Storage as it relates to the potential storage of University data. The Policy sets out a clear definition of Cloud Storage and the types of University data which may be stored, together with any additional safeguards which must be adhered to.

3. Cloud Storage Definition

For the purposes of this policy, Cloud Storage is defined as: Public Cloud Storage Services provided by an external supplier and made available to organisations or individuals on terms and conditions defined by the external supplier. Cloud Storage and associated files reside outwith the organisation's domain (data centres) and are usually accessed via a web interface and various synchronisation options, which facilitate the sharing of files and make data available over a range of computers and other mobile devices.

Examples of Public Cloud Storage providers include:
- Dropbox
- Box
- Microsoft (SkyDrive/OneDrive)
- Apple (iCloud)
- Oracle
- IBM
- Google

4. Scope

This policy applies to all University data, i.e. information which arises in University teaching, research and administration, and applies to all staff, students and other parties who have access to University data. Any exceptions must be documented and approved by the Information Policy and Strategy Committee.

This policy does not override policies covering data owned or provided by other organisations, and individuals must adhere to any other relevant policies, including those stipulated by the organisation providing the data. In situations where that policy differs from this one, the stronger of the two requirements must be respected, unless both organisations have agreed otherwise.

5. Cloud Storage Characteristics and Risks

Cloud storage may be characterised as consumer orientated or business orientated.

5.1 Consumer orientated

Consumer orientated Cloud storage is commonplace and is often made available free of charge to individuals via a user registration process, or bundled with many service offerings and initial hardware purchases. Individuals access their Cloud storage via a number of options including:
- Web browser
- Desktop synchronisation client
- Drive mapping or equivalent
- Mobile app

This means that individuals have access to their storage across a range of devices, providing a wide choice of access technologies and data sharing options. However, when signing up with a cloud storage provider the individual must accept the provider's Terms and Conditions and any associated service level agreement. This presents a number of risks to the security, confidentiality and availability of the individual's data; in particular:
- There is no guarantee on data protection, retention or backup.
- The Cloud provider may store data outwith the UK/EU and not be bound by UK/EU laws relating to the protection of personal data.
- Individuals should read carefully the Terms and Conditions governing the use of their Cloud storage, with particular reference to:
  o Circumstances leading to account termination and potential loss of data.
  o The provider's liability for negligence with respect to misuse, exposure, loss or damage of data.
  o Confidentiality of data with respect to the provider's data mining activities and potential resale of information for advertising, user tracking and user profiling purposes.
- Considerations about who actually owns the data and therefore has full rights over it. Some cloud providers may assert ownership of any data stored in the provider's cloud, or reserve the right to do so in future.
- The financial stability of Cloud Storage providers should be considered, to avoid a potential end of service with little or no notice.

5.2 Business orientated

There are several Cloud storage providers who offer services specifically tailored for business use. Organisations contract with their preferred cloud storage provider for specific services and manage the accounts for the individuals within their organisation who they wish to have access to Cloud Storage. Authorised individuals access their allocated Cloud storage via a number of options including:
- Web browser
- Desktop synchronisation client
- Drive mapping or equivalent
- Mobile app

This means that authorised individuals have access to their allocated storage across a range of devices, providing a wide choice of access technologies and data sharing options. The Business orientated Cloud storage services address many of the risks associated with the consumer versions, in particular:
- The terms and conditions and service level agreement are tailored to business needs.

- The organisation retains full ownership of its data.
- Security, confidentiality and availability of data are sometimes assured via industry standard accreditations, e.g. ISO 27001, EU Safe Harbour.
- Data retention and backup arrangements are defined.
- There is no advertising built from data mining or other uses of Business data.
- The Cloud provider's liability relating to negligence, misuse, loss or damage of data is better defined.

From a corporate and legal perspective several issues remain, which need to be considered and addressed before deciding on the type of information that is suitable for Cloud Storage via an external provider. In particular:
- Research data management, where either the organisation providing the data or the funding body has specific requirements for where it must reside, e.g. in the UK, or in the University itself.
- The Data Protection Act, governing the storage and management of personal information.
- The University's policy on confidential data.
- Risks associated with automatic data synchronisation between Cloud storage and corporate/personal devices.

Also, agencies of foreign governments may potentially have access to data in cloud storage, and this may be a concern for storing certain types of information.

6. Policy

6.1 Objectives

- Safeguard the security, confidentiality, integrity and availability of the University's information assets.
- Ensure compliance with national and international laws governing the storage and guardianship of data.
- Ensure compliance with contractual commitments relating to the storage and guardianship of data.
- Ensure that University employees and other partners understand the University's requirements relating to the storage and guardianship of data.

6.2 Consumer orientated Cloud Storage

Allowed

Only non-confidential information which the University has placed in the public domain, or would release into the public domain (for example under Freedom of Information), may be stored within Consumer orientated Cloud Storage. Any allowable information stored within Consumer Orientated Cloud Storage should also have copies held within the University, and therefore should not be the only copy.

Not Allowed

The University forbids the use of consumer orientated Cloud Storage for the following information assets:
- Information which the University considers private and would not make available to the public, or which might be exempt from release under Freedom of Information.
- Personal data, i.e. that which concerns living individuals and hence falls under the Data Protection Act.
- Information relating to contractual undertakings between the University and third parties.
- Information relating to research outcomes, prior to publication.
- Information relating to the normal business of the University, including emails, minutes of meetings, reports, budget statements, audit reports, proposals, project plans, project progress reports, strategic reviews etc.

6.3 Business orientated Cloud Storage

The University accepts that business-orientated Cloud Storage can provide solutions for a wide range of strategic objectives, including:
- Ease of information sharing between individuals within the University.
- Ease of sharing of information between individuals within the University and other partners outwith the University.
- Ability to access information whilst away from the University via a range of device types.
- Security, confidentiality and availability of Information assets.

Allowed

The University permits the storage of public, private and confidential information within business-orientated Cloud Storage as long as the following conditions are met:
- The information is not personal data (i.e. relating to living persons).
- The activity is in accordance with the University's policy on confidential data.
- The service-specific contract and service level agreement (SLA) must satisfy the University's requirements for information guardianship.
- The University's legal and contractual obligations must not be compromised.
- Where the service-specific contract and SLA do not guarantee the timely recovery of lost or damaged data, any allowable information stored within Business Orientated Cloud Storage should be copies of information held elsewhere within the University, and therefore not the only version.
- The University must retain management control of the user accounts associated with cloud storage subscriptions.

Not Allowed

The University does not permit the storage of the following types of information on business-orientated cloud storage services:
- Personal data as defined by the Data Protection Act.
- Information subject to specific requirements on storage location, e.g. that it must be held within the University's own data centres.

Further details about the University's requirements and legal commitments can be found under the Legislation, Policy and Guidance section below. Clarifications and advice on allowable use are available from the Data Protection and Freedom of Information Office and from IT Services via the IT Services help desk.

7. Information Sharing

The following restrictions apply to the sharing and synchronisation of University data. Where there is a requirement to share information with others, it is important that individuals who enable the sharing of data do so with the following safeguards:
- Grant access only to the specific folders and files that are required to support the collaboration or information sharing, and ensure that no other folders or files are made available.
- Inform all individuals involved in the collaboration or information sharing that they have a duty of care for the information provided and must honour all security requirements as well as privacy or confidentiality commitments.

8. Synchronising information

Synchronising information to and from allowable Cloud Storage can provide significant advantages in terms of information availability and speed of access. Synchronising information across a range of devices requires the following safeguards:
- Individuals must ensure that the devices involved in the synchronisation process are protected as far as possible from unauthorised access or loss. Mobile devices must have a PIN code or equivalent enabled.
- Individuals must ensure that the devices involved in the synchronisation process are protected as far as possible from malware and are kept up to date with vendor-supplied security patches.
- Individuals must ensure that any private or sensitive University information is further protected via strong data encryption. Laptops must have Full Disk Encryption configured before data is synced.

9. Legislation, Policy and Guidance

- Data Protection and Freedom of Information Office (University of Glasgow)
- Policy and Guidelines on Confidential Data (University of Glasgow)
- Data Management Support for Researchers (University of Glasgow)
- Guidance on the Use of Cloud Computing (Information Commissioner's Office)

10. List of approved Business Orientated Cloud Storage providers

The University will maintain and publish a list of approved Business Orientated Cloud Storage providers to ensure that Colleges and University Services staff choose the most appropriate supplier for their specific purposes. The list will be maintained by IT Services and published on the University web site. For the purposes of this draft policy the current list of approved suppliers is as follows.

Arkivum (current service)

For Research Data Management archive at project closure. The Arkivum Research Data Management services were contracted via an open procurement conducted on behalf of UK academic institutions by JISC.

Microsoft OneDrive for Business (in development at the University of Glasgow; release September 2015)

OneDrive for Business is part of the Office 365 suite of services, which deliver a rich set of business-class collaboration solutions. The complete suite of services has been reviewed by JISC on behalf of UK academic institutions, leading to advantageous changes to contract terms and the supporting Service Level Agreement. In addition, Office 365 has been approved by the UK Government to hold or transact public sector data for business conducted at the OFFICIAL level of security classification.

Document Control

Draft (rev 1.209) for comment (2015-04-23)
Layout revision (2015-05-26)