
Cloud Computing Policy

The Cloud Computing Security Policy outlines the security requirements for using cloud services to protect the confidentiality, integrity, and availability of the University’s information. It mandates formal agreements with third-party providers to ensure compliance with University policies and privacy legislation, particularly when handling confidential or personal information. All University staff and faculty must adhere to these guidelines and obtain necessary permissions when utilizing cloud computing services.

Uploaded by wahedwaziri

Policy Name: Cloud Computing Security

Originating/Responsible Department: Information Technology Services (ITS)


Approval Authority: Senior Management Committee
Date of Original Policy: May 2015
Last Updated: May 2015
Mandatory Revision Date: May 2020
Contact: Chief Information Officer (CIO)

Policy:
The confidentiality, integrity and availability of the University’s information must be preserved when
stored, processed or transmitted by a third party cloud computing provider.

Purpose:
This Policy defines the security requirements on the use of cloud computing in order to protect
confidential and personal information being processed, stored or transmitted by cloud computing
services.

Scope:
This Policy applies to the use of public cloud computing (i.e. offsite) by University staff and faculty.

Procedures:
Cloud computing is the provision of services and applications through shared services or resources.
These can be:
• Internal with the infrastructure owned and operated by the University (private)
• External to the University (public, remotely hosted)
• A combination of both public and private clouds

Private cloud computing must comply with University policies.

Public cloud computing and applications introduce risks that must be considered in the selection of
cloud computing providers. Risks include but are not limited to the:
• Loss of information confidentiality and potential brand damage to Carleton; e.g., data breaches
• Non-compliance with federal and provincial privacy legislation
• Cloud computing providers' unilateral change of their terms of service
• Loss of information; e.g., disappearance of cloud provider, with no backup at the University
• Loss of information ownership
• Availability of information; e.g., Denial of Service
• Loss of control over information; e.g., information stored in non-University cloud accounts
• Inability to investigate the loss of information confidentiality or availability
• Inability to satisfy timely information requests for legal, investigatory or compliance purposes
• Hijacking of cloud computing account or service
• Inability of the University to control information access controls

To address these and other risks, formal agreements are required with third party service providers.

Third Party Agreements


Formal agreements with third parties where confidential or personal information is involved are
required to ensure these services are provided in compliance with University policies and privacy
legislation. This also applies to the personal information being exchanged with third parties for the
purposes of service provisioning. These agreements must include the following requirements on the
use of cloud computing for the storage, processing or transmission of confidential or personal
information:
• Clear confidentiality, integrity and availability requirements
• Limitations on the use of information
• Information ownership must remain solely with the University
• Suitability requirements on the third party, including the provision of independent audit attestations on information security controls
• Provisions governing the return and destruction of information in the third party’s possession
• Provisions on the protection of information in accordance with the Ontario Freedom of Information and Protection of Privacy Act (FIPPA)
• Provisions on the protection of information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA)
• Information Security incident reporting requirements

Where personal information is involved, a Privacy Impact Assessment must be performed prior to the
exchange of information and awarding of a contract.

Roles and Responsibilities


All engaged by the University are responsible to:
• Ensure that the confidentiality of sensitive and personal information is protected by only using approved features and functionality from approved cloud computing service providers
• Obtain permission from information owners prior to using cloud computing to process, store or transmit University information
• Ensure that new cloud services or applications procured are used in compliance with University policy as well as privacy legislation (FIPPA, PIPEDA)

ITS is responsible for:
• Providing guidance on security requirements for third party contracts

The Carleton University Privacy Office is responsible for:
• Providing guidance on third party agreements including applicable laws governing the protection of personal information; e.g., FIPPA, PIPEDA.

Department Chairs, Directors and Management are responsible for:
• Ensuring that University policies are adhered to during the procurement and use of third party cloud computing

Compliance
Non-compliance with this Policy may result in disciplinary action.

Contacts:
Chief Information Officer, ITS

Links to Related Policies:


https://carleton.ca/secretariat/policies/
• Information Security Policy
• Information Technology (IT) Security Policy
https://www.carleton.ca/privacy/policies/
• Carleton’s Privacy Policies
https://carleton.ca/its/about-its/policies/
• Guidelines for the Use of Cloud Computing
