Cloud Computing Policy Page 1 of 3

Effective Date: 3/1/2015

POLICY ON CLOUD COMPUTING

Name: Cloud Usage Policy

Originating Department: Information Technology Services

Responsibility: Chief Information Officer (CIO)

Executive Responsible: Vice President Finance and Operations

Revision Date(s): None

Effective Date: 3/1/2015

1. INTRODUCTION

Cloud computing is defined as the utilization of servers or information technology hosting of any type that

is not controlled by, or associated with, the University for services such as, but not limited to, social

networking applications (i.e. blogs and wikis), file storage (assignment drop box), and content

hosting (publishers text book add-ons).

This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc..

Cloud computing offers a number of advantages including low costs, high performance and quick delivery of services. However, without adequate controls, it also exposes individuals and organizations to online threats such as data loss or theft, unauthorized access to institutional networks, and raises concerns around privacy and security (see Guidelines)..

2. DATA PROTECTED BY THIS POLICY

The following data are covered by this Policy:

student record data,

personnel data,

financial data (budget and payroll),

student life data,

departmental administrative data,

legal files,

research data,

proprietary data, and

defined forms of data that pertain to, or support the administration of the University.

Cloud Computing Policy Page 2 of 3

Effective Date: 3/1/2015

3. POLICY

CBU does not permit the use of public cloud storage for Cape Breton University business unless authorized by the CIO.

Use of cloud computing services for university purposes must be formally authorized by the CIO. The CIO will certify that security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor.

For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the CIO.

Employees must not share cloud log-in credentials with others.

The use of such services must comply with CBU’s existing Information Technology Usage Policy.

The use of such services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by Cape Breton University as a public institution in the Province of Nova Scotia, Country of Canada.

Personal cloud services accounts may not be used for the storage, manipulation or exchange of prohibited forms of communication or CBU-owned data.

4. RISKS

The main risks when files are stored in public cloud storage are that:

The University can no longer guarantee the quality of access controls protecting the data.

The location where the data is stored may not be guaranteed as remaining in Canada, and so may not meet federal PIPEDA and/or Provincial PIIDPA legislation for personal data.

In many cases, public cloud storage requires that files be associated with an individual's personal account. Should that individual suddenly become ill, be absent for other reasons or leave CBU, the University will lose access to the data.

Cloud services generally limit their liability for negligence, resulting in little or no recourse should the provider misuse, lose or damage information stored in the cloud.

Few cloud providers guarantee they will not access the information stored within their service, leading to concerns over privacy and intellectual property rights.

Some if not all providers do not guarantee that the user's ownership of the data stored in the cloud will be retained. This is primarily to enable the providers to move data around to their different server locations without your prior approval but opens further questions about intellectual property rights.

Using cloud storage client software to synchronize files between work and personal devices could result in sensitive information being held inappropriately on personal equipment.

Cloud Computing Policy Page 3 of 3

Effective Date: 3/1/2015

5. EXIT STRATEGY

Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. The University must determine how data would be recovered from the vendor.

6. RELATED DOCUMENTS

1. PIPEDA (federal) 2. PIIDPA Legislation (Province of Nova Scotia) 3. IT Usage

7. NON-COMPLIANCE

It is your responsibility to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use cloud computing services. All University and campus policies, procedures, and guidelines apply to any University data, whether the data is stored on University or non-University systems. Failure to comply may result in disciplinary sanctions consistent with current collective bargaining agreements, University policies, and applicable law.

The employee’s immediate Manager and the Chief Information Officer will be advised of any breaches of this policy and will be responsible for appropriate remedial action