8.22 Cloud Computing

This is not the current policy. For the latest, click here.

---

I. POLICY STATEMENT

The process for selection of a Cloud Service Provider and the establishment and administration of the related Cloud Service contract must ensure adequate security controls are in place that are commensurate to the information security risks involved in the applicable contract.

---

II. RATIONALE

---

This policy establishes requirements for selection of a Cloud Service Provider and establishment and administration of the related Cloud Service contract to ensure compliance with applicable UTSA policies and standards, Texas Administrative Code TAC 202 C, and UT System policy UTS165

---

III. SCOPE

---

This standard applies to UTSA’s acquisition of services from a Cloud Services Provider and its use.

---

IV. WEBSITE ADDRESS FOR THIS POLICY

---

http://www.utsa.edu/hop/chapter8/8-22.html

---

V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS

---

UTSA or UT System Policies or the Board of Regents' Rules & Regulations

1. UT System Policy UTS165: Standard 11.2: Safeguarding Data - Non-University Third-Party Storage Services
2. UTSA HOP policy 8.12, Information Resources Use and Security Policy
3. UTSA HOP policy 8.13, The Organization and Appropriate Use of the Internet at UTSA
4. UTSA HOP policy 8.14, Data Owner Policy
5. UTSA HOP policy 8.15, Acceptable Use Policy
6. UTSA HOP policy 8.16, Information Security Administrator Policy
7. UTSA HOP policy 8.17, Information Security Incident Response
8. OIT Standard for Cloud Services
9. Data Classification Guidelines
10. President-Delegated Authorities

Other Policies & Standardss

1. Texas Administration Code, TAC 202 Section 202 C, Information Security Standards for Institutions of Higher Education

---

VI. CONTACTS

---

If you have any questions about HOP policy 8.22 – Cloud Computing contact the following office(s):

The Office of the Information Security at 210-458-7974 / informationsecurity@utsa.edu 
The Business Contracts Office at 210-458-4065
The Purchasing Office at 210-458-4060

---

VII. DEFINITIONS

---

Cloud Services – Services that maintain, store, or process data on a network of remote technology platforms and servers outside of UTSA’s direct control.

Cloud Services Provider – A third party provider of Cloud Services.  At UTSA, these providers will host information resources that process or store University Records on servers or in facilities outside of UTSA control.

Data Classification – The category of data based on data risk categories outlined in the official University Data Classification Guidelines.

Data Owner – The UTSA College, department, or individual that requests Cloud Services or administers the data and performance related to the contract with the Cloud Services Provider.

Hosted Data – University Records that are stored or will be stored in Cloud Services.

Information Security Administrator (ISA) – A UTSA departmental or College employee who, in close cooperation with UTSA’s Office of Information Security, provides assistance to the Data Owner with the implementation and administration of information security initiatives and Data Owner security needs.

President-Delegated Authority – Those individuals with a written delegation of authority from the President of UTSA to execute and deliver contracts on behalf of the University.  Only these delegated individuals can execute and commit the University to a contract.

Sensitive Data – University Records with a Data Classification of Category I or Category II under the University Data Classification Guidelines.

University Records - All data or information held on behalf of the university or created as a result and/or in support of university business, including paper records.   NOTE: Pursuant to UTSA HOP 8.15, UTSA does not assert an ownership interest in the content of exclusively personal information or documents stored on UTSA information resources as part of a User’s incidental use.

User - Any individual granted access to University Information Resources and/or University Records.

---

VIII. RESPONSIBILITIES

---

1. Data Owner
   1. Ensures selection, use, and administration of its Cloud Services is consistent with this policy and other applicable UTSA policies, standards, and procedures. 
   2. Ensures the Hosted Data is categorized and designated under the appropriate Data Classification.
   3. Provides required information necessary for completion of the risk assessment described in this policy.
2. Office of Information Security (OIS)
   1. Disseminates any applicable security criteria for use in selecting a Cloud Service Provider.
   2. Performs risk assessments of Cloud Services Providers in accordance with this policy, and provides determinations and recommendations based on risk assessments.
   3. Coordinates with the Business Contracts Office (BCO) in determining appropriate confidentiality terms and conditions for Cloud Services contracts, taking into consideration the risk level of the contract and the Data Classification involved with the Cloud Services.   
3. Purchasing Office
   1. For Cloud Services contracts with a total value exceeding the competitive procurement limit:
      1. coordinates with OIS in selection of Cloud Service Providers, and (if applicable) coordinates with BCO when establishing the contract involving Sensitive Data.
      2. provides OIS with access to the applicable Cloud Service purchase order contract.
4. Business Contracts Office (BCO)
   1. Coordinates with OIS in determining appropriate confidentiality terms and conditions for Cloud Services contracts submitted to BCO, taking into consideration the risk level of the contract and the Data Classification involved with the Cloud Services.
   2. Provides OIS with access to the applicable Cloud Service contract.

---

IX. PROCEDURES

---

1. Cloud Services Risk-Assessments
   1. In determining whether to implement and utilize Cloud Services, Data Owners must collaborate with or follow processes developed by the Office of Information Security (“OIS”) to establish the risk of the specific proposed Cloud Services.  If the Cloud Services will include Sensitive Data, selection of the recommended Cloud Service Provider must include a risk assessment of the Cloud Service Provider’s data security characteristics.  The risk assessment will be facilitated by OIS, and will include certain data fields to be completed by the Data Owner and/or the selected Cloud Service Provider.

      The Purchasing Office and Business Contracts Office will assist in ensuring compliance with this Section.

2. Cloud Service Administration
   1. Data Owners are responsible for ensuring that use of Cloud Services is consistent with UTSA policies, standards, and procedures, as well as the business terms of the contract with the Cloud Service Provider.
   2. Only President-Delegated Authorities may bind the University to a contract.  The term contract specifically includes web-based “click-to-accept” terms of use agreements, which are commonly utilized by Cloud Service Providers.  A University contract without an authorized, delegated signature may be invalid and unenforceable.  BCO maintains UTSA’s list of President-Delegated Authorities.
   3. University Records must not be stored on personally procured third-party Cloud Services (UTS165: Standard 11.2: Safeguarding Data - Non-University Third-Party Storage Services).
   4. Owners must ensure that the Cloud Services maintains a mechanism to allow OIS or an ISA to retrieve University Records in the event the Cloud Service User (or Users) is no longer associated with the University. 

---

X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION

---

None

---

XI. FORMS AND TOOLS/ONLINE PROCESSES

---

None

---

XII. APPENDIX

---

None