Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: October 31, 2018
Publication Date: August 2, 2022
Policy Reviewed Date: November 27, 2023
Policy Owner: VP for Information Technology


11.07 Cloud Computing


I. POLICY STATEMENT


This policy establishes requirements for the selection of a Cloud Service Provider and the establishment and administration of the related Cloud Service contract to ensure compliance with applicable The University of Texas at San Antonio (UTSA) policies and standards, Texas Administrative Code TAC 202 C, and The University of Texas System (UT System) Information Technology Resources Use and Security Policy (UTS 165).


II. RATIONALE


The process for selection of a Cloud Service Provider and the establishment and administration of the related Cloud Service contract must ensure that adequate security controls, as defined within the OIS Standard for Cloud Computing and TX-RAMP, are in place and are commensurate with the information security risks involved in the applicable contract.


III. SCOPE


This policy applies to UTSA’s acquisition of any and all services from a Cloud Services Provider and the use of cloud services.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.07.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulations
    1. UT System Policy UTS 165: Standard 11.2: Safeguarding Data - Non-UTSA Third-Party Storage Services.
    2. UTSA HOP policy 11.01, Information Technology Resources Use and Security Policy.
    3. UTSA HOP policy 11.02, Data Owner Policy.
    4. UTSA HOP policy 11.03, Acceptable Use Policy.
    5. UTSA HOP policy 11.04, Information Security Incident Response.
    6. UTSA HOP policy 11.10, The Organization and Appropriate Use of the Internet at UTSA.
    7. UTSA Office of Information Security (OIS) Standard for Cloud Services.
    8. Data Classification Guidelines.
    9. President-Delegated Authorities.
  2. Other Policies and Standards
    1. Texas Administrative Code (TAC) Chapter 202, Subchapter C, §§ 202.70-202.77, Information Security Standards for Institutions of Higher Education.
    2. Texas Government Code § 2054.0593, Cloud Computing State Risk and Authorization Management Program.
    3. Texas Government Code § 2054.003, Paragraph (13), Definitions.

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.07, Cloud Computing, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@utsa.edu  

VII. DEFINITIONS


  1. Cloud Services
    1. Services that maintain, store, or process Data on a network of remote technology platforms and servers outside of UTSA’s Information Technology Resources.
  2. Cloud Services Provider
    1. A third-party provider of Cloud Services. These providers will host Information Technology Resources that process or store Data outside of UTSA’s direct control.
  3. Data
    1. Information that is recorded, regardless of form or media, that is used to support the mission of UTSA, whether in an administrative or educational capacity.
    2. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats on UTSA Information Resources.
  4. Data Classification
    1. The category of data based on data risk categories outlined in the official UTSA Data Classification Guidelines.
  5. Data Owner
    1. The UTSA College, Vice President Unit, department, or individual that requests Cloud Services or controls the Data and performance related to the contract with the Cloud Services Provider.
  6. Data User
    1. An individual who is authorized by the Data Owner to access the Information Technology Resource, in accordance with the Data Owner's procedures and rules, whether done individually or through facilitation or responsibility for an automated application or process.
  7. Information Security Administrator
    1. A designated staff member or Data Custodian for each Department who, in close cooperation with the OIS, is assigned to implement and administer information security initiatives and assist other Data Custodians and/or Data Owners within the respective Department with any security needs.
  8. Information Technology Resources
    1. The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  9. President-Delegated Authority
    1. Those individuals with a written delegation of authority from the President of UTSA to execute and deliver contracts on behalf of UTSA. Only these delegated individuals can execute and commit UTSA to a contract.
  10. Sensitive Data
    1. Data with a classification of Category I or Category II under UTSA Data Classification Guidelines.
  11. TX-RAMP
    1. Texas Risk and Authorization Management Program was established by the Texas Legislature (Senate Bill 475), now Texas Government Code section 2054.0593. TX-RAMP provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.

VIII. RESPONSIBILITIES


  1. Data Owner
    1. Ensures selection, use, and administration of its Cloud Services are consistent with this policy and other applicable UTSA and UT System policies, standards, and procedures.
    2. Ensures the Data is categorized and designated under the appropriate Data Classification.
    3. Provides the required information necessary for the completion of the risk assessment described in this policy.
    4. Initiates procurement of Information Technology Resource goods and services contracts and data sharing agreements by either the Business Contracts Office, the Procurement Office, or UTSA Tech Solutions.
  2. Office of Information Security (OIS)
    1. Disseminates any applicable security criteria for use in selecting a Cloud Service Provider.
    2. Performs risk assessments of Cloud Services Providers in accordance with UTSA and UT System policies and Security Standards and provides determinations and recommendations based on risk assessments.
    3. Coordinates with the Business Contracts Office, UTSA Tech Solutions, Procurement Office, and/or Chief Privacy Officer (CPO) in determining appropriate confidentiality terms and conditions for Cloud Services contracts, taking into consideration the risk level of the contract and the Data Classification involved with the Cloud Services.
  3. Business Affairs
    1. For Cloud Services contracts with a total value exceeding the competitive procurement limit, the Purchasing Office:
      1.1 Coordinates with OIS and UTSA Tech Solutions in the selection of Cloud Service Providers, and (if applicable) coordinates with Business Contracts Office, OIS, and/or CPO when establishing the contract involving the sharing of Sensitive Data.
      1.2 Provides OIS with access to the applicable Cloud Service purchase order contract.
    2. For Cloud Services contracts with a total value below the competitive procurement limit, the Business Contracts Office:
      2.1 Coordinates with OIS, UTSA Tech Solutions, and/or the CPO in determining appropriate confidentiality terms and conditions for Cloud Services contracts submitted to Business Contracts Office and coordinates with UTSA Tech Solutions and OIS to take into consideration the risk level of the contract, the security of the Data, and the Data Classification involved with the Cloud Services.
      2.2 Provides OIS with access to the applicable Cloud Service contract.

IX. PROCEDURES


  1. Cloud Services Risk-Assessments
    1. In determining whether to implement and utilize Cloud Services, Data Owners must collaborate with or follow processes developed by the OIS to establish the risk of the specific proposed Cloud Services.
    2. If the Cloud Services will include Sensitive Data, selection of the recommended Cloud Service Provider must include a risk assessment of the Cloud Service Provider’s data security characteristics.
    3. The risk assessment will be facilitated by OIS and will include certain data fields to be completed by the Data Owner and/or the selected Cloud Service Provider.
    4. The Purchasing Office and Business Contracts Office will assist in ensuring compliance with this Section.
  2. Cloud Service Administration
    1. Data Owners are responsible for ensuring that the use of Cloud Services is consistent with UTSA and UT System policies, standards, and procedures, as well as the business terms of the contract with the Cloud Service Provider.
    2. Only President-Delegated Authorities may bind UTSA to a contract. The term “contract” specifically includes web-based “click-to-accept” and “click-wrap” terms of use agreements, which are commonly utilized by Cloud Service Providers. A UTSA contract without an authorized, delegated signature may be invalid and unenforceable. Business Contracts Office maintains UTSA’s list of President-Delegated Authorities.
    3. UTSA Records must not be stored on personally procured third-party Cloud Services (UTS 165 Standard 11.2: Safeguarding Data - Non-UTSA Third-Party Storage Services).
    4. Owners must ensure that Cloud Services maintain a mechanism to allow OIS or an Information Security Administrator to retrieve UTSA Records in the event the Cloud Service Data User (or Data Users) is no longer associated with UTSA.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


None

XII. APPENDIX


None


XIII. DATES APPROVED/AMENDED


08-02-2022
10-31-2018