Hosted/Cloud Computing and Storage Standards
Date of Current Revision or Creation:ÌýDecember 1, 2020
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion 91¶ÌÊÓƵ Information Technology policies, other 91¶ÌÊÓƵ policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to provide guidance in the use of hosted/cloud services. Hosted/cloud services are application and infrastructure resources, accessed via the Internet, that are available freely by companies or contractually provided by commercial providers to support a wide range of administrative, academic and instructional activities.
Definitions
"Click-to-accept" agreements are licensing contracts established between a vendor and a customer without signatures.
Information Security Officer (ISO) - The Old Dominion 91¶ÌÊÓƵ employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion 91¶ÌÊÓƵ's information technology (IT) security program.
Institutional Data - Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the 91¶ÌÊÓƵ. Regardless of physical form, characteristic, or source, the recorded information is a 91¶ÌÊÓƵ record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of 91¶ÌÊÓƵ business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a 91¶ÌÊÓƵ record. 91¶ÌÊÓƵ records include but are not limited to: personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited email, electronic databases, electronic files, paper, audio, video and images.
Hosted/Cloud Services are those that are hosted at and accessed from the Internet instead of from ODU on-premises systems. Services include but are not limited to social networking, content hosting, blogs, wikis, office productivity tools (Google Apps, Hotmail, Evernote), file storage (Box.com, Office365 OneDrive), and on-demand computing resources (Amazon Web Services, Rackspace).
Non-ODU Hosted/Cloud Services are those hosted/cloud services that are not contracted with the 91¶ÌÊÓƵ but are licensed via a contract established directly with the customer. The contract may be a click-to-accept agreement without signature.
ODU-Provisioned Hosted/Cloud Services are those hosted/cloud services that have been approved by the 91¶ÌÊÓƵ with a 91¶ÌÊÓƵ-signed contract and made available to ODU as part of our supported IT infrastructure.
Users - Individuals and organizations that access institutional data and information in order to perform their assigned duties or to fulfill their role in the 91¶ÌÊÓƵ community.
Standards 91¶ÌÊÓƵment
ODU Provisioned Hosted/Cloud Services
These services are approved jointly by Procurement Services and Information Technology Services (ITS) for use. Such approval includes proper due diligence, including the completion of a risk review by ITS and the implementation of safeguards. The approval assumes on-going monitoring by the responsible unit and observance of the safeguards put in place.
The 91¶ÌÊÓƵ may contract with vendors to deliver hosted/cloud-based applications and services for the benefit of campus users. Employees are not authorized to contract for hosted/cloud services, unless specifically approved to do so. Services may include "click-to-accept" agreements that have not been reviewed or approved by the 91¶ÌÊÓƵ and may introduce security risks. By accepting such terms, the employee could be held personally liable.
Non-ODU Provisioned Hosted/Cloud Services
The use of non-ODU hosted/cloud services is prohibited whenever not in compliance with ODU 91¶ÌÊÓƵ Policy 3505 (Information Security) concerning confidential or restricted information, or with Policy 3700 (Records Management) concerning records retention.
91¶ÌÊÓƵ policies require the retention of information for operational and regulatory compliance needs. One such obligation is the duty to know what data is stored where and how it is preserved (e.g., backups). Not all hosted/cloud services provide adequate backups and, as such, are not suitable to host authoritative copies of institutional data. In addition ODU cannot guarantee technical and administrative access controls for data stored using hosted/cloud computing and may not have access to the data stored in the cloud or on a hosted site.
This is not intended to keep faculty from using hosted/cloud services for instructional and research purposes when it does not involve official 91¶ÌÊÓƵ records or protected private information.
User Responsibilities
Any use of hosted/cloud resources must be in compliance with all other 91¶ÌÊÓƵ policies and procedures. It is the responsibility of the employee using such services to ensure that the use is consistent with those policies.
Users are required to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use hosted/cloud services. All 91¶ÌÊÓƵ and campus policies, procedures, and guidelines apply to any 91¶ÌÊÓƵ data, whether the data is stored on 91¶ÌÊÓƵ systems, on ODU Provisioned Hosted/Cloud Services, or on Non-ODU Hosted/Cloud Services.
Users should be aware that there is no right to privacy for data in a hosted/cloud service approved for 91¶ÌÊÓƵ use. The 91¶ÌÊÓƵ may access, view, scan or listen to any electronic record or communication in a hosted/cloud service that supports 91¶ÌÊÓƵ business. In addition, the 91¶ÌÊÓƵ may periodically scan contracted hosted/cloud services to identify sensitive 91¶ÌÊÓƵ data.
Users are required to ensure that all records whether instructional, administrative, or research are retained according to the ODU Records Management Program.
Security Assistance
In the event the user is notified or becomes aware of a suspected or actual security breach involving ODU data, the user should immediately report it to the IT Security Office.
If the user is unsure whether or not a file or data is "safe" to be placed online, please contact the ITS Security Office. If a user is interested in having a particular hosted/cloud-based service reviewed, an email can be sent to itshelp@odu.edu listing the name of the service and the reasons for a review. ITS will work with the user to review the service.
Enforcement
Failure to comply may result in disciplinary actions consistent with 91¶ÌÊÓƵ policies and applicable law.
Procedures, Guidelines & Other Related Information
- Federal and 91¶ÌÊÓƵ Law
- 91¶ÌÊÓƵ Policy 1424 Policy on Intellectual Property
- 91¶ÌÊÓƵ Policy 3500 Use of Computing Resources
- 91¶ÌÊÓƵ Policy 3504 Data Administration and Classification Policy
- 91¶ÌÊÓƵ Policy 3505 Information Security Policy
- 91¶ÌÊÓƵ Policy 3700 Records Management
- IT Standard 02.3.0 Data Administration and Classification Standard
- IT Standard 09.1.0 Acceptable Use Standard
- IT Standard 10.1.0 Disciplinary Action Standard
- IT Guideline Best Practices in Protecting 91¶ÌÊÓƵ Data
- IT Guideline Data Administration and Classification Reference Table
- IT Guideline Cloud Computing Guidelines for Faculty and Staff
History
| Date | Responsible Party | Action |
| September 2013 | IT Policy Office | Created draft |
| August 2015 | IT Policy Office | Revised draft based on new data classification standard |
| January 2017 | ITAC | Reviewed and approved |
| December 2020 | IT Policy Office | Reaffirmed |