Guideline for Data Security in Cloud Services

I.  Purpose

The purpose of this document is to provide guidance for protecting university information resources from unauthorized access or disclosure when using cloud services.

II. Scope

This guideline is applicable to UNC Charlotte faculty and staff as well as other authorized users who utilize cloud services to access or store university information resources.  Every authorized user of university information resources has a responsibility to take appropriate measures to safeguard that information.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Guidelines

Cloud Service Contracts

UNC Charlotte has contractual agreements with several cloud services including Google Apps for Education and Dropbox.  University authorized contractual agreements help ensure the protection of data confidentiality.  The Guideline for Data Handling offers assistance in determining whether or not it is permissible to maintain a specific type of data in a cloud service.  Only public data (Level 0) may be stored in a cloud service for which there is no formal contract with the university.

NOTE: All contracts for cloud services are required to be reviewed and approved by the Office of the CIO.

Sharing and permissions

Care should be taken when sharing and setting permissions for data stored in the cloud.  Data should be protected in such a way that only those who should be able to access it can do so.

Sharing data outside the university

There may be times when data needs to be shared with an authorized individual outside the university.  Google Drive and Dropbox can accommodate this but great care should be taken to ensure this action is not in violation of university policy, Federal or State law, or regulatory mandates.

Contractually protected grant and research data

Contracts for grants and research using contractually protected data will generally provide restrictions for where this data can be stored.  Researchers should work with their Data Security Officer and the Grants and Contracts Office to develop a Data Security Plan which may include the use of cloud services if allowed by the contract.

Data governed by Export Controls

Export Controls strictly govern the handling of certain types of data, including requiring that the data not be stored or transmitted outside of the United States.  Some cloud service providers operate servers beyond the U.S.; therefore, it may not be appropriate to store certain types of data in a cloud solution.  General questions about using any cloud service for storage or transmission of data governed by Export Controls should be directed to the office of Research and Economic Development.

G Suite for Education

Google has some servers in countries outside of the U.S.; therefore, Google’s G Suite for Education applications (Mail, Calendar, Drive, etc.) should not be used to store or transmit data governed by Export Controls.

Dropbox

Dropbox servers are housed within the U.S.; therefore, if contractual restrictions allow it and appropriate permissions are set, Dropbox may offer a suitable solution for storing and transmitting data governed by Export Controls.

Encryption

Additional protection may be applied to a document containing sensitive data by using encryption.  The built-in encryption capabilities of current versions of Microsoft Word, Microsoft Excel and Adobe Acrobat are good options for this.  Encryption keys/passwords should be communicated separately from the encrypted document, through a different channel.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initial Draft   5/29/15
Information Assurance Committee Approval   6/12/15