Guideline for Data Security in Cloud Services

I. Purpose

The purpose of this document is to provide guidance for protecting university information resources from unauthorized access or disclosure when using cloud services.

II. Scope

This guideline is applicable to UNC Charlotte faculty and staff as well as other authorized users who utilize cloud services to access or store university information resources. Every authorized user of university information resources has a responsibility to take appropriate measures to safeguard that information.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

Cloud Service Contracts

UNC Charlotte has contractual agreements with several cloud services including Google Workspace for Education and Dropbox. University authorized contractual agreements help ensure the protection of data confidentiality. The Guideline for Data Handling offers assistance in determining whether or not it is permissible to maintain a specific type of data in a cloud service. Only public data (Level 0) may be stored in a cloud service for which there is no formal contract with the university.

NOTE: All contracts for cloud services are required to be reviewed and approved by the Office of the CIO.

Sharing and permissions

Care should be taken when sharing and setting permissions for data stored in the cloud. Data should be protected in such a way that only those who should be able to access it can do so.

Sharing data outside the university

Individuals intending to disclose Level 2 or 3 data externally (including aggregated data) are expected to know the relevant standards, policies, laws, contract terms or other obligations that apply to the disclosure. Level 3 data may not be disclosed externally without the permission of the data or system owner. Where Level 2 or 3 data includes student education records or personal health information protected by FERPA, HIPAA or other privacy laws, the data owner’s authorization may be required, unless the reason for the disclosure meets an exception to an authorization requirement. Access to disclosed Level 3 data should be restricted to authorized recipients. Processes should be developed to manage account provisioning/deprovisioning. Regular access reviews should be conducted per the University’s Guideline for User Access Management.

Contractually protected grant and research data

Contracts for grants and research using contractually protected data will generally provide restrictions for where this data can be stored. Researchers should work with their Data Security Officer to develop a Data Security Plan which may include the use of cloud services if allowed by the contract.

Data governed by Export Controls

Export Controls strictly governs the handling guidelines for certain types of data including requiring that data not be stored or transmitted outside of the United States. Some cloud service providers span beyond the U.S.; therefore, it may not be appropriate to store certain types of data in a cloud solution. General questions about using any cloud service for storage or transmission of data governed by Export Controls should be directed to the office of Research and Economic Development.

Google Workspace for Education

Google has some servers in countries outside of the U.S.; therefore Google Workspace for Education applications (Mail, Calendar, Drive, etc.) should not be used to store or transmit data governed by Export Controls.

Dropbox

Dropbox servers are housed within the U.S.; therefore, if contractual restrictions allow it and appropriate permissions are set, Dropbox may offer a suitable solution for the storing and transmitting of data governed by Export Controls.

Encryption

Additional protection may be applied to a document containing sensitive data by using encryption. Encryption capabilities in current versions of Microsoft Word and Excel and Adobe Acrobat are good options for this. Encryption keys/passwords should be communicated separately.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by the Information Assurance Committee 6/12/15
Updated 5/7/21