Cloud Based Storage

Division: 

Administration and Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Friday, February 3, 2017

Revised Date: 

Monday, November 16, 2020

Authority: 

ISO Domain 9: Access Control Policy

ISO Domain 8: Asset Management Policy

ISO Domain 16: Incident Management Policy

Information Security Responsible Use Policy

CSU Contracts and Procurement

Records Retention and Disposition Schedules

Objective: 

The purpose of this Policy is to provide guidance on usage of cloud based storage at SF State to comply with CSU and SF State policies and practice regarding governing privacy and security of information, and to protect confidential data in the event of loss or theft of data.

Statement: 

Purpose

Cloud based file sharing and storage services are offered to SF State faculty, staff, students and community members to collaborate and share information anytime, anywhere, from almost any device.

SF State establishes campuswide standard solutions for using cloud based storage to address the following requirements:

  • Enterprise-grade security and data privacy
  • University data ownership, management and support model
  • University protected data must be stored in U.S. data centers
  • Ability to influence product features for the benefit of the SF State campus
  • Vendor solution must demonstrate commitment to delivering an accessible alternative
  • Compatibility with SF State’s authentication system
  • Ability to enter into a contract for added protections

Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.

Departments wishing to acquire alternative storage solutions must document why the campus standard solution(s) cannot be used and receive approval from the information security and accessibility teams before acquiring the technology. Risk acceptance requests can be submitted using the Technology Acquisition Review Request (TAR) process.

Scope

This policy applies to all users of cloud based storage used for university business.

Implementation

SF State users must abide by the following:

SF State Individual accounts

  • SF State individual accounts are provided to with cloud storage services to store work, coursework and research files that an individual needs while at SF State and to access SF State Department folders
  • Current and emeritus SF State faculty, staff and students must have an @sfsu.edu or @mail.sfsu.edu email address to access their individual account
  • Storage quotas are set for SF State accounts and increases to the existing limits can be requested with a business-use justification
  • Accounts may be surrendered in the event of litigation or subpoena
  • Users can request to have their files and account disabled or deleted
  • SF State users must have a current affiliation to access to their cloud storage account(s)
  • Files stored in SF State individual accounts will be deleted two weeks after the user loses their affiliation
  • Personal cloud storage accounts requested directly from the cloud provider cannot be associated with an @sfsu.edu or @mail.sfsu.edu e-mail address
  • All users are required to complete Data Security and FERPA training upon hire and annually thereafter. In some cases, access may be delayed if training is not completed.

SF State Department folders

  • Department folders can be requested in order to share and manage files across a department
  • Access to Department folders is granted to SF State individual accounts
  • Storage quotas are set for SF State accounts and increases to the existing limits can be requested with a business-use justification
  • Requests for Department folder accounts and folders must be submitted by the unit head and evaluated by local IT support providers

Usage

  • Cloud based storage may be used to store or transmit SF State Confidential Level 1 data, if the service has been approved for Level 1 data use
  • All data uploaded to cloud based storage should follow existing CSU Policies and executive orders and be authorized by the designated data custodians for storage in Box. In addition, student data on Box at SF State must comply with SF State Student Privacy Rights
  • SF State reserves the right to remove, inspect and audit uploaded files without notice
  • All files stored in cloud based storage must be consistent with the CSU Responsible Use Policy including: hosting link farms, distributing malware, and any activity that results in economic gain
  • Users must obtain written permission from the owner of the copyrighted or trademarked material prior to uploading to cloud based storage services

Accessibility

Implementation

Responsibility for implementing this Policy will rest with Information Technology Services and Information Technology (IT) departments across campus. Submit any apparent violation of Cloud Based Storage Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements

Searchable Words:

cloud, storage, compliance, security, accessibility

This Cloud Based Storage Policy replaces the Box at SF State Policy.