Cloud Based Storage

Division: 

Administration and Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Friday, February 3, 2017

Revised Date: 

Tuesday, January 24, 2017

Authority: 

ICSUAM 8060 Access Control

ICSUAM 8065 Asset Management

ICSUAM 8065.S02 Information Security Data Classification

ICSUAM 8075 Information Security Incident Management

ICSUAM 8105 Responsible Use Policy

ICSUAM 5500 ITR Procurement

ICSUAM 5228 Accessibility of Public Solicitations and Acquisition of Electronic and Information Technology (E&IT) Goods and Services

Records Retention and Disposition Schedules


Objective: 

The purpose of this Practice Directive is to provide guidance on usage of Box at SF State and other cloud based storage solutions to comply with CSU and SF State regulations regarding governing privacy and security of information, and to protect confidential data in the event of loss or theft of data. 


Statement: 

Purpose

Box at SF State is a cloud-based file sharing and storage service offered to SF State faculty, staff, students and community members to collaborate and share information anytime, anywhere, from almost any device.

SF State evaluated campus-wide cloud-based solutions for storage and selected Box. The evaluation included:

  • Enterprise-grade security and data privacy
  • University data ownership and management model
  • University protected data must be stored in U.S. data centers
  • Ability to influence product features for the benefit the SF State campus
  • Vendor solution must demonstrate commitment to delivering an accessible alternative
  • Compatibility with SF State’s authentication system

 

Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.

Departments wishing to acquire alternative storage solutions must document why the campus solution cannot be used and receive approval from the information security and accessibility teams before acquiring the technology. Exception requests can be made using the Technology Acquisition Review Request form.

Scope

This practice directive applies to all users of cloud based storage used for university business.

Implementation

Box at SF State users must abide by the following:

Box at SF State Individual accounts

  • Box at SF State individual accounts are provided to store work, coursework and research files that an individual needs while at SF State and to access Box at SF State Department folders
  • Current and emeritus SF State faculty, staff and students must have an @sfsu.edu or @mail.sfsu.edu email address to access their individual account
  • Storage quotas are set on Box at SF State accounts and increases with a business-use justification can be requested
  • Accounts may be surrendered in the event of litigation or subpoena
  • Users can request to have their files and account disabled or deleted
  • Box at SF State users must have a current affiliation to access to their account
  • Files stored in individual Box at SF State accounts will be deleted two weeks after the user loses their affiliation
  • Personal Box.com accounts requested directly from Box.com cannot be associated with an @sfsu.edu or @mail.sfsu.edu e-mail address

Box at SF State Department folders

  • Box Department folders can be requested to share and manage files across a department
  • Access to Box Department folders is granted to Box at SF State individual accounts
  • Storage quotas are set on Box at SF State accounts and increases with a business-use justification can be requested
  • Requests for Box Department folder accounts and folders must be submitted by the unit head and evaluated by local IT support providers

Usage

  • Box at SF State must not be used to store or transmit SF State Confidential Level 1 data
  • All data uploaded to Box at SF State should follow existing CSU Practice Directives and executive orders regarding and be authorized by the designated data custodians for storage in Box. In addition, student data on Box at SF State must comply with SF State Student Privacy Rights
  • SF State reserves the right to remove, inspect and audit uploaded files without notice
  • All files stored on Box at SF State must be consistent with the CSU Responsible Use Policy including hosting link farms, distributing malware. and any activity that results in economic gain
  • Users must obtain written permission from the owner of the copyrighted or trademarked material prior to uploading to Box at SF State.

Accessibility

  • SF State is strongly committed to ensuring access to web-based information and information technologies for individuals with disabilities as required by Executive Order 926, the Americans with Disabilities Act (ADA), Section 11135 of the California Government Code, and other applicable policies and laws. Documents on file storage workspace that are shared with public or campus-wide audiences, or that are uploaded as part of a reasonable accommodation request, must be accessible to people with disabilities. Please refer to the accessibility guidelines for information on making documents accessible.

Implementation

Responsibility for implementing this Practice Directive will rest with Information Technology Services and Information Technology (IT) departments across campus. Submit any apparent violation of Cloud Computing Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements

Searchable Words:

cloud, box, storage, compliance, security, accessibility

 

This Cloud Based Storage Practice Directive replaces the Box at SF State Practice Directive.