Information classification and other considerations

Assessing the information system's criticality, confidentiality, and legal, regulatory, contractual & funding agency requirements is a vital step in protecting University information.

The requirements below are organized by the system's criticality (mission critical, critical or moderate) and, within each, by the classification of the information it handles (confidential, Official Use Only, low sensitivity/public) and by whether legal, regulatory, contractual or funding agency requirements apply.

Mission critical

Confidential: A contract is required. Review privacy and security safeguards.

Official Use Only (OUO): A contract is required. Review privacy and security safeguards.

Low sensitivity/public: A contract is required. Review privacy and security safeguards.

Legal, regulatory, contractual or funding agency requirements: A contract is required. Review privacy and security safeguards required for compliance.

Critical

Confidential: A contract is required. Review privacy and security safeguards.

Official Use Only (OUO): A contract is required. Review privacy and security safeguards.

Low sensitivity/public: A contract is required. Review privacy and security safeguards.

Legal, regulatory, contractual or funding agency requirements: A contract is required. Review privacy and security safeguards required for compliance.

Moderate

Confidential: A contract is required. Review privacy and security safeguards.

Official Use Only (OUO): Review the terms of service & privacy policy of the service provider. Optionally, review the privacy and security safeguards of the service provider.

Low sensitivity/public: Review the terms of service & privacy policy of the service provider.

Legal, regulatory, contractual or funding agency requirements: A contract is required. Review privacy and security safeguards required for compliance.

Criticality

Determine the criticality of the system to be run in the cloud, based on its importance or risk relative to goals and objectives of the unit, including uninterrupted operation and essential business functions. Criticality categories are used to determine the requirements for availability and integrity: mission critical, critical or moderate.

Criticality guidelines

For mission critical or critical systems, a written contract is required and must include terms and conditions to satisfy all unit and/or University requirements. For moderately critical systems (except those containing confidential information), review the terms of use and privacy policy of the cloud provider (often presented as a ‘click-through’ agreement) to confirm the terms are acceptable. Confidential information, regardless of criticality, always requires a written contract.

Confidentiality

Important NOTE:

University passwords are highly confidential and should NEVER be used for any non-University cloud-based service, application, or Web site.

Determine the confidentiality of the information to be stored or processed in the cloud. Consider its sensitivity and required privacy and security safeguards to prevent unauthorized access, disclosure or misuse when determining if the information is confidential, Official Use Only (OUO), or low sensitivity/public. How much of a risk is there if this information were to be breached?

Confidentiality guidelines

If the information is confidential, a cloud-based solution may be appropriate, but the cloud provider’s privacy and security safeguards must be reviewed first. The cloud service must be governed by a contract that is negotiated between the University and the provider. The contract must include terms and conditions to address all privacy and security requirements, and should include periodic due diligence of the cloud provider’s privacy and security safeguards. Also, review the terms and conditions that are typically used in cloud/hosted provider contracts.

If the information is OUO, a cloud-based solution may be appropriate. If the cloud-based service will be considered mission critical or critical, the cloud provider’s privacy and security safeguards must be reviewed first. The cloud service must be governed by a contract that is negotiated between the University and the provider. The contract must include terms and conditions to address all privacy and security requirements, and should include periodic due diligence of the cloud provider’s privacy and security safeguards. Also, review the terms and conditions that are typically used in cloud/hosted provider contracts.

If the information is low sensitivity/public, a cloud-based solution may be appropriate. If the cloud-based service will be considered mission critical or critical, the cloud service must be governed by a contract that is negotiated between the University and the provider. The contract must include terms and conditions to address all availability and integrity requirements. Review the terms and conditions that are typically used in cloud/hosted provider contracts.

Legal, regulatory, contractual or funding agency requirements

Is the information subject to restrictions and/or obligations?

Legal, regulatory, contractual or funding agency guidelines

If the information to be processed or stored in a cloud-based solution is subject to legal, regulatory, contractual or funding agency requirements, a cloud-based service may be appropriate, but it must be governed by a contract that is negotiated between the University and the information service provider. The contract must include terms and conditions to address all legal, regulatory, contractual and/or funding agency privacy and security requirements. Review the terms and conditions that are typically used in cloud/hosted provider contracts. Also, the cloud service provider’s privacy and security safeguards must comply with applicable laws, regulations and contracts, and must be reviewed. A Business Associate Agreement must be obtained for any cloud service provider that processes, stores, or transmits HIPAA Protected Health Information (PHI).
