UIS.501.5 Cloud Technology Services Agreement Guidelines

In support of UIS.501 Vendor Security Policy

Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. Each departmental technology requisitioner, sponsor, administrator, steward and owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.  

Technology functions, applications and services that are widely available through cloud providers or “software as a service” (SaaS) and available for low or no cost often require individual users to accept end-user license agreements in order to access the application or service. These agreements serve as the software terms of use and often fail to address the required protections for Georgetown data. 

Cloud Services Agreement Requirements  

  1. Storing data, providing access to, or using unapproved third-party or cloud services for University business purposes may expose the University to risk and liability; and it may also be a violation of Georgetown’s Information Security policies, data handling guidelines, and other state and federal laws.
  2. Risks with using unauthorized cloud and/or third-party services include, but are not limited to:  
    • Unauthorized access to restricted, protected or private data

    • Use of University data by third parties without the consent of the University

    • Loss of University data

    • Failure to comply with storage or access requirements for University data

  3. Using third-party or cloud services, functions, and/or applications requires the following:
    • Individuals contemplating use of a hosted or third-party technology application must first contact UIS via the department’s designated UIS Account Manager. 

      • The solution must be operationally and/or technically feasible

      • Must be significantly unique (i.e., different from any existing application or function)

      • Required and approved as a business process need by the appropriate department head

  4. The UIS Account Manager works with the requester to submit the UIS Technical Review request, providing required information:

    • Nature of data to be accessed, stored or processed

    • Description of use

    • Authentication method

    • Description of application or service

  5. UIS technical review teams initiate the assessment to determine feasibility and risk level.

  6. The University procurement office evaluates the product/service/agreements and provides its assessment.

    • UIS may provide recommendations as to contract requirements in order to meet security considerations.

    • Procurement works with the technology supplier to assure appropriate contract clauses are included, and that all appropriate documentation has been completed.

    • Only designated and authorized University OGC and/or Procurement representatives can approve and sign enterprise- and department-level license agreements. 

  7. Upon receipt of the new system, UIS works with University departments to ensure configuration, implementation and support requirements are met.