UIS.501.5 Cloud Technology Services Agreement Guidelines
In support of UIS.501 Vendor Security Policy
Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. Each departmental technology requisitioner, sponsor, administrator, steward and owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Cloud Services Agreement Requirements
- Storing data, providing access to, or using unapproved third-party or cloud services for University business purposes may expose the University to risk and liability; and it may also be a violation of Georgetown’s Information Security policies, data handling guidelines, and other state and federal laws.
- Risks with using unauthorized cloud and/or third-party services include, but are not limited to:
Unauthorized access to restricted, protected or private data
Use of University data by third parties without the consent of the University
Loss of University data
Failure to comply with storage or access requirements for University data
- Using third-party or cloud services, functions, and/or applications requires the following:
Individuals contemplating use of a hosted or third-party technology application must first contact UIS via the department’s designated UIS Account Manager.
The solution must be operationally and/or technically feasible
Must be significantly unique (i.e. different from any existing application or function)
Required and approved as a business process need by the appropriate department head
The UIS Account Manager works with the requester to submit the UIS Technical Review request, providing required information:
Nature of data to be accessed, stored or processed
Description of use
Description of application or service
UIS technical review teams initiate the assessment to determine feasibility and risk level
The University procurement office evaluates the product/service/agreements and provide its assessment
UIS may provide recommendations as to contract requirements in order to meet security considerations.
Procurement works with the technology supplier to assure appropriate contract clauses are included, and that all appropriate documentation has been completed.
Only designated and authorized University OGC and/or Procurement representatives can approve and sign enterprise- and department-level license agreements.
Upon receipt of the new system, UIS works with University departments to ensure configuration, implementation and support requirements are met.