Guidelines for Using Cloud Based Technology
In this article
University policy X-1.00(A), "Policy on Acceptable Use of Information Technology Resources" specifies that "Those using University IT resources, whether at the University or elsewhere, are responsible for complying with security standards set forth by the Vice President and Chief Information Officer (VP/CIO), safeguarding identification codes and passwords, and for using them solely for their intended purposes.”
Third-party cloud-based technologies provided by the Division of IT, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), Box, Google Workspace, etc. are considered to be University IT resources.
Policies and standards
The following guidelines are not to be considered an exhaustive list of steps. Instead, to help you get started, they are a list of just some of the actions and responsibilities relevant to the use of cloud-based technology.
- All users of cloud platforms are expected to abide by all UMD Information Security and Privacy policies, including the Acceptable Use Policy, and the IT Standards approved by the UMD IT Council and VP IT/CIO. Failure to follow the University’s IT and Information Security Policies and/or violation of these Rules may result in penalties and disciplinary action, including but not limited to termination of employment.
- Individuals whose duties include network administration, programming, and application or system operation at the university are responsible for implementing measures to minimize the probability of a security incident involving systems and programs under their control. Such measures include the use of malware protection software, installation of vendor security updates, adherence with university security standards, and the monitoring of systems to detect anomalous activity.
- Security and Compliance is a shared responsibility between third-party providers and customers. Shared responsibility models are usually based on a model of layers for which each party is responsible, or for which responsibility is shared. Cloud-based technology, customers should be sure to review any relevant responsibility models for the services being used. The third-party provider will typically provide a responsibility matrix or other document that outlines the responsibilities of both parties. For example: AWS Responsibility Model; Google Cloud Platform Responsibility Model.
- Prior to any use of cloud-based technology, review the IT Standards and Policies to understand responsibilities for complying with security standards set forth by the Vice President and Chief Information Officer (VP/CIO).
- Prior to any upload of UMD data to the cloud, refer to the Data Classification Standard and ensure that the security measures in place are appropriate for the data’s classification level. It is the responsibility of the data owner to request assistance from DIT with any questions about security controls and compliance.
- If being used for research purposes, or as part of a research related agreement with a third party, the researcher(s) and signatory of the agreement must thoroughly read and document the requirements, and work with IRB and ORA to ensure that no violation of terms will occur, and no risk is inherited.
- UMD data stored, processed or transmitted using cloud platforms may not be added to or removed from the platform without the authorization of the data owner. Users may not disclose any data stored, processed or transmitted using the platform without the express permission of the data owner. Data should only be shared with other users or accounts that have a business need for that data.
- Incidents resulting in the potential or actual compromise of university computing resources or data must be promptly reported to the Security Office in the Division of Information Technology.
- Users must abide by the UMD Social Media Guidelines.