I.Purpose
The purpose of this ISSP-017 Addendum for Cloud Computing Providers document serves as a questionnaire to ensure that any Institutional Data placed with cloud computing providers is protected and maintained in accordance with all applicable USF System requirements. This is addendum to be filled out when the USF Institutional Data will be stored in Cloud Services.
II.When is this form completed?
This form is to be completed and approved by IT Security and the Data Owner prior to entering into any agreement that will involve Institutional Data being processed, stored, or transmitted on or through systems that are not fully hosted and/or managed at USF System facilities by USF System personnel.
This includes any proposed agreement with external third-parties to provide the USF System with Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS) utilizing private cloud, community cloud, public cloud, and/or hybrid cloud.
Per USF System Policy 0-507, Institutional Data is defined as all data elements created, maintained, received, or transmitted as a result of business, educational or research activities of a USF system unit.
III.Who should complete this questionnaire?
The Data/Application Owner should complete this form, collaborating as necessary with the cloud computing provider as well as IT project managers, technical leads, business analysts, Purchasing, General Counsel, and department representatives planning to purchase the software.
Upon completion, submit this form for review and approval to Alex Campoe campoe@usf.edu.
IV.About the Vendor
These questions are to be answered by the USF data or application owners
|
Is this a commonly known and recognized cloud computing provider with an overall positive industry reputation?
|
|
Does the cloud computing provider’s website give you confidence with up-to-date, useful information and links to articles and reviews?
|
|
Does the clouding computing provider’s website have support or customer forums?
|
|
Are the support or customer forums active and generally positive?
|
|
What are the applicable USF System data retention policies for this data?
|
|
Can this cloud service provider adhere to the applicable USF System data retention policies listed above?
|
|
Can the cloud service provider secure and provide Institutional Data timely as may be necessary for the USF System to comply with public records requests, subpoenas, etc.?
|
|
If answers to any of the above are not satisfactory, consider if the proposed cloud computing provider should be deemed unsuitable.
V.Analysis
This section is required only if the data is considered restricted, essential, or required. If the data stored with the cloud provider fits in this classification, obtain and review the provider’s SOC 2. If a SOC 2 is not available, or if not adequately addressed within the SOC 2 scope, proceed with the analysis section.
Answer the following if the data is considered restricted
|
What are the specific compliance requirements (e.g., FERPA, PCI, etc.) that will apply, and can the cloud computing provider demonstrate ongoing adherence to these requirements?
|
|
How does the cloud computing provider ensure adequate PII protection?
|
|
How is data protected while in motion and at rest, and what are the encryption levels?
|
|
If the same servers are used to store data from multiple customers, how will the provider ensure that other customers cannot see our data, and that we will not see theirs?
|
|
Are there mandatory background checks for employees of the cloud computing provider?
|
|
What measures does the provider have in place to protect against insider threat?
|
|
Is there a clear incident response notification procedure?
|
|
Have there been any security breaches at the cloud computing provider?
|
|
If one occurs, will the University be notified, even if the breach only affected other customers?
|
|
Is it guaranteed in writing that the cloud computing provider has no ownership in anything USF stores on its servers, and that they cannot resell USF data, even in the aggregate?
|
|
Will the cloud computing provider distribute its load and USF data across the world in multiple data centers, and if so, might the data be stored on servers in a country with less stringent privacy protection rules?
|
|
How is data deletion accomplished?
|
|
If the University terminates its contract with the cloud computing provider, can the provider certify that all copies of USF data, including on backups are destroyed?
|
|
Does the application have password controls in place that meet minimum University standards, and if not will the application support USF Single Sign-On?
|
|
Does the cloud vendor undergo regular IT security audits or reviews (internal or external)?
|
|
Has the cloud provider obtained industry specific certifications?
|
|
Does the cloud provider regularly undergo periodic vulnerability and/or penetration testing?
|
|
Have the cloud computing provider explain physical security at least at a high level of detail?
|
|
Have the cloud computing provider explain system administration responsibilities and practices for application/databases/operating systems and networks including updates, virus protection, firewalls, and network monitoring at least at a high level of detail.
|
|
How many of the cloud computing provider’s personnel will have access to USF System data? In what roles, and for what business purposes?
|
|
Answer the following if the data is considered essential or required data
|
Will the cloud computing provider provide the University with SLA’s consistent with these requirements?
|
|
Is there scheduled down time for maintenance?
|
|
What is the level of client support? Can someone on the USF staff pick up the phone and call a technical rep after hours?
|
|
What is their disaster recovery plan?
|
|
Does the cloud computing provider provide redundant sites?
|
|
Have the cloud provider explain application controls (i.e. input controls, completeness and validity checks, etc.) in place to ensure the integrity of processed data at least at a high level of detail.
|
|
Have the cloud provider explain change management procedures designed to ensure changes meet business requirements and are authorized.
|
|
If the University terminates its contract with the cloud computing provider, will Institutional Data be returned or otherwise available to the USF System in accessible/usable form?
|
|
VI.Conclusion
Overall conclusion/recommendation (proceed/do not proceed)
|
|
Basis for “proceed” recommendation, if response to any of the above items were not satisfactory (added controls, assuming risk, etc.)
|
|
Data Owner Approval Signature
|
IT Security Approval Signature
|
|
|
Form Version: 20150716
Share with your friends: |