204: Use of Third-Party/Non-OSU Services
Information Security Policies & Procedures Manual
Section 200: Information Systems Security
This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates.
This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.
For purposes of this policy, a “non-OSU System” is a computer system that is not physically, administratively, and legally controlled by OSU. A system is administratively controlled by OSU only if OSU controls the software, devices and procedures used to access the system. This policy is not directed toward devices personally owned by employees.
The purpose of this section of the policy is to define acceptable terms for the use of third-party information technology services, such as Software as a Service (SAAS), Infrastructure as a Service (IAAS), or “Cloud” services. This policy establishes a framework that complies with Federal, State and Local laws, as well as with other University Policies, requiring the protection of the confidentiality, integrity, and availability of data.
Under no circumstance shall any information classified as Protected be placed on a non-OSU System other than those officially designated by the Vice Provost for Information Services. Data elements classified as Protected are listed in Appendix A.
Information classified as Sensitive may be placed on a non-OSU System following the completion of a regulatory compliance review, approval by the designated records custodian charged with the care of that data, and contract terms that establish appropriate protection of that data. At the request of the records custodian, the Vice Provost for Information Services will conduct a risk assessment to help the records custodian determine whether the protection is adequate.
Furthermore, the individuals managing data classified as Protected or Sensitive must limit access consistent with the restrictions established in Section 200, must understand the policies associated with the use of that service, and must ensure that permissions to the data are accurately and appropriately managed. Protected and Sensitive information housed on non-OSU Systems must never be made publicly accessible.
If the third-party service does not meet the standards for storing certain types of information, the records custodian may ask the Vice Provost for Information Services for assistance in determining whether the University can establish appropriate protection that would allow use of the service, for example by modifying the types of information stored, changing business practices, or establishing other safeguards.
Information classified as Unrestricted may be stored on a non-OSU System by employees in the course of conducting University business, whether or not a University contract is in place. Employees are responsible for ensuring that access is consistent with the restrictions established in Section 200, that they understand the policies associated with the use of that service, and that permissions to the data are accurately and appropriately managed.