ECU data cannot be stored external to the university network (in the "cloud") without the proper authorization and approval of the department head, data owner and CIO (Chief Information Officer).
What is Cloud Computing?
Cloud computing is the delivery of hosted services over the internet. One example is data storage using an outside company's servers and hardware. Software hosting is another use. A cloud service can be public (see the examples below) or privately hosted on a company's internal network. Examples of some popular public cloud services include:
- Amazon Cloud Drive
- Google Mail cloud services
- IBM Big Blue cloud platform
- Dropbox file storage/sharing
- Microsoft Live
- sponsored research programs
Why Do I Need Authorization?
While simple to use, and in many cases free, these services may not meet university standards for user privacy, security, intellectual property protection, unfettered access, records retention, etc. Many involve the user committing to some type of service agreement (Terms of Use) and clicking an "I Accept" button. This acceptance by users on behalf of ECU could lead to legal, privacy and security issues for ECU and is in direct violation of the "Delegation of Authority to Sign Contracts" regulation. Any cloud computing service provider must demonstrate that its security meets the minimum acceptable level established by ECU.
Examples of Educational Cloud Tools and Services
- Educational assessment tools
- Clicker-type response apps
- Screen capture recording software or app
- Educational games
- File storage
- Dropbox
- Student presentation tools
- Student portfolios
- Collaboration tools including blogs, wikis and journals
- Note taking apps
- Personal email accounts (Gmail, Hotmail, Yahoo, etc.)
- Any other tool that stores student data external to ECU
How Does This Affect Me?
If you store ECU data externally with a service provider who utilizes a non-ECU IT infrastructure with resources that are not maintained, owned or managed by ECU (see the example above), you must remove that data from this service and store it in ECU-maintained network storage or ECU Exchange.
What ECU Storage is Available?
Every user's Office 365 subscription includes a 5TB OneDrive cloud folder approved for storage of sensitive data. Departments may also request a OneDrive for Business (OD4B) shared folder for department members. If you plan to store sensitive data in OneDrive or need to share outside ECU, see this policy page from University Data Governance for guidance, which also lists the data steward to contact if you have questions or need an exception. Please see Research Data and Records for more information on research data definitions and policies. Cloud storage services outside the university do not meet required security standards.
ECU also provides Piratedrive, a 5GB storage solution on ECU's network to students, faculty and staff. Submit a service request for a consult with a technician to discuss the most efficient storage method for your data.
Are There Guidelines?
- All cloud computing services shall be approved by the Chief Information Officer (CIO) or designee prior to purchase.
- All cloud computing service contracts must be reviewed by ECU Materials Management.
- Users must have appropriate authority to accept the terms of use as specified by the Delegation of Authority to Sign Contracts-Interim prior to entering into a contract.
- No confidential data shall be placed in the cloud without department head, data owner and CIO approval.
- ECU ensures that individuals with disabilities have access to reasonable accommodation and services and adheres to the requirements and philosophy of the Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act of 1973. Technology must meet ADA requirements. To ensure the cloud technology you are considering meets ADA requirements, please consult with the Department for Disability Support Services prior to purchase or use. For consultation, call 252-737-1016 or email dssdept@ecu.edu.
If you have data stored externally, contact the Pirate Techs Service Desk at 252-328-9866 or 800-340-7081 to request a consult on how best to move the data back onto ECU-approved storage.
What About Privacy and Data Security Best Practices?
- Sensitive data can only be shared with appropriate ECU users. See this policy page from University Data Governance for guidance that includes data steward contacts for questions and exception requests. Contact the Office of Research Integrity and Compliance (252-328-9474) to determine whether your research data, technical specifications or information falls under these categories.
- Never divulge information on the internet that the university has classified as confidential. Examples include social security numbers, credit card information and driver's license numbers.
- Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on internet sites. Contact the Office of the Registrar at 252-328-6747 for assistance interpreting FERPA.
- Comply with HIPAA privacy and security rules to protect PHI. Never place HIPAA data on internet sites. Contact the HIPAA Office at 252-744-5200 for assistance interpreting HIPAA rules.
- Never use personally identifying information (PII) without explicit permission unless the university has classified the information to be public, for example, in the university directory.
- Ensure that the cloud computing service provider can meet and will agree to the requirements in the ECU Data Compliance Document. Prior to selecting the provider, contact the Pirate Techs Service Desk at 252-328-9866 for assistance.
- Never agree to terms and conditions for a cloud service to store, transmit, process or back up ECU information. Binding contracts can only be signed by authorized university officials.
- Schedule an ITCS review at 252-328-9866 prior to making a decision to use a cloud computing service provider.
Are There Data Availability and Records Retention Best Practices?
- Ensure that all records, whether instructional, administrative or research, can be retained in the cloud solution as specified by the records retention schedule. See ECU Data Retention Schedule.
- Ensure that the cloud service provider meets the unfettered access requirement by consulting with Materials Management, and request that the hosted services compliance memorandum of understanding be included in the contract prior to acceptance.
- Ensure data backup requirements are documented in the contract and include a tested recovery plan to ensure records are available when needed, as many providers assume no responsibility for data recovery of content.
- If you perform your own data backup, ensure procedures are documented and tested, and the same security controls are included in the backup solution.