Rules and Required Procedures for Cloud Computing

Purpose

As cloud computing options proliferate, it is increasingly important to make informed choices about appropriate use of cloud services. The purpose of this document is to guide employees of Western Michigan University in the approved use of cloud computing services in the course and scope of executing their job duties. 

Scope and definition

Cloud computing, also called software as a service, is defined as the use of third-party remote servers and software that allow centralized data storage and online access to computer services or resources, or information technology hosting of any type that is not controlled by, or associated with, the University. These rules and required procedures apply to all Western Michigan University employees.

Rules and required procedures

Use of cloud computing resources must be in compliance with all other University policies and procedures. It is the responsibility of the employee using such services to ensure that the use is consistent with those policies.

In addition to other University rules and policies, the following required procedures must be followed in the use of cloud computing services:

Intellectual property and copyright

  • Western Michigan University marks, images, and symbols are owned by the University and may not be used or reproduced without the permission of the Office of University Relations.
  • Review and understand the policies on the use of intellectual property including copyrights, trademarks, and patents. 

Privacy and data security

  • Cloud computing may not be used for information that is classified, per the University's data classification policy, as restricted/confidential, private, personal, or sensitive, unless there is a contractual agreement between WMU and the service provider that protects the confidentiality of that information and data. 
  • No contractual agreement may be entered into for cloud computing services without having been approved by the product and appropriate contract review processes.
  • Student information may only be used in compliance with FERPA guidelines. Contact the Office of the Registrar for assistance interpreting FERPA.

Data availability and records retention

  • All records, whether instructional, administrative, or research, must be retained according to the records retention guide.
  • Applications or services must be accessible to all appropriate people (e.g., visually impaired students).
  • Materials must be backed up regularly to ensure that records are available when needed, as many providers assume no responsibility for data recovery of content.

Other Requirements

These requirements are intended to assist units in their approach to evaluating the prudence and feasibility of leveraging cloud computing services.

  • Faculty, students, and staff may not speak for the University. Many of these services include “click-to-accept” agreements that have not been reviewed or approved by the Office of Information Technology or the Office of the General Counsel and so may introduce security risks regarding your information. By accepting such terms, you could be held personally liable.
  • Follow the University's appropriate product review and contract review processes.
  • Consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with the Office of the General Counsel or the Office of Information Technology for guidance.
  • Ensure a Service Level Agreement (SLA) with the vendor exists that requires:
    • Clear definition of services
    • Agreed upon service levels
    • Performance measurement
    • Problem management
    • Customer duties
    • Disaster recovery
    • Termination of agreement
    • Protection of sensitive information and intellectual property
    • Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.
  • Communicate the issues, conditions, and risks associated with any tool you choose at the beginning of the academic term, preferably in the course syllabus.
  • Never include personal identifying information, such as social security numbers, Western Identification Number (WIN), or birth dates, about yourself or your students in content or in profile information online. For additional information on personal identifying information, refer to the data classification policy.
  • Restrict online access to student content as much as possible within the context of your instructional goals. In general, coursework conducted online must always be restricted to members of the course.
  • Set expectations with students and staff for online conduct in accordance with the existing University code of conduct, union and association contracts and agreements, and human resources policies and procedures.
  • Always require students to use aliases when creating accounts, particularly if access to student work is public. Your Western Michigan University username (Bronco NetID) and your Western Identification Number (WIN) are your University-assigned unique identifiers, as is your Bronco NetID password. They must not be used as identifiers on non-University systems and/or services.
  • Manage your social media presence strategically and review it regularly.
  • Cloud computing services must not be engaged without developing an exit strategy for disengaging from the vendor and/or service while integrating the service into normal internal business practices.

Enforcement

It is your responsibility to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use cloud computing services. All University and campus policies, procedures, and guidelines apply to any University data, whether the data is stored on University or non-University systems. Failure to comply may result in disciplinary sanctions consistent with current collective bargaining agreements, University policies, and applicable law.

If you need assistance assessing these risks, please contact the Office of Information Technology or the Office of the General Counsel.

Note: these rules and requirements may be amended at any time by the Chief Technology Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the Office of Information Technology's public website.

Document action

Reviewed and approved: Campus Information Security Committee, March 2015
Revised: March 2015
Direction/purpose: Dr. James Gilchrist/Campus Information Security Group, March 2010
Reviewed: Campus Information Security Group, April 2010
Reviewed and edited: Campus Information Security Group and designated campus representatives, May 2010
Reviewed: Campus Information Security Group, May 2010
Reviewed: Campus Information Security Group, June 2010
Reviewed: Campus Information Security Group, Aug. 2010
Reviewed and edited: Campus Information Security Group, Sept. 2010
Approved: Campus Information Security Group, Oct. 2010