Rules and Required Procedures for Cloud Computing

Purpose

The purpose of these rules and required procedures is to guide employees of the Western Michigan University community in the appropriate and approved use of “cloud computing” services in the course and scope of executing their job duties. This document provides a checklist of recommendations when considering engaging in use of such services.

Scope and definition

Cloud computing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, the University for services such as, but not limited to, social networking applications (e.g. blogs and wikis), file storage (assignment drop box), and content hosting (publishers' textbook add-ons). It is important to keep in mind that virtual spaces, such as social network sites and message centers, that are used for University purposes, including instruction and delivery of instructional information, are treated in the same fashion as physical spaces and face-to-face instruction and interaction. These rules and required procedures apply to all Western Michigan University employees.

Rules and required procedures

Use of cloud computing resources must be in compliance with all other University policies and procedures. It is the responsibility of the employee using such services to ensure that the use is consistent with those policies.

In addition to other University rules and policies, the following required procedures must be followed in the use of cloud computing services:

Intellectual property and copyright

  • Western Michigan University marks, images, and symbols are owned by the University and may not be used or reproduced without the permission of the Office of University Relations.
  • Review and understand the policies on the use of intellectual property including copyrights, trademarks, and patents. 

Privacy and data security

  • Information that the University has classified as “restricted/confidential” or “internal” may be used only in accordance with the policy related to the classification of information which may be found in the data classification policy.
  • Student information may only be used in compliance with FERPA guidelines. Contact the Office of the Registrar for assistance interpreting FERPA.

Data availability and records retention

  • Ensure that all records, whether instructional, administrative, or research, are retained according to the records retention guide.
  • Ensure that applications or services are accessible to all appropriate personnel (e.g. visually impaired students).
  • Back up materials regularly to ensure that records are available when needed, as many providers assume no responsibility for data recovery of content.

Other Requirements

These requirements are intended to assist units in their approach to evaluating the prudence and feasibility of leveraging cloud computing services.

  • Remember that faculty, students, and staff may not speak for the University. Many of these services typically include “click-to-accept” agreements that have not been reviewed or approved by the Office of Information Technology or the Office of the General Counsel and so may introduce security risks regarding your information. By accepting such terms, you could be held personally liable.
  • Consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with the Office of the General Counsel or the Office of Information Technology for guidance.
  • Ensure a Service Level Agreement (SLA) with the vendor exists that requires:
    • Clear definition of services
    • Agreed upon service levels
    • Performance measurement
    • Problem management
    • Customer duties
    • Disaster recovery
    • Termination of agreement
    • Protection of sensitive information and intellectual property
    • Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.
  • Communicate the issues, conditions, and risks associated with any tool you choose at the beginning of the academic term, preferably in the course syllabus.
  • Restrict online access to student content as much as possible within the context of your instructional goals. In general, coursework conducted online should always be restricted to members of the course.
  • Always require students to use aliases when creating accounts, particularly if access to student work is public. Your Western Michigan University username (Bronco NetID) and your Western Identification Number (WIN) are your University-assigned unique identifiers and passwords. They should not be used as identifiers on other non-University systems and/or services.
  • Never include personal identifying information, such as social security numbers, Western Identification Number (WIN), or birth dates, about yourself or your students in content or in profile information online. For additional information on personal identifying information, refer to the data classification policy.
  • Set expectations with students and staff for online conduct in accordance with the existing University code of conduct, union and association contracts and agreements, and human resources policies and procedures.
  • Manage your social media presence strategically and review it regularly.
  • Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor and/or service while integrating the service into normal internal business practices.

Enforcement

It is your responsibility to take privacy and security into consideration when making decisions about when it is, and is not, acceptable to use cloud computing services. All University and campus policies, procedures, and guidelines apply to any University data, whether the data is stored on University or non-University systems. Failure to comply may result in disciplinary sanctions consistent with current collective bargaining agreements, University policies, and applicable law.

If you need assistance assessing these risks, please contact the Office of Information Technology or the Office of the General Counsel.

Note: these rules and requirements may be amended at any time by the Chief Technology Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the Office of Information Technology's public website.

Document action

Direction/purpose: Dr. James Gilchrist/Campus Information Security Group, March 2010
Reviewed: Campus Information Security Group, April 2010
Reviewed and edited: Campus Information Security Group and designated campus representatives, May 2010
Reviewed: Campus Information Security Group, May 2010
Reviewed: Campus Information Security Group, June 2010
Reviewed: Campus Information Security Group, Aug. 2010
Reviewed and edited: Campus Information Security Group, Sept. 2010
Approved: Campus Information Security Group, Oct. 2010