All cloud providers utilized by UMES IT systems that will access Personally Identifiable Information (PII) data as defined in the UMES Public & Confidential Data Classification Policy must meet the minimum requirements outlined below.
| | Requirement | Description |
|---|---|---|
| A | Compliance with UMES Security | Cloud providers must be able to comply with requirements as established within the relevant UMES IT Security Policies, including this document. |
| B | UMES IT Authorization | A security review of the cloud service must be conducted by UMES IT prior to the procurement of the service. |
| C | Classification of Data | Agencies must anticipate and, where possible, mitigate the risks to cloud-hosted data and resources in accordance with the UMES Asset Management Policy and the UMES Security Assessment Policy. |
4.2 Vendor Assessment
UMES IT will assess a CSP that will be accessing UMES IT managed PII data to ensure the CSP can operate with the requirements outlined below.
| | Requirement | Description |
|---|---|---|
| A | Assess Competency of | UMES IT must exercise due care and due diligence and conduct a thorough analysis of the provider's capabilities and security measures. This can be done through means such as a detailed questionnaire given to the CSP, research into the company, external vendor-assessment reports or audit results, and previous client testimonials. |
| B | Establish Contractual | CSPs may have standard contractual language; however, wherever possible UMES IT should negotiate with CSPs to insert UMES security controls into the contract language if they are not already covered. Contracts should be re-evaluated upon any significant change to the CSP as a third-party entity (e.g., acquisition by another company, bankruptcy). Where possible, UMES IT should negotiate with CSPs to allow ongoing evaluation by UMES IT to ensure that security measures are properly implemented and enforced. Any violation of security measures affecting the security of UMES information or resources that is discovered by UMES IT must be communicated to the CSP as soon as possible after discovery so the CSP can address the concern. |
| C | Compliance | CSPs should, as part of their UMES IT assessment, be able to demonstrate compliance with applicable regulatory requirements such as: PCI DSS, HIPAA, CSA, SSAE16 (SOC1-financial, SOC2-IT controls, SOC3-attestation), |
4.3 Privacy and Security Controls for Cloud Hosting
UMES IT will assess a potential cloud service provider that will be accessing UMES IT managed PII data to ensure the CSP can operate with any applicable capabilities and functionalities outlined below. These may be included in the questionnaire or other assessment methodologies of the potential CSP as deemed relevant by UMES IT in their evaluation.
| | Control Area | Requirement |
|---|---|---|
| A | Discovery | Ensure that the cloud provider's electronic discovery capabilities, processes, and policies do not compromise the privacy and security of UMES PII data hosted by the CSP. |
| B | Monitoring | Where possible, ensure hosted systems or services will allow UMES IT to monitor the services for uptime, availability, and security functionality. |
| C | Architecture | UMES IT should understand the applicable underlying technologies that the cloud provider uses to host services and how they integrate with current UMES on-premises infrastructure, if such integration exists. |
| D | Identity and Access | Ensure relevant safeguards are in place to secure authentication, authorization, and other identity and access-management functions in accordance with the requirements outlined in the UMES Account Management Policy and the UMES Data Security Policy. |
| E | Software and Data Isolation | CSPs should certify that in multi-tenant offerings the structure or architecture of their systems is capable of isolating hosted data and operations from other tenants where possible. |
| F | Availability | Establish an SLA with the CSP for notification of service disruption as well as resumption of critical operations within an agreed-upon time. |
| G | Response | Ensure that the cloud provider informs UMES IT within a reasonable time after discovering a breach that directly impacts the agency's resources or data. |
If an exemption from this policy is required, a UMES IT Policy Exemption Form must be submitted and must clearly articulate the reason for the exemption. An operational risk assessment will be conducted to identify the risks associated with this exemption. If the University can accept the risk, an exemption to this policy may be granted.
| Term | Definition |
|---|---|
| Cloud Service Provider (CSP) | A company that offers some component of cloud computing, typically Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS), to other businesses or individuals. |
| International Organization for Standardization (ISO) | An international standard-setting body composed of representatives from various national standards organizations which promotes proprietary, industrial, and commercial standards. |
| Statement on Standards for Attestation Engagements No. 16 (SSAE16) | Auditing standard for service organizations, often used to report compliance with the Sarbanes-Oxley Act. |
| | System software that, after being initially loaded into the computer by a boot program, manages all the other programs in a computer. |
UMES IT is responsible for managing security assessments for the University according to established requirements authorized in the UMES IT Security Program Policy. Any systems under the policy authority of UMES IT with requirements