Cloud Computing and ECU Data
ECU data cannot be stored external to the university network (in the "cloud") without proper authorization and approval of the cloud computing service provider
What is Cloud Computing?
Cloud computing is the delivery of hosted services over the Internet. One example is data storage using an outside company's servers and hardware. Software hosting is another use. A cloud service can be public (see the examples below) or privately-hosted on a company's internal network.
Examples of some popular public cloud services include:
|Amazon Cloud Drive||Dropbox file storage/sharing|
|Google Mail cloud services||Microsoft Live|
|IBM Big Blue cloud platform||Sponsored research programs|
Why Do I Need Authorization?
How Does This Affect Me?
If you store ECU data externally with a service provider who utilizes a non-ECU IT infrastructure with resources that are not maintained, owned or managed by ECU—like the example services above—you must remove that data from this service and store it in ECU-maintained network storage.
What ECU Storage is Available?
ECU-maintained network storage includes Piratedrive and ECU Outside. Every faculty, staff and student has a secure, 40GB Piratedrive storage folder on ECU's network; departments can also request a 50GB piratedrive folder. ECU Outside is a file transfer protocol (FTP) server designed specifically for ECU faculty and staff to share information with non-ECU collaborators.
Contact the IT Help Desk at 252.328.9866/1.800.340.7081 to request storage or a consult to find the most efficient storage method for your data.
Are There Guidelines?
- All cloud computing services shall be approved by the Chief Information Officer (CIO) or designee prior to purchase
- All cloud computing service contracts must be reviewed by ECU Materials Management
- No confidential data shall be placed in the cloud without department head, data owner and CIO approval
How About Privacy and Data Security Best Practices?
- Never divulge information on the Internet that the university has classified as confidential. Examples include social security numbers, credit card information, and driver's license numbers
- Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Internet sites. Contact the Office of the Registrar at 252-328-6747 for assistance interpreting FERPA
- Comply with HIPAA Privacy requirements to protect PHI. Never place HIPAA data on Internet sites. Contact the HIPAA Privacy Office at 252.744.5200 or HIPAA Security Office at 252.328.9866 for assistance in interpreting HIPAA privacy or HIPAA security
- Never use personally identifying information (PII) without explicit permission, unless the university has classified the information to be public. For example, in the university directory ("Search People")
- Ensure that the cloud computing service provider can meet and will agree to the requirements in the ECU Data Compliance Document. Prior to selecting the provider, contact the ITCS Helpdesk at 252.328.9866 for assistance
- Never agree to terms and conditions for a cloud service to store, transmit, process or back up ECU information. Binding contracts can only be signed by authorized university officials
- Schedule an ITCS review at 252.328.9866 prior to making a decision to use a cloud computing service provider
Are There Data Availability and Records Retention Best Practices?
- Ensure that all records—whether instructional, administrative or research—can be retained in the cloud solution as specified by the records retention schedule. See ECU Data Retention Schedule
- Ensure that the cloud service provider meets the unfettered access requirement by consulting with Materials Management and request that the hosted services compliance memorandum of understanding be included in the contract prior to acceptance
- Ensure data backup requirements are documented into the contract and include a tested recovery plan to ensure records are available when needed, as many providers assume no responsibility for data-recovery of content
- If you perform your own data backup, ensure procedures are documented and tested, and the same security controls are included in the backup solution