Division:
Administration and Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Friday, February 3, 2017
Revised Date:
Thursday, April, 11, 2024
Authority:
ISO Domain 9: Access Control Policy
ISO Domain 8: Asset Management Policy
ISO Domain 16: Incident Management Policy
Objective:
The purpose of this Policy is to provide guidance on usage of cloud based storage at SF State to comply with CSU and SF State policies and practice regarding governing privacy and security of information, and to protect confidential data in the event of loss or theft of data.
Statement:
Purpose
Cloud based file sharing and storage services are offered to SF State faculty, staff, students and community members to collaborate and share information anytime, anywhere, from almost any device.
SF State establishes campuswide standard solutions for using cloud based storage to address the following requirements:
- Enterprise-grade security and data privacy
- University data ownership, management and support model
- University protected data must be stored in U.S. data centers
- Ability to influence product features for the benefit of the SF State campus
- Vendor solution must demonstrate commitment to delivering an accessible alternative
- Compatibility with SF State’s authentication system
- Ability to enter into a contract for added protections
Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.
Departments wishing to acquire alternative storage solutions must document why the campus standard solution(s) cannot be used and receive approval from the information security and accessibility teams before acquiring the technology. Risk acceptance requests can be submitted using the Technology Acquisition Review Request (TAR) process.
Scope
This policy applies to all users of cloud based storage used for university business.
Implementation
SF State users must abide by the following:
SF State Individual accounts
- SF State individual accounts are provided to with cloud storage services to store work, coursework and research files that an individual needs while at SF State and to access SF State Department folders
- Current and emeritus SF State faculty, staff and students must have an @sfsu.edu or @mail.sfsu.edu email address to access their individual account
- Storage quotas are set for SF State accounts and increases to the existing limits can be requested with a business-use justification
- Accounts may be surrendered in the event of litigation or subpoena
- Users can request to have their files and account disabled or deleted
- SF State users must have a current affiliation to access to their cloud storage account(s)
- Files stored in SF State individual accounts will be deleted two weeks after the user loses their affiliation
- Personal cloud storage accounts requested directly from the cloud provider cannot be associated with an @sfsu.edu or @mail.sfsu.edu e-mail address
- All users are required to complete Data Security and FERPA training upon hire and annually thereafter. In some cases, access may be delayed if training is not completed.
SF State Department folders
- Department folders can be requested in order to share and manage files across a department
- Access to Department folders is granted to SF State individual accounts
- Storage quotas are set for SF State accounts and increases to the existing limits can be requested with a business-use justification
- Requests for Department folder accounts and folders must be submitted by the unit head and evaluated by local IT support providers
Usage
- Cloud based storage may be used to store or transmit SF State Confidential Level 1 data, if the service has been approved for Level 1 data use
- All data uploaded to cloud based storage should follow existing CSU Policies and executive orders and be authorized by the designated data custodians for storage in Box. In addition, student data on Box at SF State must comply with SF State Student Privacy Rights
- SF State reserves the right to remove, inspect and audit uploaded files without notice
- All files stored in cloud based storage must be consistent with the CSU Responsible Use Policy including: hosting link farms, distributing malware, and any activity that results in economic gain
- Users must obtain written permission from the owner of the copyrighted or trademarked material prior to uploading to cloud based storage services
Accessibility
- SF State is strongly committed to ensuring access to web-based information and information technologies for individuals with disabilities as required by Executive Order 926, the Americans with Disabilities Act (ADA), Section 11135 of the California Government Code, and other applicable policies and laws. Documents on file storage workspace that are shared with public or campuswide audiences, or that are uploaded as part of a reasonable accommodation request, must be accessible to people with disabilities. Please refer to the accessibility guidelines for information on making documents accessible.
Implementation
Responsibility for implementing this Policy will rest with Information Technology Services and Information Technology (IT) departments across campus. Submit any apparent violation of Cloud Based Storage Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.
Non-Compliance
Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements
Searchable Words:
cloud, storage, compliance, security, accessibility
This Cloud Based Storage Policy replaces the Box at SF State Policy.