SP 6-10i – Cloud Security
Colorado Community College System / System Procedure
SP 6-10i
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents Colorado Community College System and its Colleges’ (“CCCS”) security requirements for the use and procurement of cloud-based Information Technology (“IT”) services.
APPLICATION
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
DEFINITIONS
Data Retention
Data retention is defined as the saving of historic and/or inactive files on disk, or other mass storage media for the purpose of keeping the data for compliance with laws, contractual requirements, or other applicable record retention rules.
Backup
Backup is a copy of one or more files created as an alternate in case the original data is lost or becomes unusable.
Cloud-Based IT Services
Cloud-based IT services refer to IT services made available to CCCS on demand via the internet from a cloud computing service provider.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
Procurement
- Any department wishing to procure cloud-based Information Technology (“IT”) services must consult with the System IT Department (“System IT”) or the College IT Department (“College IT”) and procurement departments prior to initiating or making a final procurement decision.
- The procuring department must identify if the requested cloud-based service will require integration with other System IT or College IT Information Systems or Assets.
- System IT or College IT shall review the cloud-based IT service procurement request to identify if CCCS has another solution in place that meets the needs of the procuring department, and to avoid duplication of efforts, funding, licensing, and support.
- System IT or College IT along with other necessary CCCS departments will review the cloud-based IT service contract to ensure it includes the appropriate provisions necessary to meet the minimum information security requirements set by CCCS.
- System IT or College IT should perform a risk assessment on the cloud service provider prior to finalizing the service contract.
- CCCS purchasing procedures and State procurement policies must be followed.
Access Management
- CCCS prefers that all cloud-based IT services integrate with CCCS’s access management solution to provide a more integrated and controlled access management function.
- If integration into CCCS’s access management solution is not possible, then the System IT or College IT will maintain ownership and responsibility for provisioning and deprovisioning access to the cloud-based IT service.
- Access to cloud-based IT services shall be granted based on the user’s role and job function.
- Additional requirements for user access management can be found in CCCS’s System Procedure for Access and Authentication.
Data Protection, Retention, and Disposal
- Sensitive or Restricted information stored or shared with a cloud-based IT service provider is required to be encrypted at rest and in motion using CCCS approved secure protocols.
- Ownership of the data stored with a cloud-based IT service provider remains with CCCS or the applicable College.
- Data retention and disposal requirements set forth in CCCS’s System Procedure on Data Retention and Disposal shall be met even when the data resides with a cloud-based IT service provider.
- Upon termination of a cloud-based IT service agreement, CCCS will require data stored at the cloud-based IT service provider to be returned to CCCS and that a certificate of data destruction is provided from the cloud-based IT service provider.
Data Backup and IT Continuity
- Data stored in a cloud-based IT service is required to be backed up in accordance with CCCS’s System Procedure on Backup and Recovery.
- Cloud-based IT services are required to be identified in the IT continuity program and must meet the IT continuity program requirements set forth in CCCS’s System Procedure on IT Continuity.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.