UCI Cloud Computing Security Policy, Standards and Procedures

Guiding Policy

Cloud Computing is governed under the system-wide policy BFB-IS-3: Electronic Information Security. Specifically, this includes:

  • all devices, independent of their location or ownership, when connected to a UC network or cloud service used to store or process Institutional Information, and
  • all use of Institutional Information, independent of the location (physical or cloud), ownership of any device or account that is used to store, access, process, transmit or control Institutional Information.

Standards for Using Enterprise Cloud Platforms - UCI Google Drive (GSuite) & Microsoft OneDrive

The most important consideration when selecting and using a cloud platform or other SaaS (software-as-a-service) solution, is the protection level of the data you will be storing, transmitting or processing with the solution. If you are unsure what protection level your data falls under, visit our Data Classification guidance page.  Here, you will discover links to an informative Data Classification webinar, decision tree as well as UC guidance with examples of data by protection level.

Allowed Enterprise Cloud Platform by Protection Level - General

There are a variety of cloud storage solutions trying to get your attention -- and your data.  This guidance is to help you choose the right ones that will protect you and the university.  There are two cloud storage providers under enterprise contracts with UCI.  An enterprise contract obligates a service provider (such as Google and Microsoft) to terms and conditions that result in penalties if those terms and conditions are breached, encouraging the service provider to look out for your data because it is in their self-interest. Which option, Microsoft OneDrive or Google Drive, is best for you?  The answer depends on what level of protection your data needs.  

Cloud Guidance by Protection Level

* Secure sharing of data in OneDrive requires the person doing the sharing to have a Microsoft A3 license at minimum.  Additional security features are available with the A5 license.  You can find more about sharing data securely with OneDrive with this set of good sharing practices.

** Neither solution is ready to accept Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule.  Please contact OIT Security for other options that may be available to you.

*** We are looking into securing these for P3 & P4 data.

Not Recommended - Non-contracted Solutions

The two services available to you are Google Drive and Microsoft OneDrive when used in conjunction with your UCI identity (name@uci.edu).  If you are storing data in Google Drive or OneDrive that isn’t tied to your UCI identity, your data is not covered by our enterprise contracts. Storing files on your personal Google Drive or Microsoft OneDrive using your personal identity affords no contractual protection, so if your data is exposed or stolen there is little to no recourse available. Storing your files on other sites that do not have a contract with UCI (Dropbox, Box, etc.) affords no contractual protection either.

Procedure for OneDrive Link Sharing by Protection Level in OneDrive

OneDriveLinksHowToShare

Creating links and sharing files securely

The following important guidelines ensure you do not expose P3 – P4 data to external users:

  • Please familiarize yourself with the different sharing options.
  • Never create an “open link” (Anyone with the link) to a file or folder with P3 - P4 data.

When sharing a file or folder you are presented with the following options:

  • Specific people (default link type) gives access only to the people you specify (internal or external users), although other people may already have access. If people forward the sharing invitation, only people who already have access to the item will be able to use the link. This is considered a “Direct Link” and the only acceptable way to share P3 – P4 data to external users.
  • People in (Your Organization) gives anyone in your organization who has the link access to the file, whether they receive it directly from you or forwarded from someone else.
  • People with existing access can be used by people who already have access to the document or folder. It does not change the permissions on the item. Use this if you just want to send a link to somebody who already has access.
  • Anyone with the link gives access to anyone who receives this link, whether they receive it directly from you or forwarded from someone else. This may include people outside of your organization. This is considered an “Open Link”

If P3 – P4 data must be shared outside of the organization, use a “Direct Link” (Specific People). This will require a verification code sent to the intended recipient's email address if they are

Additional examples of different link types are available here.

Cloud Computing Standards: Other Software-as-a-Service (SaaS)/Cloud Applications

Secure Procurement

Prior to using a SaaS solution at UCI that will process, store or transmit Institutional Information, the application needs to be reviewed by the appropriate parties at UCI, including OIT Security.  Carefully vetting solutions prior to use helps protect the UCI community from risk. This process is required for purchases made at all price points, from UCI Pal cards, through RFPs. A security review is also required for free, pilot and trial SaaS solutions where no purchase is involved.

For details on how to initiate this process for new applications, or at renewal, please reach out to your Unit Procurement Point of contact or visit the UCI Procurement Services website. On this site, you will detailed information about the cloud software procurement process, the required software procurement questionnaire, and more.

If you would like to initiate a security review outside the procurement process, please forward your request to securityreviews@uci.edu

Secure Configuration

Application owners, in cooperation with their Unit Information Security Leads, are accountable for the secure configuration and use of Cloud Solutions, whether managed by OIT or managed by the procuring Unit. Guidelines for secure configuration may be found in the UC Secure Software Configuration Standard.  In addition to secure configuration, it is important to conduct periodic reviews of access to ensure that those who have access to the SaaS application still require such access for their roles.

Secure Information Disposal

When it is determined that a solution is no longer required, Application owners, in cooperation with their Unit Information Security Leads, are accountable for secure information disposal. Guidelines may be found in the UC Institutional Information Disposal Standard.  Note that in some cases, records holds or other conditions might require that Institutional Information be held longer than standard procedure dictates.