Technology

08:31:00 Cloud Computing

1. Introduction: Chattanooga State Community College (ChSCC) relies heavily on its electronic data processing systems and the data stored in them to meet its educational, informational and operational needs. Technology Division is responsible for ChSCC’s Cloud Strategy.  Cloud computing differs from other historical IT service models in that it focuses primarily on services, rather than technology. Technology Division ensures that the desired business outcomes for each project are developed with process, technology and application requirements in mind, not just technology components. 
2. Cloud computing offers a number of advantages; however, without adequate controls, it also exposes individuals and organizations to online threats such as data loss or theft, unauthorized access to corporate networks, and so on. This cloud computing policy is to ensure that cloud services are not used without Technology Division’s knowledge and approval. It is imperative that employees not open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without Technology Division’s input. Personal cloud services accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data. Technology Division, in conjunction with the ChSCC Data Governance Committee and Institutional Research will determine what data may or may not be stored in the Cloud, as necessary.
3. Personal cloud services accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data. This is necessary to protect the integrity and confidentiality of ChSCC data and the security of the corporate network.
   1. This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded.
   2. If you are not sure whether a service is cloud-based or not, please contact the Technology Division Service Desk.
4. Technology Division provides central file servers and OneDrive for Business as the preferred location for storing files that are actively being worked upon.  When using one of the approved cloud services for institutional information and related business needs, pay special attention to access levels when sharing files and folders with other collaborators to ensure that data is not inappropriately shared. You should use business appropriate storage to collect, process, or store data covered by laws such as HIPAA, FERPA, FISMA, and others. 
   1. Confidential documents and/or documents that contain PCI or FERPA information should not be stored in OneDrive if the data will be synchronized onto non-College owned devices. 
   2. Data classification and data management is vital when deciding what data can and cannot be store in the cloud environment. For data guidance on determining data confidentially levels and how cloud storage can be used, please review ChSCC Policy 08:16:00 Data Security and Controls and Technology Procedure 013:00 Determining Data Requirements.  

References:

State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:03, 12/28/2018

Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00, 9/26/2014

Tennessee Board of Regents (TBR) Policy G-052 Access Control, 9/26/2014

ChSCC (Technology) Policy 08:16:00 Data Security and Controls, 10/27/2017

Technology Procedure 013:00 Determining Data Requirements

Submitted to Policy Review Committee on 2019.02.18

Submitted to Policy Review Board on 2019.04.08

Approved by Policy Review Board on 2019.04.24