Cloud Privacy & Data Loss Prevention
Purpose
This document outlines the privacy policy for Â鶹´«Ã½ Fox University cloud file storage systems.
Scope
This applies to all files stored on all cloud storage systems centrally managed by Â鶹´«Ã½ Fox University.
Policy
- Expectation of Privacy:
- End users can and should expect that all files stored on university file systems are private to the individual file owner and any others who have functional access to the location the file is stored.
- Administrative access to files:
- Personnel providing technical support of university file systems may access files only with prior authorization and only for the purpose of assisting a user in the resolving technical issues pertaining to a given file or folder containing files.
- Personnel providing technical support of university file systems may need to move or copy files to or from a different location in order to service a file. In these instances, employees will not access the file beyond what is necessary to change the location of the file.
- If an employee has been terminated files in the cloud storage system may be reviewed by an administrator and access may be granted to the terminated employee's supervisor.
- Storage of sensitive data
- Storage of sensitive data within cloud storage systems presents risks that extend beyond those of on-premise storage systems.
- Payment Card Information:
- Payment card information is a special class of protected data governed by Payment Card Industry (PCI) standards.
- Payment card information is not permitted to be stored on any university system.
- Personal Health Information (PHI)
- PHI is a special class of data of protected data governed by the Health Insurance Portability and Accountability Act (HIPAA).
- Personal health information may only be stored on systems designated and authorized by Institutional Technology and the department producing the data to be stored.
- Personal health information may not be stored on general university systems.
- Other sensitive data may be stored on university systems on a case by case basis with prior approval by Institutional Technology.
- Payment Card Information:
- Storage of sensitive data within cloud storage systems presents risks that extend beyond those of on-premise storage systems.
- Cloud storage data loss prevention:
- As a means of preventing unauthorized or unintentional dissemination of sensitive data, Â鶹´«Ã½ Fox University deploys third party software that can monitor university managed cloud storage systems for inappropriately shared protected information. This monitoring is governed by the following:
- The software matches specific patterns of characters in order to identify:
- Social Security Numbers
- Credit card or other payment card information
- Personal health information
- Monitoring for these patterns happens for files that are shared publicly, with the entire Â鶹´«Ã½ Fox domain or with users external to the Â鶹´«Ã½ Fox domain.
- Where documents containing the above mentioned sensitive data are shared publicly or across the Â鶹´«Ã½ Fox domain, the software may revoke public or domain wide sharing.
- In such a case the end user will be notified of the specific changes made to file permissions.
- Where documents containing the above mentioned sensitive data are shared with users external to the Â鶹´«Ã½ Fox domain or where a high number of incidents of sensitive data are found, the software will notify the owner of the document. The owner of the document will be responsible to assess the permissions of the document and remediate any inappropriate levels of sharing.
- All of the above processes are automated and do not require Institutional Technology access to files or documents by application administrators.
- All scanning and activity by software is logged for auditing purposes.
- The software matches specific patterns of characters in order to identify:
- Â鶹´«Ã½ Fox does not back up files that are stored in off-premise cloud systems beyond the backup and redundancy offered by the service provider.
- As a means of preventing unauthorized or unintentional dissemination of sensitive data, Â鶹´«Ã½ Fox University deploys third party software that can monitor university managed cloud storage systems for inappropriately shared protected information. This monitoring is governed by the following: