The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 50 – Standard for Cloud Services (Matrix)
I. STANDARD STATEMENT
The following tables list the cloud services and the types of data that have been approved for use with each service.
II. RATIONALE
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
III. SCOPE
This standard applies to all UTSA faculty, staff, and students.
IV. CONTACTS
If you have any questions about OIS 50 – Standard for Cloud Services (Matrix), contact the following office:
The Office of Information Security
V. PROCEDURES
The following tables list the cloud services and the types of data that have been approved for use with each service. In some cases, a service may be approved for use only with published (Category III) university data. Additional tables for locally provided services are also furnished.
VI. Cloud Storage Services
Cloud Storage Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
Google Drive for Education | Yes | Yes | Yes | No | CAT III Only | No | No | No | No | No | No |
Microsoft OneDrive for Business | Yes | Yes | Yes | Yes | CAT I, II & III | Yes | Yes | Yes | Yes | No | Yes |
Private Channels in Microsoft Teams | Yes | Yes | Yes | Yes | CAT I, II & III | Yes | Yes | Yes | Yes | No | Yes |
Box 1 (www.box.com) | No | No | Yes | Yes | CAT III Only | No | No | No | No | No | No |
DropBox 1 (www.dropbox.com) | No | No | Yes | Yes | CAT III Only | No | No | No | No | No | No |
Apple iCloud 1 (www.icloud.com) | No | No | Yes | Yes | CAT III Only | No | No | No | No | No | No |
Cloud Email Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
Office 365/OWA | Yes | Yes | No | Yes | CAT I, II & III | No | Yes | Yes | Yes | No | Yes |
G-Suite for Education | Yes | Yes | Yes | No | CAT II & III Only | No | No | No | No | No | No |
Cloud Document Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
Google Docs for Education | Yes | Yes | Yes | No | CAT III Only | No | No | No | No | No | No |
Office Online (O365) | Yes | Yes | Yes | Yes | CAT I, II & III | No | Yes | Yes | Yes | No | Yes |
Apple iCloud 1 (www.icloud.com) | No | No | Yes | Yes | CAT III Only | No | No | No | No | No | No |
Cloud Survey Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
Qualtrics (http://utsa.qualtrics.com) | Yes | Yes | Yes | Yes | CAT I, II & III | No | Yes | Yes | Yes | No | Yes |
Cloud Collaboration Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
SharePoint (https://utsacloud.sharepoint.com) | Yes | Yes | No | Yes | CAT I, II & III | No | Yes | Yes | Yes | No | Yes |
Notes on Cloud Services
1 As there is no university contract in place for Box, DropBox or Apple iCloud, no usage involving confidential or controlled university data is permitted.
VII. Local Storage Services
Local Services
For comparison purposes, select services run by the Office of Information Technology (OIT) and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all OIT offered services.
Central Storage Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
I: Drives (\\utfile\usersx$) | Yes | Yes | No | Yes | CAT I, II & III | No | Yes | Yes | Yes | No 1 | Yes |
S: Drives (\\utfile\groups) | Yes | Yes | No | Yes | CAT I, II & III | No | Yes | Yes | Yes | No 1 | Yes |
File Storage on Request | Yes | Yes | No | Yes | CAT II & III Only | No | No 2 | No 2 | No 2 | No 1 | No 2 |
Central Virtual Machine Hosting Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
VM Hosting on Request | Yes | Yes | No | Yes | CAT II & III Only | No | No 2 | No 2 | No 2 | No 1 | No 2 |
Central Database Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty | Data Category | HIPAA | FERPA | SSNs | PCI | ITAR | IRB |
DB Hosting on Request | Yes | Yes | No | Yes | CAT II & III Only | No | No 2 | No 2 | No | No 1 | No 2 |
Notes on Local Services
1 It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Office of Information Security (OIS) to determine if there are any other issues or concerns.
2 It may be possible to store Category I data within this service if appropriate security is implemented in accordance with OIT and OIS guidance.
Security Review for New Services
Departments evaluating the purchase and/or use of a cloud service not covered on this page with any confidential (Category I) university data should request a security review of the selected service by sending a written description of the proposed implementation to the Office of Information Security. During service selection, departments should inform vendors that security testing (either performed by the Office of Information Security or a qualified third party to the vendor) will be performed.
Non-Compliance and Exceptions
If, for any purpose, a non-approved cloud service is used with any confidential (Category I) university data, an Exception Process must be initiated that includes reporting the non-compliance to the Office of Information Security, along with a plan for risk assessment and management. (See Standard for Policy Exceptions and Risk Assumption.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.
University of Texas at San Antonio employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at San Antonio employees are required to comply with state laws and regulations.
______________________________________________________________________________
Effective Date: 1/22/2018
Last Revised: 5/5/2020
Last Reviewed: 5/5/2020