I. STANDARD STATEMENT
The following tables list the cloud services and the types of data that have been approved for use
with each service at the University of Texas at San Antonio (UTSA).
II. RATIONALE
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
III. SCOPE
This standard applies to all UTSA faculty, staff, and students.
IV. CONTACTS
The Office of Information Security at informationsecurity@utsa.edu
V. PROCEDURES
The following tables list the cloud services and the types of data that have been approved for use
with each service. In some cases, a service may be approved for use only with published (Category
III) university data. Additional tables for locally provided services are also furnished.
VI. Definitions
- UT Contract: There exists an active contract with the provider either with UT System or UTSA.
- Centrally Supported: University Technology Solutions (UTS) provides customer services for use; tracks and implements changes; provides integration services and coordinates maintenance.
- For Students: The service is provided to UTSA students.
- Data Category: The category of data intended to be stored, transmitted and/or processed on the service.
- HIPAA: Health Information Portability and Accountability Act. Protected Health Information (PHI) can be transmitted, stored and/or processed on the service.
- FERPA: Family Educational Rights and Privacy Act.
- SSN's: Social Security Numbers.
- PCI: Payment Card Industry.
- ITAR: International Traffic in Arms Regulations.
- IRB: Institutional Review Board.
- Local Services: Select services run by University Technology Solutions (UTS) and offered to campus, listed for comparison purposes. Their use is encouraged over cloud services when possible.
VII. Supported Services
Table of UTSA cloud Services
Service Name | UT Contract | Centrally Supported | For Students | For Staff/Faculty |
---|---|---|---|---|
Google Drive for Education | Yes | Yes | Yes | No |
Microsoft OneDrive for Business | Yes | Yes | Yes | Yes |
Box (www.box.com) | No | No | Yes | Yes |
DropBox (www.dropbox.com) | No | No | Yes | Yes |
Apple iCloud (www.icloud.com) | No | No | Yes | Yes |
Qualtrics (http://utsa.qualtrics.com) | Yes | Yes | Yes | Yes |
SharePoint (https://utsacloud.sharepoint.com) | Yes | Yes | No | Yes |
I: Drives | Yes | Yes | No | Yes |
S: Drives | Yes | Yes | No | Yes |
File Storage on Request | Yes | Yes | No | Yes |
VM Hosting on Request | Yes | Yes | No | Yes |
DB Hosting on Request | Yes | Yes | No | Yes |
VIII. Data Sensitivity
Service Name | Data Category | HIPAA | FERPA | SSN's | PCI | ITAR | IRB |
---|---|---|---|---|---|---|---|
Google Suite for Education | CAT III | No | Yes | No | No | No | No |
Microsoft OneDrive for Business | Cat I, II, III | Yes | Yes | Yes | Yes | No | Yes |
Box (www.box.com) | CAT III | No | No | No | No | No | No |
DropBox (www.dropbox.com) | CAT III | No | No | No | No | No | No |
Apple iCloud (www.icloud.com) | CAT III | No | No | No | No | No | No |
Qualtrics (http://utsa.qualtrics.com) | Cat II and III only | No | No | No | No | No | No |
SharePoint (https://utsacloud.sharepoint.com) | Cat I, II, III | No | No | No | No | No | No |
I: Drives | Cat I, II, III | No | Yes | Yes | Yes | No | Yes |
S: Drives | Cat I, II, III | No | Yes | Yes | Yes | No | Yes |
File Storage on Request | Cat II and III only | No | No | No | No | No | No |
VM Hosting on Request | Cat II and III only | No | No | No | No | No | No |
DB Hosting on Request | Cat II and III only | No | No | No | No | No | No |
There is no university contract in place for Box, DropBox or Apple iCloud. UTSA employees are not allowed to store or process Category I or II data on those services. It may be possible to store ITAR-protected data if properly encrypted prior to being uploaded, but faculty should consult with the Office of Information Security (OIS) to determine if there are any other issues or concerns. It may be possible to store Category I data on Local DB hosting if appropriate security is implemented in accordance with UTS and OIS guidance.
IX. Security Review for New Services
Departments evaluating the purchase and/or use of a cloud service not covered on this page with any confidential (Category I) university data should request a security review of the selected service by sending a written description of the proposed implementation to the Office of Information Security. During service selection, departments should inform vendors that security testing (either performed by the Office of Information Security or a qualified third party to the vendor) will be performed.
X. Non-Compliance and Exceptions
If, for any purpose, a non-approved cloud service is used with any confidential (Category I) university data, an Exception Process must be initiated that includes reporting the non-compliance to OIS, along with a plan for risk assessment and management. (See Standard for Policy Exceptions and Risk Assumption.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit. UTSA employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and UT System rules and regulations, UTSA employees are required to comply with state laws and regulations.
Title: OIS 50- Standard for Cloud Services (Matrix)
Effective Date: 1/22/2018
Last Reviewed: 1/22/2018