Origin of Policies
Many of the policies governing the use and handling of sensitive and confidential data originate from TAC 202, a general set of Information Security rules which all state agencies must adhere to. Both because it is a requirement of TAC 202 and because TAC 202 is intentionally very high-level, UT System created UTS-165, which covers the requirements of TAC 202 while providing more stringent and specific guidance to UT System components. The IRUSP is the application of UTS-165 to The University of Texas' specific environment. The other three standards and guides listed provide specific, focused information for complying with the corresponding sections of the IRUSP. These all inform the list of approved cloud services.
The Information Resources Use and Security Policy (IRUSP)
The IRUSP and its related documents work together to implement the requirements of various state and federal laws, industry regulations, and UT System rules and policies. Examples of such that apply to the university are:
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley
- International Traffic in Arms Regulations (ITAR)
- Texas Identity Theft Enforcement and Protection Act
- PCI Security Standards
As a result, all student data, most research data, and many other types of data will be considered Category I under policy (view the Data Classification Standard). Section 5.11 of the IRUSP deals with the handling of sensitive data, and section 5.11.2.4 specifically states that:
If the university intends to provide Category I Digital Data to a third party acting as an agent of or otherwise on its behalf (such as an application service provider) and if it determines that its provision of Category I Digital Data to a third party will result in a significant risk to the confidentiality and/or integrity of such Data, a written agreement with the third party is required. The agreement must specify terms and conditions that protect the confidentiality and/or integrity of the Category I Digital Data as required by this Policy. The written agreement must require the third party to use appropriate administrative, physical, and technical safeguards to protect the confidentiality and/or integrity of all Category I Digital Data obtained and that the university, as applicable, shall monitor compliance with the provisions of the written agreement.
This section, therefore, prohibits the casual outsourcing of storage and thus the use of all cloud storage services with any Category I data where there is not a contract in place protecting the university's interests. It is important to note that while all examples thus far have dealt with data that is Category I due to confidentiality needs, as that is by far the most common type of Category I data, data may also be classified as Category I based upon the need for availability (i.e. it is critical for the data to be available at all times) and integrity (i.e. it is critical that the data is not modified or altered by unauthorized parties). Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, and other contractual agreements may also result in data being considered Category I in nature.