When evaluating, purchasing, and implementing cloud solutions, departments have the responsibility of protecting sensitive DePaul data. Please review this information carefully before working with any third-party vendor. Any use of non-public DePaul information is governed by the Responsible Use of Data policy, and the sensitivity of that data is classified under the Data Security Classifications and Controls Standard.
Responsibilities
Requestors must understand the shared responsibility model for maintaining cloud solutions and ensure that appropriate measures are taken to strengthen protections for the data they use. Examples of these efforts:
- Requestors must work with OGC to incorporate cybersecurity legal language into contracts.
- Requestors must work with Data Owners and IS Information Security teams to ensure the proper handling of data.
- Data owners, OGC and Procurement should ensure that requestors work with IS Information Security teams for any cloud services involving non-public data and PII.
- Business users with administrative rights to cloud applications must work with IS to secure this administrative access with BlueKey single sign-on and Microsoft multi-factor authentication (MFA).
- If the vendor cannot support single sign-on or requires user accounts local to the solution, MFA must be used to secure these accounts. If MFA is not available either, requestors must work with IS to assess viable alternatives or pursue risk acceptance.
- Data provided to vendors must be kept to the minimum needed, used only for the initial intended purpose, and eliminated when no longer required; users must be informed of how their data is being used and of their rights to reduce or eliminate its use.
Requirements
- Any non-public data being provided to a vendor must be encrypted in transit and at rest including backups, removable media, and email.
- Email should not be used to provide data to vendors unless the file itself is encrypted, or the individual files are placed in an encrypted zip file. The encryption password should be shared with the vendor separately from the associated encrypted data (for example by phone, not in the same email).
- MFA is required for administrative users, and for non-administrative users when they have access to a significant amount of sensitive data and PII.
- Data must not be exported without the consent of data owners and must never reside on non-DePaul computers.
- Data must not be stored unencrypted on W: or U: drives, removable media, or email.
- Areas working with large amounts of non-public data must go through regular training on the proper handling of sensitive data.
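The email requirement above (file-level encryption, with the password delivered on a separate channel) is the one step a requestor is most likely to carry out by hand. The following script is an added example, not DePaul's own tooling or part of this policy. It assumes the openssl command-line tool is installed and uses passphrase-based AES-256-CBC with PBKDF2 key stretching; the passphrase is read from the VENDOR_PASS environment variable so it never appears in the encrypted file, the email, or the command history. The CSV content is a constructed sample.

```shell
#!/bin/sh
# Added example (not DePaul's own tooling). Assumes the openssl CLI exists.
set -eu

# Encrypt a single file for delivery by email. The passphrase comes from the
# VENDOR_PASS environment variable and is shared with the vendor out of band.
# 600,000 PBKDF2 iterations is an assumed (OWASP-style) choice, not a policy value.
encrypt_for_vendor() {
    # $1 = plaintext path, $2 = ciphertext path
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$1" -out "$2" -pass env:VENDOR_PASS
}

# Reverse operation, as the vendor would run it after receiving the passphrase.
decrypt_from_vendor() {
    # $1 = ciphertext path, $2 = recovered plaintext path
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:VENDOR_PASS
}

# Self-check: returns 0 only if the ciphertext no longer exposes the
# constructed plaintext marker and the round trip reproduces the file exactly.
roundtrip_check() {
    workdir=$(mktemp -d)
    # Constructed sample export; not real student data.
    printf 'student_id,name\n000000,Constructed Example\n' > "$workdir/export.csv"

    # A fresh random passphrase per delivery; deliver it by phone, not by email.
    VENDOR_PASS=$(openssl rand -base64 24)
    export VENDOR_PASS

    encrypt_for_vendor "$workdir/export.csv" "$workdir/export.csv.enc"
    decrypt_from_vendor "$workdir/export.csv.enc" "$workdir/roundtrip.csv"

    status=0
    # The plaintext marker must not be readable in the file that travels by email.
    if grep -q 'Constructed Example' "$workdir/export.csv.enc"; then
        status=1
    fi
    # The vendor must get back byte-for-byte what was sent.
    if ! cmp -s "$workdir/export.csv" "$workdir/roundtrip.csv"; then
        status=1
    fi
    rm -rf "$workdir"
    return $status
}
```

In practice the requestor runs encrypt_for_vendor on the export, attaches only the .enc file to the email, and reads VENDOR_PASS to the vendor contact over the phone or another channel that is separate from the message carrying the data; the vendor then runs decrypt_from_vendor with the same passphrase in their environment.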
Procedures
- As early in the evaluation as possible, submit an IS Technology Request. This will help ensure awareness as well as facilitate timely review and implementation resource availability.
- Partner with IS security staff to complete our required review forms and request resources from the vendor if available, including their SOC 2 report and HECVAT (Higher Education Community Vendor Assessment Toolkit) questionnaire.
- IS will use the responses from our forms and the provided vendor documentation to determine whether additional due diligence to assess risk is required.
- IS will make risk recommendations to the requestor and business based on all information gathered and document any high risks accepted by the business and when they may be addressed.
- High-risk vendors, or vendors handling high-risk data, should be reassessed by IS Information Security annually to capture any changes to the assessed risk.
- Risk acceptance must also be reviewed annually by Risk Management for continued appropriateness.
Additional Resources
For details on other elements of a new solution within the requestor's scope of responsibility, please review the Third-Party Risk Management Policy.