Security: Cloud Services Responsibilities, Requirements, and Procedures

When purchasing and implementing cloud solutions, departments have the responsibility of protecting sensitive DePaul data. Please review this information carefully before working with any third-party vendor. Any use of non-public DePaul information is governed by the Responsible Use of Data policy along with classification of sensitivity of data via the Security and Classification Control Matrix.


Requestors must be aware of the shared responsibility model used to maintain cloud solution and that minimally there is a requirement for the requestor to maintain identity services providing access to a cloud solution and protection of data imported into or exported out of a cloud solution including things like:

  1. Requestor needs to work with OGC to incorporate cybersecurity legal language into contracts.
  2. Requestor needs to work with Data Owners and IS Information Security to ensure for the proper handling of data.
  3. Data owners, OGC and Procurement should request that business areas work with IS Information Security for any cloud services involving non-public data and PII.
  4. Business users with administrative rights to cloud applications should work with IS to incorporate administrative access with DPU Azure multi-factor authentication. If using Azure MFA is not an option, business should work with IS information Security to see if using built in accounts with application specific MFA may be a viable alternative.
  5. Data provided to vendors must be kept to the minimum needed, must be only used for the initial intended purpose, must be eliminated when no longer required and users must be informed of how their data is being used and their rights to reduce or eliminate its use.


  1. Any non-public data being provided to a vendor must be encrypted in transit and at rest including backups, removable media, and email.
  2. Email should not be used to provide vendors data unless its file level encrypted, or individual files are incorporated into an encrypted zip file. Encryption password should be shared with the vendor separate from the associated encrypted data.
  3. MFA is required for administrative users and for non-administrative users when users have access to significant amount of sensitive data and PII.
  4. Data must not be exported without the consent of data owners and must never reside on non-DePaul computers or must not be stored unencrypted on W: or U: drives, removable media, or email.
  5. Areas working with large amounts of non-public data must go through regular training on the proper handling of sensitive data.


Complete our short questionnaire and request SOC II from the vendor if available. Using the short questionnaire responses and SOC II if provided determine if long questionnaire will also be needed. Using information provided determine if risk can be adequately assessed and documented or if a follow up meeting with the vendor will be required. Make risk recommendation to the business based on all information gathered and document any high risks accepted by the business and when they may be addressed. High risk vendors or vendors using high risk data should be reassessed by IS Information Security annually to capture any changes to assessed risk. Risk acceptance must also be rereviewed annually by Risk Management for continued appropriateness.