Re: Cloud Security Policy

[Shaun Gray <SGray () MEDFORD K12 NJ US>]

Thanks for the response Jim. We have evaluated the hosting services and determined that from a security standpoint they 
pass the test. We don't have a clearly defined policy for sharing information with other organizations outside of the 
regulatory policies that apply to all institutions. I certainly don't want to take the same approach we use for local 
storage policies and apply that to publicly accessible locations such as Google Drive. Right now any and everything is 
allowed to be stored on Google Drive and we are looking to address storing sensitive information there.


Dr. Shaun G.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim 
Cheetham
Sent: Tuesday, March 07, 2017 4:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cloud Security Policy

Quoting Shaun Gray (2017-03-08 10:03:56)
> We are developing a policy for the storage of data on the cloud. Does anyone have a policy or advice they would care 
> to share to help us with this process?

Surely this would be the same policy as the one that already governs you sharing information with existing third-party 
organisations that don't use the word "cloud"?

i.e. I can't place sensitive data on AWS until I've evaluated the protections that AWS offer me; exactly the same as 
the way I can't share sensitive information with an external partner until I've evaluated the protections that they 
offer me ...

Treating "cloud" as anything that's different from "someone else's computers", especially from a policy perspective, is 
missing the point.

--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz    ☏ +64 3 470 4670    ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605

Medford Township Public School District email is provided to staff for the purpose of professional communication.  
Please be aware that messages sent via email may not be secure and that network administrators may have to review 
communications to maintain network integrity and ensure the responsible use of the system.  This electronic 
transmission and documents transmitted as attachments contain information from the Medford Township Public School 
District that may be proprietary, confidential and/or privileged under state or federal law.  The information is 
intended for the sole use of the individual(s) or entity named above.  The individual(s) or entity named above as the 
receipt of this information is expressly prohibited from disclosing this information to any other party unless required 
to do so by state or federal law or regulation.  If you are not the intended recipient, be aware that any disclosure, 
copying or distribution or use of the contents of this electronic transmission and any document attachments is 
expressly prohibited.  If you have received this electronic transmission in error, please notify the sender immediately 
by replying to the address listed above and delete or destroy all copies of the original electronic transmission.