Responsible administrators are required to ensure that cloud applications which store university data or provide accounts or information for campus student employees must comply with campus and CSU security policies and standards including:
All cloud based applications and services must be reviewed and approved through the ITPR process
Responsible administrators must:
- Document the security posture and perform reviews at least annually for accounts with privileged access.
- Review and verify contract stipulations and requirements
Ensure SLA terms are met and are documented
The campus director of procurement is the sole authorized agent authorized to sign contracts, agreements, or accept the terms of User Licensing Agreements (ULA).
Responsible administrators must ensure that the security posture of the cloud application meets CSU and campus information security policies and standards as appropriate based on the classification of the data stored within the system.
- University data elements stored in or accessed by cloud applications must be documented based on campus data classification standards.
- Data owners must approve the storage of University data in cloud applications based on campus data classification standards.
- Review of privileged access and accounts must occur and be documented at least annually.
- For applications with Level 1 data, risk assessments must be documented prior to implementation and periodically following implementation.
- Authentication mechanism using campus single sign on must be prioritized.
- Authorization mechanisms must be implemented to control access to cloud resources as appropriate.
- Compliance with CSU and campus records retention requirements must be implemented.
- Privileged access to cloud based applications and services must be authorized via documented procedures and managed securely.
- All cloud applications must be registered in the campus server and application registry “Omni”.