Information Security

Cloud Security

Cloud computing  consists of applications and infrastructure resources that users access via the Internet. Companies such as Apple, Google, Microsoft, and Amazon provide cloud computing services for: communication, collaboration, project management, scheduling, data analysis, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use because they are accessed via a browser and do not require installation or maintenance.

Cloud storage of files can expedite collaboration and sharing of information, however users need to be aware that CSU, Chico explicitly forbids the storage of University Level 1 Protected Information and restricts the storage of Level 2 Private Information (see table 2).

Additional Information

Software as a Service (SaaS): Is the capability to use applications via a thin client interface such as a Web browser (e.g., Web-based email). Consumers no longer need to manage or control the underlying infrastructure.  SaaS providers manage the servers, operating systems, storage, and even individual application functionality.

Listing of common cloud application and storage services. Shows which are approved for University use
Services Approved for University Use
Services Not Approved for University Use
 Google Apps for Education & Google Drive
Dropbox
 Microsoft O365 & OneDrive
iCloud
 Box
Amazon Cloud Drive

Most cloud services, such as Google Docs, make it easy for individuals to sign-up and use their services, often at no monetary cost.  However, CSU, Chico faculty, staff, must be very cautious about self-provisioning a cloud service to process, share, store, or otherwise manage institutional data (as defined by the CSU Data Classification Standard (PDF)). Self-provisioned cloud services may present significant data management risks.  Virtually all cloud services require individual users to accept click-through agreements. These agreements do not allow users to negotiate terms, do not provide the opportunity to clarify terms, often provide vague descriptions of services and safeguards, and can change without notice.

Policy for Use of Cloud Services for Storage, Communication, and Productivity involving University Data (Software as a Service):

  • Use of cloud services for storage, communication and productivity involving University Level 1 data is prohibited (Examples include but are not limited to Dropbox, Google Apps for Education, Office 365).
  • Use of cloud services for storage of University Level 2 data must be limited to services contracted by and supported by the University.  Cloud services which are not supported by and provisioned by the University are prohibited.
  • Uses of cloud service offerings which are not supported, provisioned or contracted by the University for storage, communication, and productivity are not recommended. This applies to any uses of University records including vital records which are classified as public or Level 3 data. University data should be limited to University supported, provisioned and contracted services.
  • The use of public cloud services for academic, non-FERPA data is permitted.
The following table outlines the data classification and proper handling of CSU, Chico data
Data Classification
Level 1
Protected
Level 2
Private Internal
Level 3
Public General
Non-University Data
Local Storage
(on your computer)
Incidental Use Allowed
Incidental Use Allowed
Incidental Use Allowed
Cloud Storage Approved by University
CSU Chico*
Box
Incidental Use Allowed
CSU Chico*
Box Level 1 Folder
Incidental Use Allowed
CSU Chico*
Sharepoint/O365/
OneDrive/Google Apps
Incidental Use Allowed
Incidental Use Allowed
Non-CSU Chico
Google, Box, Dropbox & O365
*Only services contracted by and supported by the University
Allowed   Not Allowed
Level 1 Protected Data - Confidential
(PII) Social Security number and name, driver's license number and name, and credit card numbers
(ePHI) Health Information
 Level 2 Private Data -Internal
Information Must be protected because of ethical or privacy concerns, such as grades, disciplinary actions, or student photos
  • FERPA Information
  • Employee Data
Level 3 Public Data - General
Information such as title, email address, or other directory information that is freely available in the public domain
Non-University Data
Personal files, instructional documents, syllabus