Important information from the university about the Ferguson grand jury announcement. Learn more

About WUSTL

Compliance & Policies

Externally Hosted Computing Services Appropriate Use Guidelines

This overview is intended to provide information for faculty, staff and students about the considerations and limitations for using the externally hosted computing services that have been arranged by university IT organizations. While there are examples of specific use cases and data types referenced in this summary, there may be data and concerns that are not addressed here.

Technology capabilities and data communication needs are constantly evolving. When specific questions about the implications and risks of using an externally hosted service are not answered here, the individual user should consult with the IT organization that supports their area. The IT organizations will be responsible for publishing any specific guidelines for use of the technologies that they support.

The appropriate use of any technology assumes individual compliance with all university policies, legal and regulatory requirements, and funding agency requirements. The university’s Code of Conduct specifies expectations for an employee’s attention to policies and regulatory requirements. Loss or exposure of data that result from the inappropriate use of technology may be considered a violation of the university’s information security or computer use policies, or other compliance requirements.

Background

IT leaders across the university, through the university’s Technology Leadership Council (TLC), evaluate, select and acquire technology tools for use by the university community. Due diligence is performed to verify that tools and services provide appropriate levels of reliability, security, compatibility with our environments and compliance with legal and regulatory requirements. The Office of General Counsel, Resource Management and other organizations are engaged as appropriate to evaluate and negotiate terms and conditions. The Technology Leadership Council coordinates the adoption of technology services across schools to provide the most consistent and seamless services possible.

In general, the technology and services supported by the university’s Information Services & Technology (IS&T) function and the school IT organizations are appropriate for use by faculty, staff and students for the conduct of the university’s mission and administrative activities, with the exception of noted limitations or considerations as published in service descriptions or the appropriate use matrix.

The Appropriate Use Guidelines matrix provides an overview of common data storage and communication services, and considerations for use with different classifications of information. Questions about these services, or any not identified should be directed to your local IT support team. The information summarized in this document and the Appropriate Use Guidelines represents subsets of the types of data that are created, communicated and stored as part of university activities. These summaries are not all inclusive but do capture the most sensitive and regulated types of information. When communicating and storing university information, it is always important to understand the type of information and to make appropriate arrangements to encrypt, use passwords, back-up or otherwise protect the information.

Externally Hosted Services

Several externally hosted or “cloud” technology solutions have been contracted for use by faculty, staff and students. These services have been evaluated and the terms and conditions for use reviewed to determine the capacity, limitations and appropriate uses of the solutions. The terms and conditions are for enterprise use and do offer greater protections than the consumer terms and conditions. The specific solutions that are currently available and a summary of the terms of use and any considerations for use are included in the attached Hosted Service Profiles.

While IS&T and IT leadership within schools are confident that the tools procured and the services arranged meet the university’s standards for reliability, security, compatibility and compliance, all risk of a service failure or data exposure for either internally or externally managed services cannot be eliminated. When used in accordance with security policies, guidelines for handling of sensitive data, and the considerations noted in the Hosted Service Profiles, the IT support commitment and employee risks from use of the external services will be the same as for an internally provided service.

Hosted Service Profile: Office 365

Vendor: Microsoft

Office 365 Email and Calendar are core services within the Microsoft hosted software provided to eligible members of the university community including the CFU, Danforth Campus schools and students. The School of Medicine has not identified Office 365 as appropriate for use and continues to manage an internally hosted email and calendaring service.

Summary of Terms and Conditions

  • Data ownership – The ownership for all email, attachments and documents stored in the Microsoft environment is the same as in an internally hosted environment. WUSTL has the ability to access and retrieve data to support normal business operations, respond to legal requests, and to recover data and services.
  • Data access and use by the vendor – Microsoft may only access WUSTL data stored in their environment for the purpose of maintaining the service, responding to valid legal requests or for resolving security threats. Microsoft will not access WUSTL data for the purpose of marketing, analysis of user behavior or for purposes not related to providing email, file storage and web conferencing services.
  • Data back-up and recovery – Data is retained until deleted by the end user or termination of the service by WUSTL. In the event the service is terminated, WUSTL will work with Microsoft to copy email, calendars and files to a university service or to a replacement third party service.
  • Security – All data associated with these services will be housed in multiple Microsoft owned geographically separated, enterprise-grade data centers within the United States. Microsoft commits to maintaining security in compliance with the ISO/IEC 27000 series of standards. This compliance is audited annually and WUSTL has the right to access the results of the audits.
  • FERPA – Microsoft agrees to comply with FERPA regulations.
  • HIPAA – There is no HIPAA Business Associate Agreement in place between WUSTL and Microsoft. The email service is not appropriate for communication of HIPAA governed data.

Considerations for Use

Office 365 Email and Calendar are covered by the university’s agreements with Microsoft. These services provide secure environments for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data.

WUSTL IT leadership has determined that hosted Microsoft Office 365 is a reliable, secure and credible service. When used in compliance with university policies for information security, computer use and the code of conduct, the hosted services should be considered an extension of internally provided services.

The use of email for communication of any sensitive information is generally discouraged and is sometimes prohibited, whether the email service is supported inside or outside the university. Files with sensitive information that are attached to emails or posted in any shared workspaces should be properly encrypted and/or password protected.

Social Security Numbers or other personal identity information (PII) should only be used where required by law or where it is essential for university business processes. IS&T can help you explore appropriate ways to encrypt, securely transmit or store SSNs and PII when there is a legitimate business reason.

Office 365 Email and Calendar may not be used for:

  • Protected Health Information (regulated by HIPAA) (as of September 2013, a Business Associate Agreement has not been executed with Microsoft)
  • Payment Card Industry (PCI) information
  • Sensitive Identifiable Human Subject Research
  • Export Controlled Research (regulated by ITAR or EAR)

These data restrictions are compliance-based, not security-based. Regulatory requirements mandate that specific sensitive regulated data be restricted from this service. It may not be used for Protected Health Information because Microsoft has not signed the necessary Business Associate Agreement mandated by HIPAA. Office 365 may not be used for Export Controlled Research data because Microsoft cannot ensure that only U.S. persons have access to or maintain its systems.

Appropriate
Not Appropriate
? Appropriate with assistance from IS&T or school IT organization


Appropriate Data Use

✓ Attorney/Client Privileged Information
✓ IT Security Information
✓ Other University Sensitive Data not explicitly addressed elsewhere
✓ Student Education Records—FERPA
✓ Student Loan Application Information—GLBA

? Social Security Numbers
? Personally Identifiable Information (PII)
? Federal Information Security Management Act (FISMA) Data

✗ Credit Card or Payment Card Industry (PCI) Information
✗ Protected Health Information—HIPAA
✗ Sensitive Identifiable Human Subject Research
✗ Export Controlled Research—ITAR or EAR


Hosted Service Profile: Box

Vendor: Box.net, Internet2

Box is a cloud-based storage solution that allows you to share files with people inside and outside of the university. Internet2 and Box.net have partnered to work with representative universities to develop a hosted service that meets common higher education security and regulatory requirements.

Summary of Terms and Conditions

  • Data ownership – The ownership for all documents stored in the Box environment is the same as in an internally hosted environment. WUSTL has the ability to access and retrieve data to support normal business operations, respond to legal requests, and to recover data and services.
  • Data access and use by the vendor – When you upload a file to Box, it is private by default and encrypted when stored. Your files are only accessible to others if you share them or make them public. Box may only access WUSTL data stored in their environment for the purpose of maintaining the service, responding to valid legal requests or for resolving security threats. Box.net will not access WUSTL data for the purpose of marketing, analysis of user behavior or for purposes not related to providing file storage services.
  • Data back-up and recovery – Box stores local snapshots of data and backs up all data daily to a facility in a separate location. Data is retained until deleted by the end user or the agreement with WUSTL is terminated. In the event the agreement with Box is terminated, WUSTL will coordinate transferring data from Box to another service.
  • Security – Box hosts its servers at multiple geographically separated, enterprise-grade data centers in the United States with a 99.9% network uptime guarantee, SSAE 16 Type II security standards, ongoing audits and 24x7x365 monitoring and video surveillance. Data is stored on a secure internal storage cluster behind an enterprise-grade firewall, with redundant connections to multiple Internet backbones.
  • The software passes every request through a carefully audited verification code, which ensures that the user is authorized for the action requested. All user data is stored in encrypted form. Keys are held by Box under strictest security. 256-bit Secured Socket Layer (SSL) encryption is used on the data between the end user and Box.
  • FERPA – Box agrees to comply with FERPA regulations.
  • HIPAA – There is no HIPAA Business Associate Agreement in place between WUSTL and Box. Use of Box is not appropriate for data regulated by HIPAA.

Considerations for Use

Box is a contracted-for service obtained through a partnership with a consortium of higher education institutions. The agreement includes confidentiality and data security provisions. Box provides a secure environment in which to maintain or share the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. WUSTL IT leadership has determined that hosted Box is a reliable, secure and credible service. When used in compliance with university policies for information security, computer use and the code of conduct, and subject to the considerations in this document, the hosted services should be considered an extension of internally provided services.

Social Security Numbers and other personal identify information should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data. IS&T can help you explore appropriate for you.

These Box.net applications may not be used for Protected Health Information because Box has not signed the necessary Business Associate Agreement mandated by HIPAA. They may not be used for Export Controlled Research because Box cannot ensure that only U.S. persons have access to or maintain their systems. Data will be stored in U.S. based data centers only and all data is stored in an encrypted form.

We believe that Box is compliant with most grants, although specific grant rules for data management should be checked prior to use for research data.

A detailed description of the Box service features can be found here

Appropriate
Not Appropriate
? Appropriate with assistance from IS&T or school IT organization


Appropriate Data Use

✓ Attorney/Client Privileged Information
✓ IT Security Information
✓ Other University Sensitive Data not explicitly addressed elsewhere
✓ Sensitive Identifiable Human Subject Research
✓ Student Education Records—FERPA
✓ Student Loan Application Information—GLBA

? Social Security Numbers
? Personally Identifiable Information (PII)
? Federal Information Security Management Act (FISMA) Data

✗ Credit Card or Payment Card Industry (PCI) Information
✗ Export Controlled Research—ITAR or EAR
✗ Protected Health Information—HIPAA

Updated April 1, 2013.