Skip to content Skip to site navigation Skip to service navigation

Security When Using a Cloud Product

When University data is processed or stored in Cloud products it is always subject to University security policies. User access also must be controlled in keeping with identity and access management policies. These tables list the relevant security guidelines and policies that must be complied with when using a SaaS or cloud computing product.

Data Risk Assessment (DRA) A DRA provided by the Information Security Office (ISO) will specify exactly what is required in order to store and manage your data in compliance with University policies. 

General Security Considerations

Considerations Questions to ask Reference
Cloud vendor's support of security standards Is the potential Cloud vendor compliant with relevant security standards? Admin Guide: Reference: 6.3.1. Information Security
Notification of breaches What is the Cloud vendor's policy regarding notifying customers of security breaches?  Will you get adequate notification from the vendor to fulfill University obligations as described in the Admin Guide? Admin Guide:  Reference: 6.6.1 Information Security
Identity and access management Does the solution provide support for the University’s identity and access management (IAM) requirements?  Objective is for Stanford users to use their SSO credentials to securely access the vendor's application or resource.  What types/levels of user security, authentication and authorization options are available? Admin Guide: Reference: 6.4.1 Identification and Authentication Systems

Data Security Considerations

Considerations Questions to ask Reference
Data Ownership Confirm that the University owns its data under all circumstances, including the raw data supplied by the University and the results of processing on the provider's cloud platform or application.  Ensure that the vendor is obligated to return all data under any possible termination scenario. Stanford University Minimum Security Guidelines
Location of data Where will the data physically reside?  Who is the hosting provider and where is the data located?  What type of infrastructure is the data is stored on?  Does the data cross International borders? Admin Guide: Reference: 6.3.1. Information Security
Protection of Data Is the data being processed or held high, medium, or low risk data?  Will HIPAA, PHI, FERPA, or other protected data ever be in the system?  Does the solution comply with PCI-DSS if processing credit card data?  Has the vendor signed a Business Associate Agreement (BAA) with the University? Stanford University Risk Classification Guidelines
Deletion of Data Confirm that the University maintains the right to sanitize (destroy) its data at any time and under any business or technical circumstance. Stanford University Data Sanitization Policy
Last modified November 30, 2017