Cloud Privacy and Data Loss Prevention

Purpose:

This document outlines the privacy policy for George Fox University cloud file storage systems.

Scope:

This applies to all files stored on all cloud storage systems centrally managed by George Fox University.

Policy:

  1. Expectation of Privacy:
    1. End users can and should expect that all files stored on university file systems are private to the individual file owner and any others who have functional access to the location the file is stored.
  2. Administrative access to files:
    1. Personnel providing technical support of university file systems may access files only with prior authorization and only for the purpose of assisting a user in the resolving technical issues pertaining to a given file or folder containing files.
    2. Personnel providing technical support of university file systems may need to move or copy files to or from a different location in order to service a file. In these instances, employees will not access the file beyond what is necessary to change the location of the file.
    3. If an employee has been terminated files in the cloud storage system may be reviewed by an administrator and access may be granted to the terminated employee's supervisor.
  3. Storage of sensitive data
    1. Storage of sensitive data within cloud storage systems presents risks that extend beyond those of on-premise storage systems.
      1. Payment Card Information:
        1. Payment card information is a special class of protected data governed by Payment Card Industry (PCI) standards.
        2. Payment card information is not permitted to be stored on any university system.
      2. Personal Health Information (PHI)
        1. PHI is a special class of data of protected data governed by the Health Insurance Portability and Accountability Act (HIPAA).
        2. Personal health information may only be stored on systems designated and authorized by Institutional Technology and the department producing the data to be stored.
        3. Personal health information may not be stored on general university systems.
      3. Other sensitive data may be stored on university systems on a case by case basis with prior approval by Institutional Technology.
  4. Cloud storage data loss prevention:
    1. As a means of preventing unauthorized or unintentional dissemination of sensitive data, George Fox University deploys third party software that can monitor university managed cloud storage systems for inappropriately shared protected information. This monitoring is governed by the following:
      1. The software matches specific patterns of characters in order to identify:
        1. Social Security Numbers
        2. Credit card or other payment card information
        3. Personal health information
      2. Monitoring for these patterns happens for files that are shared publicly, with the entire George Fox domain or with users external to the George Fox domain.
      3. Where documents containing the above mentioned sensitive data are shared publicly or across the George Fox domain, the software may revoke public or domain wide sharing.
        1. In such a case the end user will be notified of the specific changes made to file permissions.
      4. Where documents containing the above mentioned sensitive data are shared with users external to the George Fox domain or where a high number of incidents of sensitive data are found, the software will notify the owner of the document. The owner of the document will be responsible to assess the permissions of the document and remediate any inappropriate levels of sharing.
      5. All of the above processes are automated and do not require Institutional Technology access to files or documents by application administrators.
      6. All scanning and activity by software is logged for auditing purposes.
    2. George Fox does not back up files that are stored in off-premise cloud systems beyond the backup and redundancy offered by the service provider.