Cloud Storage Guidance (e.g., OneDrive, Dropbox, iCloud, etc.)
Cloud storage software provides Web access to your online file storage, file sharing, and file synchronization. For purposes of this guidance, we will refer to all of these services as 'cloud storage' services. Below is guidance about using cloud storage services.
The responsibility for storing Cal Poly documents and files resides with the person who stores the data. Judgment is required about how and where Cal Poly data will be stored.
Refer to the Cal Poly Information Classification and Handling Standard for specific information about how to handle specific types of documents.
The risks to Cal Poly are identified in the Cal Poly Information Classification and Handling Standard, and are specified for each type or classification of data. Different data has different regulations, laws, agreements and rules, requiring protection of that data and reporting when that data is released to unauthorized individuals.
Some examples: If you're working with grades and student's academic records, there are federal laws (FERPA). If you're working with SSN, there are federal and state laws. If you're working with driver’s license information there are CA laws. If you're working with credit card information there are credit card regulations (PCI). If you're working on grant sponsored research, that grant has specific rules. If you're collecting data for a book or creating intellectual property, this data may be solely yours.
Some questions to ask yourself as the person who wants to make a copy of or store Cal Poly data or information in a location which is additional to its source location follow.
- If the data is released to the public what is the risk to Cal Poly?
- If the data is unavailable to you when you need it, how bad would that be?
- Does the cloud storage service agree to protect the confidentiality of the data? (You can read the license agreement on their Website before and after you get your account.)
- Does the cloud storage service use encryption?
- Do people depend on this data to do their job?
- Does the cloud storage service indicate how available the data will be?
- Does using these services follow the above Cal Poly Information Handling Standard? Does it go against any of the standards?
FAQ: Is it OK to store Level 1 data on cloud storage servers?
Response: Level 1 data may not be stored in cloud storage services. Cloud storage services generally do not agree to protect the confidentiality of the data.
FAQ: Is it OK to store Level 2 data on cloud storage services?
Response: Level 2 data is everything between level 1 and public. The people who want to store data using cloud storage services need to review the Cal Poly Information Classification and Handling Standard and use their judgment regarding the specific level 2 data they want to store. Please contact the Office of Information Security if you need help to interpret specific license agreements.
FAQ: Outside of the above guidance, is there any language specifically prohibiting the use of cloud storage services for off-campus storage of Cal Poly level 2 or level 3/public data?
Response: Refer to the Cal Poly Information Classification and Handling Standard for specific information about how to handle specific types of documents.