Rutgers University enters into contracted third-party arrangements under which university data are collected, transmitted, or processed. In many of these arrangements, a vendor develops a service to collect, transmit, or process data on behalf of a Rutgers department. Cloud computing presents formidable security challenges, particularly in public clouds, where the infrastructure and computational resources are owned and operated by an outside party that delivers services to the general public on a multi-tenant platform.
To help mitigate the risks of cloud computing, the following steps are recommended:
Determine whether or not an internal service exists to serve the business requirement and whether there are any interface requirements with other Rutgers applications.
Classify the information according to its confidentiality, integrity, and availability requirements per the university's data-classification policy. Determine the data types (NPPI, PHI, etc.), the regulations governing each data type, and the impact of a data breach.
Have the provider complete the third-party risk assessment to help measure the information assurance risk associated with the provider. Consult Information Protection and Security (IPS) with any issues or concerns about the responses.
Privacy and security safeguard requirements should be included in the contract with providers. The "Rutgers Contract Addendum concerning personal information" provides contract terms and conditions and contains the appropriate language requirements. The contract should be reviewed by the department, Rutgers General Counsel, IPS, and Procurement before it is signed.
Risks that should be addressed