Cloud Computing Overview

Rutgers University engages in business arrangements in which university data are collected, transmitted, or processed by contracted third parties. In many of these situations a vendor develops a service to collect, transmit, or process data on behalf of a Rutgers department. Cloud computing presents formidable security challenges, particularly with public clouds, whose infrastructure and computational resources are owned and operated by an outside party that delivers services to the general public over a multi-tenant platform.

To help mitigate the risks of cloud computing, the following steps are recommended:

  1. Determine whether an existing internal service can meet the business requirement, and identify any interface requirements with other Rutgers applications.

  2. Classify the information according to its confidentiality, integrity and availability requirements per the university's data-classification policy. Determine the data types involved (NPPI, PHI, etc.), the regulations governing each data type, and the impact of a breach of that data.

  3. Have the provider complete the third-party risk assessment to help measure the information assurance risk associated with the provider. Consult Information Protection and Security (IPS) about any issues or concerns with the responses.

  4. Include privacy and security safeguard requirements in the contract with the provider. The "Rutgers Contract Addendum concerning personal information" provides the appropriate contract terms, conditions and language. The department, Rutgers General Counsel, IPS and Procurement should review the contract before it is signed.

Risks that should be addressed

  • Exposure or sharing of covered data
  • Release of data to comply with a legal request without notifying the university
  • Failure to maintain industry best practices
  • Storage of data outside the United States (the location of stored data should be confined to the US)
  • Ability to have data returned at termination of the contract
  • Ability to have data returned if the provider ceases business
  • Ability to have data returned if the provider is merged with or acquired by another company
  • Positive proof of secure deletion of data upon termination of the contract

Administrative memo relative to the protection of personal information

Third Party Vendor Agreement