This overview is intended to provide information for faculty, staff and students about the considerations and limitations for using the externally hosted computing services that have been arranged by university IT organizations. While there are examples of specific use cases and data types referenced in this summary, there may be data and concerns that are not addressed here.
Technology capabilities and data communication needs are constantly evolving. When specific questions about the implications and risks of using an externally hosted service are not answered here, the individual user should consult with the IT organization that supports their area. The IT organizations will be responsible for publishing any specific guidelines for use of the technologies that they support.
The appropriate use of any technology assumes individual compliance with all university policies, legal and regulatory requirements, and funding agency requirements. The university’s Code of Conduct specifies expectations for an employee’s attention to policies and regulatory requirements. Loss or exposure of data that results from the inappropriate use of technology may be considered a violation of the university’s information security or computer use policies, or of other compliance requirements.
IT leaders across the university, through the university’s Technology Leadership Council (TLC), evaluate, select and acquire technology tools for use by the university community. Due diligence is performed to verify that tools and services provide appropriate levels of reliability, security, compatibility with our environments and compliance with legal and regulatory requirements. The Office of General Counsel, Resource Management and other organizations are engaged as appropriate to evaluate and negotiate terms and conditions. The Technology Leadership Council coordinates the adoption of technology services across schools to provide the most consistent and seamless services possible.
In general, the technology and services supported by the university’s Information Services & Technology (IS&T) function and the school IT organizations are appropriate for use by faculty, staff and students for the conduct of the university’s mission and administrative activities, with the exception of noted limitations or considerations as published in service descriptions or the appropriate use matrix.
The Appropriate Use Guidelines matrix provides an overview of common data storage and communication services, and considerations for their use with different classifications of information. Questions about these services, or about any service not identified there, should be directed to your local IT support team. The information summarized in this document and in the Appropriate Use Guidelines represents a subset of the types of data that are created, communicated and stored as part of university activities. These summaries are not all-inclusive, but they do capture the most sensitive and regulated types of information. When communicating and storing university information, it is always important to understand the type of information involved and to make appropriate arrangements to encrypt, password-protect, back up or otherwise protect it.
While IS&T and IT leadership within schools are confident that the tools procured and the services arranged meet the university’s standards for reliability, security, compatibility and compliance, not all risk of a service failure or data exposure can be eliminated, whether a service is managed internally or externally. When used in accordance with security policies, guidelines for handling sensitive data, and the considerations noted in the Hosted Service Profiles, the IT support commitment and the risks to employees from use of the external services will be the same as for an internally provided service.
Office 365 Email and Calendar are core services within the Microsoft hosted software provided to eligible members of the university community including the CFU, Danforth Campus schools and students. The School of Medicine has not identified Office 365 as appropriate for use and continues to manage an internally hosted email and calendaring service.
Office 365 Email and Calendar are covered by the university’s agreements with Microsoft. These services provide a secure environment for maintaining or sharing the university’s sensitive unregulated data, as well as some kinds of sensitive regulated data.
WUSTL IT leadership has determined that hosted Microsoft Office 365 is a reliable, secure and credible service. When used in compliance with university policies for information security, computer use and the code of conduct, the hosted services should be considered an extension of internally provided services.
The use of email for communication of any sensitive information is generally discouraged and is sometimes prohibited, whether the email service is supported inside or outside the university. Files with sensitive information that are attached to emails or posted in any shared workspaces should be properly encrypted and/or password protected.
Social Security Numbers or other personal identity information (PII) should only be used where required by law or where it is essential for university business processes. IS&T can help you explore appropriate ways to encrypt, securely transmit or store SSNs and PII when there is a legitimate business reason.
Office 365 Email and Calendar may not be used for:
These data restrictions are compliance-based, not security-based. Regulatory requirements mandate that specific sensitive regulated data be restricted from this service. It may not be used for Protected Health Information because Microsoft has not signed the necessary Business Associate Agreement mandated by HIPAA. Office 365 may not be used for Export Controlled Research data because Microsoft cannot ensure that only U.S. persons have access to or maintain its systems.
Box is a cloud-based storage solution that allows you to share files with people inside and outside of the university. Internet2 and Box.net have partnered to work with representative universities to develop a hosted service that meets common higher education security and regulatory requirements.
Box is a contracted-for service obtained through a partnership with a consortium of higher education institutions. The agreement includes confidentiality and data security provisions. Box provides a secure environment in which to maintain or share the university’s sensitive unregulated data, as well as some kinds of sensitive regulated data. WUSTL IT leadership has determined that hosted Box is a reliable, secure and credible service. When used in compliance with university policies for information security, computer use and the code of conduct, and subject to the considerations in this document, the hosted service should be considered an extension of internally provided services.
Social Security Numbers and other personal identity information should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use the institutional resources designed to house this data. IS&T can help you explore options that are appropriate for you.
These Box.net applications may not be used for Protected Health Information because Box has not signed the necessary Business Associate Agreement mandated by HIPAA. They may not be used for Export Controlled Research because Box cannot ensure that only U.S. persons have access to or maintain its systems. Data will be stored in U.S.-based data centers only, and all data is stored in encrypted form.
We believe that Box is compliant with most grants, although specific grant rules for data management should be checked prior to use for research data.
A detailed description of the Box service features can be found here.
Updated April 1, 2013.