Cloud Storage Guidelines for Educational and Sensitive Data
Whitman-provided cloud services are appropriate for most communication and collaboration; however, the sensitivity and nature of the information must be carefully considered before you choose to store information on a cloud service.
Types of data to avoid storing on a cloud service:
Personal information (e.g., social security numbers, dates of birth, student records, and financial aid data).
Proprietary information (e.g., College financial data and donor information).
Regulated information, the disclosure of which is subject to regulatory compliance (including HIPAA, GLBA, PCI, etc).
Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so. Make sure you understand the sharing mechanisms available before sharing files or folders with anyone – and setup reminders to periodically review any sharing permissions you have setup.
Whenever technically feasible sensitive information should be stored on network file space in restricted directories - not on an office computer or a removable storage device. If a computer must be used to store sensitive information, it must be in a secure location, and each individual authorized to use the computer should have a unique username with a strong password. Sensitive information should not be stored on a laptop or mobile device unless absolutely necessary (and that device is both password-protected and encrypted). Avoid storing any sensitive information on a cloud-based location unless specifically directed to do so. (This not only includes Google Drive, OneDrive for Business, DropBox, etc. -- but also includes on-line data backup services.)
For more specific guidance, please review the Whitman College Data Classification Standard document and/or contact the Information Security Office at x5852.
Whitman Google Drive and Google shared drives
Whitman provides online storage and collaboration options to all Whitman students, faculty, and staff. Google Drive provides a cloud storage resource for College data. While Whitman-local computing resources are preferred mechanisms for storing sensitive data – Whitman has specific agreements with Google that allow FERPA-protected data to be managed within Google Drive when internal business process warrant. However, storing any sensitive data on cloud-based storage should involve a risk discussion – the Information Security Office can assist with these conversations. Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so.
Google shared drives may be reasonable solution for many departments -- especially those that manage large archives of non-sensitive data. If your department has very large amounts of data archived on the K:drive -- you are encouraged to contact WCTS to explore suitable storage alternatives.
Whitman OneDrive for Business
Whitman College offers authentication to the Office365/OneDrive for Business environment with your Whitman credentials (userID@whitman.edu). This is an additional option for those that choose to use this alternative. While Microsoft is contractually and legally responsible to protect FERPA data, WCTS advises the use of Whitman-local storage for any sensitive data storage.
Again, the sharing of documents with both internal and external collaborators is possible, but caution should be exercised when doing so.
Whitman College offers many other applications and services that are cloud-based: Simplicity, Slate, Handshake, etc. These examples are specific tools that enable certain activities within their academic or business processes. These services differ considerably from general file storage solutions like Google Drive – in that the ability to extend sharing permissions are quite different and there are specific contractual documents concerning securing the data. These services present much lower risk to institutional data.
It is also important to note: simply using your Whitman email address (userID@whitman.edu) does not mean you are logging into a Whitman-recommended, Whitman-supported, or Whitman-managed cloud resource.
If you have any questions about any service where your Whitman email address is used to login – you should contact the Help Desk or the Information Security Office for clarification.