SCOPE

This regulation applies to any College-owned or licensed technology platform that involves the use of a Cloud Computing technology or resource, except for legacy systems.

REQUIREMENTS

Prior to entering into any contract or agreement for a Cloud Computing technology or resource, the College will assess the solution and endeavor to determine and ensure the following:

• That implementation and use of the solution will forward the mission and goals of the College.
• That the solution meets all considerations contained in state and federal regulatory requirements.
• That the College possesses sufficient internal skills and infrastructure to support the solution post-implementation.
• That the contract or agreement for the solution includes a Service Level Agreement (SLA) that provides for no less than 99.97% of scheduled up-time, and that any scheduled downtime for maintenance require at least 24 to 48 hours advance notice to the College.
• That the vendor or contractor providing the solution will be responsible for reducing or refunding fees or providing other comparable remedies to the College if the required SLA levels are not achieved or maintained.
• That the College will retain ownership of all data, information and intellectual property provided or developed by the College in connection with its use of the solution.
• That the contract or agreement for the solution prohibits the service provider from making any alternative uses of the College’s data or information.
• That the contract or agreement for the solution requires the service provider to promptly transfer the College’s data back to the College at the conclusion of the contract, and in a manner and format that can be readily used or converted to use by the College and in a form that is free of viruses, worms, data breaches, hacker activities, Trojan horses and other similar harmful data elements. The vendor should also be prohibited from deleting the College’s data from its servers for a period of at least ninety (90) days following the transfer to ensure that the data has been successfully transferred in usable format.
• That the contract or agreement for the solution requires the service provider to carry insurance in form and amount sufficient to protect the College against data breaches, and which otherwise complies with the insurance requirements established by the College’s Office of Risk Management.
• That the solution will always be hosted in the continental United States of America.
• That the service provider possesses adequate backup and recovery capabilities.
• That the service provider has and maintains a secondary site that provides for rapid failover and recovery of data and functionality.
• That the service provider can ensure that data is protected at rest and in transit and while in use.
• That the service provider submits to SOC 2 and other audits as required.
• That the service provider provides technical and functional support for its product.
• That the contract or agreement for the solution provides for custom source code escrow.
• That the contract or agreement for the solution requires the service provider to protect Personally Identifiable Information (PII).