Request accessible format

The accessibility of NIC.edu is extremely important to us! If you encounter any barriers and need assistance, please contact accessibility@nic.edu.

3.08.07 - Cloud Services

Policy Title: Cloud Services

Impact: Employees, Affiliates

Responsibility: Chief Information Officer

Effective Date: 04/16/2018

Revised Date:

Reviewed Date:

Relates to Policy(s):  3.08.07

Legal Citation(s):

I. Policy Narrative

Any employee, program, department, division, business unit, or affiliate of North Idaho College (NIC) that needs to acquire or use a cloud service that will store, process, or share institutional data must work with the Information Technology (IT) Department, the Office of Finance and Business, and NIC’s Legal Counsel to properly evaluate and manage the associated risks and service agreement language.

The use of cloud services to manage institutional data does not absolve an employee or unit from the responsibility of ensuring that the data is secure and managed in accordance with applicable policies and laws. 

II.            Definitions

“Affiliate” refers to any authorized individual, business, or organization connected to NIC, authorized to act on behalf of NIC, or is authorized to conduct work related to NIC needs.

 “Cloud Service” is any service provided remotely via the internet from a provider’s local servers as opposed to being provided from NIC’s on-premises server(s).

“Institutional Data” refers to any type of information that is processed, created, collected, transferred, recorded, or stored by NIC to conduct NIC business.

Procedure Title: Cloud Services

Impact: Employees, Affiliates

Responsibility: Chief Information Officer

Effective Date: 04/16/2018

Revised Date:

Reviewed Date:

Relates to Policy(s):  3.08.07

Legal Citation(s): 

 

The purpose of this procedure is to guide employees and affiliates of North Idaho College (NIC) in the approved use of cloud services in the course and scope of their job duties. Use of cloud services must comply with all other NIC policies and procedures, as well as applicable state and federal laws and regulations. It is the responsibility of the employee using such services to contact the IT Department to ensure that the use is consistent with those policies and procedures.

I. Use and approval of cloud services

No contractual agreement for cloud computing or cloud storage services may be entered into without NIC approval. All proposed agreements must undergo a contract or terms of service review process by the NIC Information Technology (IT) Department, Office of Finance and Business, and/or legal counsel to grant or deny approval.

Upon request or discontinuation of contracted cloud services, all data must be destroyed and a certificate of destruction of such records or similar documentation must be submitted to NIC as proof of record deletion.

II. Privacy and data security

  1. Cloud services and cloud storage may not be used for information that is classified as restricted, unless there is a contractual agreement between NIC and the service provider that protects the confidentiality of that information and data.

  2. Data stored under cloud services must remain the sole property of NIC.

III. Enforcement

Regarding employees and other affiliates, the consequences of policy violation will be commensurate with the severity and frequency of the offense and may include termination of employment or contract.

Regarding students, the consequences of policy violations will be commensurate with the severity and frequency of the offense and may include suspension or expulsion.

Violations of this policy will be addressed in accordance with appropriate NIC policies and procedures, as issued and enforced by the appropriate authorities.

Violations of any local, state, or federal law will be reported to law enforcement.

Consequences of policy violation may include, but are not necessarily limited to, the following:

  1. Notification: alerting a user to what appears to be an inadvertent violation of this policy in order to educate the user to avoid subsequent violations.

  2. Warning: alerting a user to the violation, with the understanding that any additional violation will result in a greater penalty.

  3. Loss of computer and/or network privileges: limitation or removal of computer and/or network privileges, either permanently or for a specified period of time.

  4. Penalties: if applicable, the violator may be subject to criminal or civil penalties.

IV. Appeal

For employees, appeal of actions taken which result in an unresolved dispute will be handled via the Grievance Policy and Procedure.  For students, all provisions of the Student Code of Conduct shall apply.

V. Maintenance

This procedure will be reviewed by NIC’s Chief Information Officer (CIO), IT Department, and the IT Policy and Planning Council every three years or as deemed appropriate based on changes in technology or regulatory requirements.

VI. Exceptions

Exceptions to this procedure must be approved by the NIC IT Department and formally documented under the guidance of the CIO, and President’s Cabinet.