If you are considering working with or storing sensitive CHA data using cloud services (including Software as a Service, Infrastructure as a Service, Platform as a Service), you must:
- Choose a cloud service that complies with laws, regulations, and CHA Policies for your data type, in addition to addressing considerations of cost savings, functionality, and efficiency.
- Use that service in ways that recognize you have a shared responsibility with the cloud provider to properly safeguard and protect the security and privacy of sensitive CHA data.
Choose a Secure Cloud Service
CHA has contractual agreements with some cloud service providers for services that comply with the laws, regulations, and policies that apply to some types of sensitive data. These agreements are typically reviewed and approved by Procurement Services, Information Assurance, and the CHA's Office of Associate General Counsel. Choose a service that meets your administrative, teaching, research, and/or clinical requirements and that provides appropriate protection for your data type.
CHA Provided or Contracted-for Services
- Sensitive Data Guide. Use the guide to make informed decisions about where to safely store and share sensitive CHA data using services hosted by the CHA or covered by CHA contractual agreements with third-party providers.
- Cloud Computing. Review this list of services provided by or through Information & Technology Services (ITS). Some of these services require use of two-factor authentication..
CHA Business units planning to adopt a new cloud product or service must include ISPOT and the Chief Information Security Officer in the planning process so that ISPOT can perform an information security review. Ultimately, CHA—not the vendor—is responsible for securing institutional data and the privacy of its community members.
- Request ISPOT consultation by contacting the Office of the Chief Information Security Officer or Filling our our SBAR Form
- Third-Party Vendor Security & Compliance. Work with CHA's Procurement Services and ISPOT to select a vendor that meets compliance requirements, include IT security and privacy in your vendor contract, and plan to manage ongoing vendor security compliance.
Use Cloud Services Securely
Follow guidance from Information Assurance about secure use of cloud services.
- Security and Privacy in the CHA's Google Environment. Resources about security and privacy of the Google environment at CHA.
- Sensitive Data Guide. The guide not only helps you choose a storage or sharing service, it provides specific compliance guidance for use of each listed service.
- Use DROPBOX Securely with Sensitive Data and Research Data. Recommendations for using Google Drive securely with sensitive data.
If you are considering working with or storing sensitive CHA data using cloud services (including Software as a Service, Infrastructure as a Service, Platform as a Service), you must:
- Choose a cloud service that complies with laws, regulations, and CHA IT policies for your data type, in addition to addressing considerations of cost savings, functionality, and efficiency.
- Use that service in ways that recognize you have a shared responsibility with the cloud provider to properly safeguard and protect the security and privacy of sensitive CHA data.