Policy on the Use of External Services

Restricted data should neither be stored on nor sent to, from or through any external service provider (ESP) unless one of the two following conditions has been met:

  1. the University has a contract with the ESP that specifically addresses such use of sensitive data [1], or
  2. encryption methods that meet the requirements of the University of Chicago Statement on Minimum Encryption Standards are implemented to protect this data.

Restricted data is defined in the Data Classification Guideline.

Definition of External Service Provider

An external service provider (ESP) is any Internet-based service not sourced from the University of Chicago network. Examples include the following:

  • Consumer email services such as Yahoo!, live.com, or Google mail (outside of the University’s Google domain)
  • Internet Service Providers such as Comcast and AT&T
  • Web hosting and web application providers, such as Amazon’s S3 or Google Apps (outside of the University’s Google domain)
  • Services provided by other universities
  • Application Service Providers, such as GEAC, Workbrain, or eBiz

Examples

Email
Some people who have University email accounts also maintain private email accounts, in some cases forwarding messages sent to their University accounts to their private accounts. While it is recognized that it may be an inconvenience, it is important that University employees not forward messages pertaining to University business and containing sensitive data to accounts not managed by the University. Doing so may have significant legal consequences for both the University and the individual.

Online Data Storage
There are now several companies that offer an individual the ability to store their data and access it from “anywhere”, meaning your phone, PDA, laptop or desktop, no matter where these devices happen to be at any given time. Examples of such services are Apple’s MobileMe (formerly .Mac) and Pro SoftNet’s iDrive. Unless the University has specifically contracted for the use of one of these services and the contract specifically addresses storing, retrieving and deleting of sensitive data, these services should not be used for any machine that may be used for the storage, transmission or retrieval of sensitive data.

Web Applications
The use of web applications is a growing industry; companies such as Google are currently offering tools and applications to serve a variety of needs, including collaboration, calendaring and messaging. Unless the University has specifically contracted for the use of one of these services and the contract specifically addresses storing, retrieving, and deleting of sensitive data, these applications should not be used for University business where sensitive data may be involved.

Questions?
If you have any questions about this policy or how it may apply to your usage, please contact IT Security at security@uchicago.edu or 773.702.2378.

[1] The University may contractually require the ESP to implement additional security controls if it deems them to be appropriate for the intended use. Also, external service providers who perform authentication of University-provided identity credentials must be contractually obligated to maintain the confidentiality of those credentials. All ESPs must be explicitly prohibited from storing University passwords or other shared secrets.
 
Category: Eligibility and Acceptable Use
Policy Owner: mmorton