Cloud Server Technical Control Requirements Policy

Version 1.4

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to inform the University community of the technical security control requirements for Internet-exposed cloud servers owned and managed by the University, which meet specific criteria enumerated below.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

Security controls may be in the form of an Intrusion Prevention System (IPS), Web Application Firewall (WAF), and Security Management Tools (SMT) for all Internet-exposed cloud servers regardless of the service provider (e.g., Microsoft™ Azure, Amazon™ AWS) if the business partner requires one or more of the elements listed below.
- As technology changes, these security controls may change, or other methods may be implemented.
There will likely be costs associated with the implementation of security controls.
- IT and business partners must be aware of these potential costs and adjust their budgets.
- IT and business partners must accept the cost associated with the selected level of service.
The control requirements and risk evaluations involving the Office of Information Technology’s Information Security and Assurance, DevOps - Platform Services, DevOps - Application Services, or Educational Technologies, and the business partners are outlined in the table below:

If IT or Business Partner Requires	Control Requirements
High Availability	IPS, WAF, SMT
IT Security Support (Outside M-F, 9 a.m. - 5 p.m.)	IPS, WAF, SMT
Storage of Fordham Sensitive* or Fordham Protected Data	IPS, WAF, SMT
Avoidance of University Reputational Risk	IPS, WAF, SMT
Avoidance of Operational Risk (Business Continuity)	IPS, WAF, SMT

*Fordham Sensitive Data is the default data classification and should be assumed when there is no information indicating the data should be classified as protected or public. See the Data Classification Guidelines.

Definitions

Fordham Protected Data is any data that contains personally identifiable information concerning any individual, as well as any data that contains personally identifiable information that is regulated by local, state, or federal privacy regulations, and any data designated or described by any voluntary industry standards or best practices concerning the protection of personally identifiable information that Fordham chooses to follow. See the Data Classification Guidelines.

Fordham Sensitive Data is based on departmental/internal standard operating procedures (e.g., budgets, payroll, or properties that Fordham may be interested in purchasing). See the Data Classification Guidelines.

High Availability refers to systems that are durable and likely to operate continuously without failure. The term implies that parts of a system have been thoroughly tested and, in many cases, that there are accommodations for failure in the form of redundant components.

Intrusion Prevention System (IPS) is a form of access control. Its intent is not only to detect a network attack but also to prevent it. It neither requires nor involves human intervention to respond to a system attack.

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Operational risk summarizes the uncertainties and hazards Fordham University faces when it attempts to do its day-to-day business activities.

Reputational Risk refers to the potential for negative publicity, public perception, or uncontrollable events that may damage Fordham University’s reputation, and thereby may affect its revenue, accreditation, current enrollment, or future enrollment.

Security Management Tool (SMT) is a tool provided by the cloud platform that analyzes, assesses the security of the cloud service continuously, and offers immediate feedback on potential security risks. These tools are cloud-specific (e.g., Azure Security Center for Microsoft Azure, Inspector for Amazon Web Services).

Web Application Firewall (WAF) is a system or service that filters, monitors, and blocks HTTP traffic to and from a website to protect it from attack.

Related Policies and Procedures

Implementation Information

Review Frequency:	Annual
Responsible Person:	Senior Director of IT Security Operations and Assurance
Approved By:	CISO
Approval Date:	July 19, 2019

Revision History

Version	Date	Description
1.0	07/29/2019	Initial document
1.1	08/17/2020	Updated policy statement
1.2	08/31/2021	Updated policy statement, definitions
1.3	10/26/2022	Updated Links and Sr Director’s title, added MFA Policy
1.4	10/26/2023	Updated policy statement, scope, and disclaimer

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.