Cloud Server Technical Control Requirements Policy

Version 1.0

Purpose

The purpose of this policy is to inform the University community of the technical security control requirements for Internet exposed cloud servers owned and managed by the University, which meet specific criteria enumerated below.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • The University Information Security Office (UISO) requires the implementation of security controls.
  • Security controls may take the form of an Intrusion Prevention System (IPS), a Web Application Firewall (WAF), and Security Management Tools (SMT) for all Internet-exposed cloud servers, regardless of the service provider (e.g., Microsoft™ Azure, Amazon™ AWS), if the business partner has a requirement for one or more of the elements listed below.
  • There will likely be costs associated with the implementation of security controls.
    • Business partners must be aware of these potential costs and adjust their budgets.
    • Business partners must accept the cost associated with the selected level of service.
  • The control requirements and risk evaluations involving the UISO, Digital Platform Services (DPS), Software Services and Information Architecture (SSIA), or Instructional Technology Computing (ITAC), and the business partners are outlined in the table below:
  • Fordham Sensitive Data is the default data classification and should be assumed when there is no information indicating the data should be classified as protected or public. See the Data Classification Guidelines.

If Business Partner Requires                             | Control Requirements
---------------------------------------------------------|---------------------
High Availability                                        | IPS, WAF, SMT
IT Security Support (Outside M-F, 9 a.m. - 5 p.m.)       | IPS, WAF, SMT
Storage of Fordham Sensitive or Fordham Protected Data   | IPS, WAF, SMT
Avoidance of University Reputational Risk                | IPS, WAF, SMT
Avoidance of Operational Risk (Business Continuity)      | IPS, WAF, SMT

Definitions

Fordham Protected Data is any data that contains personally identifiable information concerning any individual, as well as any data that contains personally identifiable information that is regulated by local, state, or federal privacy regulations, and any data designated or described by any voluntary industry standards or best practices concerning protection of personally identifiable information that Fordham chooses to follow. See the Data Classification Guidelines.

High Availability refers to systems that are durable and likely to operate continuously without failure. The term implies that parts of a system have been thoroughly tested and, in many cases, that there are accommodations for failure in the form of redundant components.

Intrusion Prevention System (IPS) is a form of access control. Its intent is not only to detect a network attack but also to prevent it. It neither requires nor involves human intervention to respond to a system attack.

IT Resources include computing, networking, communications, applications, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Operational risk summarizes the uncertainties and hazards Fordham University faces when it attempts to do its day-to-day business activities.

Reputational Risk refers to the potential for negative publicity, public perception, or uncontrollable events that may damage Fordham University’s reputation, and thereby may affect its revenue, accreditation, current enrollment, or future enrollment.

Security Management Tool (SMT) is a tool provided by the cloud platform that continuously analyzes and assesses the security of the cloud service and offers immediate feedback on potential security risks. These tools are cloud-specific (e.g., Azure Security Center for Microsoft Azure, Inspector for Amazon Web Services).

Web Application Firewall (WAF) is a system or service that filters, monitors, and blocks HTTP traffic to and from a website to protect from attack.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Security
Approved By: CISO
Approval Date: July 19, 2019

Revision History

Version | Date       | Description
--------|------------|-----------------
1.0     | 07/29/2019 | Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.