3.05 – External Hosting Policy

Purpose of Document:

To define the requirements for appropriate and approved use of externally hosted Asbury Theological Seminary systems and/or data. 

Policy:

External hosting of systems and/or data can be categorized into the following models: 

  • Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. 
  • Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. 
  • Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers, and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. 

For the purpose of this document, the term cloud computing services is used to encompass SaaS, PaaS, and IaaS. 

Sensitive and/or confidential data stored on cloud computing services must be evaluated by LITS staff and approved by the Dean of LITS, Provost, and CFO. 

In addition to other Seminary policies, the following requirements must be followed in the use of cloud computing services: 

Prerequisite Requirements 

  • Consult with appropriate data owners, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with the Office of the General Counsel as decided by the CFO.
  • Contractual requirements: 
    • Both the Seminary and vendor must declare the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected. 
    • The contract must specifically state what data the Seminary owns. It must also classify the type of data shared in the contract according to the Seminary’s Data Classification policy requirements. Departments must exercise caution when sharing sensitive or confidential data (as defined by Asbury’s Data Classification Policy) within a cloud computing service. 
    • The contract must specify how the vendor can use Seminary data. Vendors cannot use Seminary data in any way that violates the law or Seminary policies. 
    • The contract must specify that the vendor will implement and maintain standards to safeguard data in accordance with laws protecting student data, including but not limited to: FERPA, the Gramm-Leach-Bliley Act (GLBA), PCI-DSS, and GDPR. For more information, see the Data Safeguards for Internal and External Systems Policy.
  • A Service Level Agreement (SLA) with the vendor should exist that requires: 
    • Clear definition of services; 
    • Agreed upon service levels; 
    • Performance measurement; 
    • Problem management; 
    • Customer duties; 
    • Disaster recovery; 
    • Termination of agreement; 
    • Protection of sensitive information and intellectual property; and 
    • Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery. 
  • Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor and/or service while integrating the service into normal internal business practices and/or business continuity and disaster recovery plans. The Seminary must determine how data would be recovered from the vendor.
  • A proper risk assessment must be conducted by LITS prior to any third party hosting or cloud computing service arrangement.

Intellectual property

  • Asbury Theological Seminary logos, seal, images, and symbols are owned by the Seminary and may not be used or reproduced without the permission of the Office of Communications. See the 2012 Brand Manual.
  • Review the intellectual property guidelines found in the ATS Copyright Policy.

Privacy and data security 

  • Information that the Seminary has classified as “Sensitive Data,” “Confidential Data,” “Internal Data,” or “Public Data” may be used only in accordance with the Data Classification Policy.

Supplemental Requirements 

The lists of requirements set forth in this Policy are not comprehensive, and supplemental controls may be required by the Seminary to enhance security as necessary. 

LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020