ACTION REQUIRED - NOTICE OF CHANGES TO TERMS OF SERVICE
The UCSF IT cloud team is hereby known as ‘Cloud Team’. The UCSF department or individual owning this cloud account/subscription is hereby known as ‘Customer’. For simplicity, an Azure subscription will be described as an “account.”
This terms of service agreement takes effect on the date when Customer self-acknowledges it.
Applicable to all Cloud Platform Customers
Enterprise Cloud Core Infrastructure
DO NOT’s
- Do not attempt to modify or delete any services or resources which have a “restricted” tag, or are listed in the cloud platform user guide as protected or restricted services
- Do not attempt to configure SSH tunneling or otherwise change network traffic routing or visibility, or in any other way bypass the UCSF firewall
- Do not attempt to view, modify, or impact any other customer accounts or resources without that customer’s express approval.
- Do not attempt to uninstall, bypass, or modify Duo MFA
- Do not delete or modify the cost allocation tag or any tags used by Cloud Team
DO’s
- Because not all protected resources support tagging, please review the cloud-specific user manual for a more detailed list of restricted / protected services.
- AWS: link to user guide
- Azure AEC Acceptable Use: Do's / Do Not's (Web view)
- Get a cloud account security risk assessment for your specific use-case(s)
- The platform security risk assessment covers the platform your account is built on, but your account needs its own assessment
- As per IT policy, obtain a new security assessment when there is a significant change to your environment
- Create a ServiceNow application record for your application / use-case and create a “depends on” relationship with the appropriate cloud platform application record
- Azure: Azure Enterprise Cloud (AEC)
- AWS: AWS Secure Enterprise Cloud (SEC) [[application record needed, then link needed]]
- Warn the Cloud Team if you plan on using a large amount of network bandwidth in and out of your VPC/VNet
Understand This
- After the account is provisioned, the VPC CIDR range will not change. Please provide an accurate CIDR range estimate during the initial account request
User permissions / IAM Roles
Customer hereby acknowledges he or she agrees not to remove, re-configure, restrict (in any way), or otherwise tamper with the permissions, roles, assignments, and memberships created by the Cloud Team. IT-created IAM roles are required to allow UCSF IT to troubleshoot, audit, view, operate, maintain, and/or configure critical services within a Customer account.
DO NOT’s
- Do not attempt to add new roles or edit existing role permissions
- Do not modify UCSF IT-created IAM roles
- Do not attempt to bypass authentication and permission structure
- Do not attempt to create “backdoor” privileged local users
DO’s
- Notify Cloud Team if someone on your team no longer needs access to the account
Shared Responsibilities
List account owner responsibilities – shared responsibility grid
- Customer needs to adhere to RACI (Box link: TBD)
- Customer to provide infrastructure topology and intended services to be deployed in account during consultation
- Application layer and up are customer responsibilities, including day-2 responsibility
- Customer is responsible for monitoring and updating their deployed services
- Customer needs to inform Cloud Team of changes to their data criticality
- Customer needs to inform Cloud Team of their most current application inventory
- Customer is responsible for application logging, including for any third-party application deployed by Customer
Applicable to AWS Platform Customers
DO NOT’s
- Do not attempt to interact with the root user in any way. The root account user is controlled and maintained by Cloud Team, and access will not be given to Customer.
DO’s
- Contact cloud support if you have a change that requires root access.
Applicable to Azure Platform Customers
Please see the AEC User Guide for additional details: AEC Acceptable Use: Do's / Do Not's (Web view)
DO NOT’s
- Do not attempt to modify or bypass Azure Policy
- Do not attempt to create, modify, update, or delete the network routes
DO’s
- Do configure your PaaS/SaaS services with private endpoints (i.e. receiving a 10.x.x.x IP address inside of your vNet/subnet)
What Happens if I Do Not Comply?
- Non-compliance by an individual will result in user account termination, resource suspension, platform account termination, and/or escalation to management.
Guidelines from UCSF IT Security:
Depending on the solution being deployed into the Cloud Platform, there may be security requirements and responsibilities that need to be addressed. Some solution designs will inherit compliant and strong security controls, while others may have design elements that need to address technology, process, and compliance requirements within the application, workflows, and operations of the customer solution.
Below is a list of the applicable security policies and standards at UCSF, with narrative language for the terms of service to help determine applicability. This list will not serve as a direct solution compliance or operational security list; that determination should be made during onboarding and solution design, prior to deployment, to identify applicable roles and responsibilities. Most cloud computing environments have a shared responsibility model with the vendor; at UCSF this generally creates a multi-tiered, shared responsibility model.
NOTE: This document doesn’t address federal or state legal requirements or contractual requirements specific to the solution. Those should be addressed within the solution design phase and with the appropriate parties.
Key UCSF Security Policies and Standards
Information Security and Confidentiality – UCSF's main Information Security Policy
https://policies.ucsf.edu/policy/650-16
Addendum A, UCSF Roles and Responsibilities for Securing Electronic Information Resources
Addendum B, UCSF Minimum Security Standards for Electronic Information Resources
UCSF 650-16 Addendum C - UCSF Incident Investigation
http://it.ucsf.edu/policies/ucsf-650-16-addendum-c-ucsf-incident-investigation
https://it.ucsf.edu/standard-guideline/ucsf-650-16-addendum-c-ucsf-incident-investigation
UCSF 650-16 Addendum E - PCI
http://it.ucsf.edu/policies/ucsf-650-16-addendum-e-pci
UCSF Policy 650-16 Addendum F - UCSF Data Classification Standard
https://it.ucsf.edu/policies/dataclassification
Key UC-wide Policies and Standards – The UCSF Policy 650-16 references adhering to the UCOP Policy and applicable standards
UC Policy – IS-3 Information Security
https://policy.ucop.edu/doc/7000543/BFB-IS-3
Account and Authentication Management Standard
https://security.ucop.edu/policies/account-authentication.html
Classification of Information and IT Resources
https://security.ucop.edu/policies/institutional-information-and-it-resource-classification.html
Disposal of Institutional Information Standard
https://security.ucop.edu/policies/institutional-information-disposal.html
Encryption Key and Certificate Management Standard
https://security.ucop.edu/policies/encryption-key-and-certificate-management.html
Event Logging Standard
https://security.ucop.edu/policies/event-logging.html
Incident Response Standard
https://security.ucop.edu/policies/incident-response.html
Secure Software Configuration Standard
https://security.ucop.edu/policies/secure-software-configuration.html
Secure Software Development Standard
https://security.ucop.edu/policies/secure-software-development.html
Other Resources
IT Security Risk Assessment - The IT security risk assessment process collects information about each of our information systems and scores their security compliance. The process, called a distributed systems technical risk assessment, measures the security aspects of all computing devices associated with the system including servers, desktop computers and laptops, phones, tablets, routers, switches, network connections and other technologies. Note: The information system must be fully designed before the risk assessment can be started.
https://it.ucsf.edu/service/it-security-risk-assessment
Quick Start Guides by Role
https://security.ucop.edu/policies/quick-start-guides-by-role/
Location Cyber-risk Responsible Executives (CREs) - Each Location’s Chancellor has appointed a Cyber-risk Responsible Executive (CRE). The CREs, as a convening body, form the UC Cyber-Risk Governance Committee (CRGC).
The CRGC is responsible for monitoring the University’s cyber-risk profile, overseeing investment strategies, and coordinating cybersecurity efforts across the system. Additionally, the CRGC ensures that UC’s work is informed by the latest research, subject matter expertise, and best practices in the field of cybersecurity.
https://security.ucop.edu/resources/location-cre.html
Information Security Tips and Fact Sheets
https://security.ucop.edu/resources/factsheets.html
CSA Cloud Security Controls Matrix and CSA Security Guidance
https://cloudsecurityalliance.org/research/cloud-controls-matrix/
https://cloudsecurityalliance.org/research/guidance/
UCSF Incident Response contact – email [email protected] or call UCSF IT Service Desk at 415-514-4100