UCSF Secure Enterprise Cloud Terms of Service v2.0



The UCSF IT cloud team is hereinafter referred to as the ‘Cloud Team’.  The UCSF department or individual owning this cloud account/subscription is hereinafter referred to as the ‘Customer’.  For simplicity, an Azure subscription is also described as an “account.”


This terms of service agreement enters into effect on the date on which the Customer acknowledges it.


Applicable to all Cloud Platform Customers


Enterprise Cloud Core Infrastructure


  • Do not attempt to modify or delete any services or resources that carry a “restricted” tag or are listed in the cloud platform user guide as protected or restricted services.
  • Do not attempt to configure SSH tunneling, change network traffic routing or visibility, or otherwise bypass the UCSF firewall.
  • Do not attempt to view, modify, or impact any other customer’s accounts or resources without that customer’s express approval.
  • Do not attempt to uninstall, bypass, or modify Duo MFA.
  • Do not delete or modify the cost allocation tag or any other tags used by the Cloud Team.


  • Because not all protected resources support tagging, review the cloud-specific user manual for a more detailed list of restricted / protected services.
  • Obtain a cloud account security risk assessment for your specific use-case(s).
    • The platform security risk assessment covers the platform your account is built on; your account needs its own assessment.
    • As per IT policy, obtain a new security assessment whenever there is a significant change to your environment.
  • Create a ServiceNow application record for your application / use-case and create a “depends on” relationship with the appropriate cloud platform application record.
  • Notify the Cloud Team if you plan to use a large amount of network bandwidth into or out of the VPC/VNet.


Understand This

  • After the account is provisioned, the VPC CIDR range will not change.  Provide an accurate CIDR range estimate during the initial account request.



User permissions / IAM Roles

The Customer hereby acknowledges and agrees not to remove, reconfigure, restrict (in any way), or otherwise tamper with the permissions, roles, assignments, and memberships created by the Cloud Team.   IT-created IAM roles are required so that UCSF IT can troubleshoot, audit, view, operate, maintain, and/or configure critical services within a Customer account.


  • Do not attempt to add new roles or edit existing role permissions.
  • Do not modify UCSF IT-created IAM roles.
  • Do not attempt to bypass the authentication and permission structure.
  • Do not attempt to create “backdoor” privileged local users.


  • Notify the Cloud Team if someone on your team no longer needs access to the account.


Shared Responsibilities

List account owner responsibilities – shared responsibility grid

  • Customer needs to adhere to the RACI (Box link: TBD).
  • Customer is to provide the infrastructure topology and the intended services to be deployed in the account during consultation.
  • The application layer and up are Customer responsibilities, including day-2 responsibilities.
  • Customer is responsible for monitoring and updating their deployed services.
  • Customer needs to inform the Cloud Team of changes to their data criticality.
  • Customer needs to keep the Cloud Team informed of their most current application inventory.
  • Customer is responsible for application logging, including for any 3rd-party application deployed by the Customer.



Applicable to AWS Platform Customers


  • Do not attempt to interact with the root user in any way. The root user is controlled and maintained by the Cloud Team, and access will not be given to the Customer.


  • Contact cloud support if you have a change that requires root access.



Applicable to Azure Platform Customers

Please see the AEC User Guide for additional details: AEC Acceptable Use: Do's / Do Not's


  • Do not attempt to modify or bypass Azure Policy.
  • Do not attempt to create, modify, update, or delete network routes.


  • Do configure your PaaS/SaaS services with private endpoints (i.e., the service receives a 10.x.x.x IP address inside your vNet/subnet).




What Happens if I Do Not Comply?

  • Non-compliance may result in user account termination, resource suspension, platform account termination, and/or escalation to management.




Guidelines from UCSF IT Security:


Depending on the solution being deployed into the Cloud Platform, there may be security requirements and responsibilities that need to be addressed. Some solution designs will inherit compliant, strong security controls; others may have design elements that must address technology, process, and compliance requirements within the application, workflows, and operations of the Customer solution.


Below is a list of the applicable security policies and standards at UCSF, including narrative language for the terms of service to determine applicability. This list does not serve as a direct solution-compliance or operational-security checklist; that determination should be made during onboarding and solution design, prior to deployment, to identify the applicable roles and responsibilities. Most cloud computing environments operate under a shared responsibility model with the vendor; at UCSF this generally becomes a multi-tiered, shared responsibility model.


NOTE: This document does not address federal or state legal requirements or contractual requirements specific to the solution. Those should be addressed during the solution design phase with the appropriate parties.


Key UCSF Security Policies and Standards

Information Security and Confidentiality – UCSF's main Information Security Policy



Addendum A, UCSF Roles and Responsibilities for Securing Electronic Information Resources



Addendum B, UCSF Minimum Security Standards for Electronic Information Resources



UCSF 650-16 Addendum C - UCSF Incident Investigation




UCSF 650-16 Addendum E - PCI



UCSF Policy 650-16 Addendum F - UCSF Data Classification Standard




Key UC-wide Policies and Standards – The UCSF Policy 650-16 references adhering to the UCOP Policy and applicable standards


UC Policy – IS-3 Information Security



Account and Authentication Management Standard



Classification of Information and IT Resources


Disposal of Institutional Information Standard



Encryption Key and Certificate Management Standard



Event Logging Standard



Incident Response Standard



Secure Software Configuration Standard



Secure Software Development Standard



Other Resources


IT Security Risk Assessment - The IT security risk assessment process collects information about each of our information systems and scores their security compliance. The process, called a distributed systems technical risk assessment, measures the security aspects of all computing devices associated with the system including servers, desktop computers and laptops, phones, tablets, routers, switches, network connections and other technologies. Note: The information system must be fully designed before the risk assessment can be started.



Quick Start Guides by Role



Location Cyber-risk Responsible Executives (CREs) - Each Location’s Chancellor has appointed a Cyber-risk Responsible Executive (CRE). The CREs, as a convening body, form the UC Cyber-Risk Governance Committee (CRGC).

The CRGC is responsible for monitoring the University’s cyber-risk profile, overseeing investment strategies, and coordinating cybersecurity efforts across the system. Additionally, the CRGC ensures that UC’s work is informed by the latest research, subject matter expertise, and best practices in the field of cybersecurity. 



Information Security Tips and Fact Sheets



CSA Cloud Security Controls Matrix




UCSF Incident Response contact – email [email protected] or call UCSF IT Service Desk at 415-514-4100