A knowledge base article about Cloud Services FAQs provided by the UC Berkeley IT Service Hub - Knowledge Portal
The best campus resources for this are the IT Service Hub and Research IT. Additionally, the Berkeley IT Procurement department may be able to assist you in finding services that have already been purchased on behalf of the campus.
Contact the UCB Procurement Office directly to find out whether a contract is in place with a service provider: supplychain@berkeley.edu
If you are planning to use a cloud service for any kind of UC Institutional Information, including research, first determine whether an already-existing campus service will meet your needs. If not, work with your departmental Buyer or campus Procurement to ensure the proper contract language is in place. You will need to know the Protection Level of the information that you intend to use with the service in order to ensure the contract and procurement process (and your use case) meet University policy.
An important distinction is that having a contract in place with a supplier doesn't mean the service is appropriate for all use cases. There may be limitations on the types of data that can be used with the service. Before using a service, always confirm its allowable data Protection Level and any other restrictions with your Buyer/Procurement or the campus service provider.
An example is our campus Google Workspace agreement, which will meet the overwhelming majority of campus needs in the e-mail/calendar space. However, it is not approved for use with information classified as Protection Level P4. It is also not HIPAA or PCI (credit card data) compliant. As such, campus Google tools are not appropriate for use with these types of data despite having an approved UC agreement in place.
For assistance with IT policy questions, contact security-policy@berkeley.edu.
For evaluating cloud service providers that handle P4 data on behalf of the University, the Information Security Office offers the Vendor Security Assessment Program (VSAP). The VSAP is intended to ensure that campus third-party service providers adhere to the same baseline level of security practices required for campus systems and applications that contain protected information and are managed and maintained by internal campus resources.
To request a VSAP evaluation for a P4 system that is vendor-managed, review the Details of the Vendor Security Assessment Program and then send an email request to security@berkeley.edu. If there are particular services or types of services that you believe would add significant value, please contact David Willson (dwillson@berkeley.edu).
For questions concerning IT policy, contact security-policy@berkeley.edu.
For all other questions, contact security@berkeley.edu.
When you engage a service provider, you, as the Resource Proprietor, are responsible for ensuring compliance with laws, regulations and policies, including standards (UC Business Finance Bulletin IS-2 and IS-3).
For example, if notice-triggering data is involved, the service (whether on or off campus) must meet the protective measures defined in the campus Minimum Security Standard for Electronic Information.
Information that is subject to state or federal regulations will have use and disclosure restrictions that must be maintained. Student records are protected by FERPA regulations. Medical records are protected by HIPAA, FERPA, and state laws.
The Resource Proprietor, in consultation with the Resource Custodian, is responsible for determining the level of risk (subject to law, regulation, and policy) and ensuring the implementation of appropriate security controls to address that risk. This puts responsibility for evaluation of the service's security controls (e.g., hardening, patching and monitoring) in the hands of the Resource Proprietor. Although not directly applicable to services outside of the campus network, the campus Minimum Security Standard for Networked Devices provides a useful set of baseline security requirements.