Overview

Cloud computing is defined as on-demand delivery of information technology (IT) resources through the Internet. Such services use a pool of shared resources to achieve economies of scale, provide greater flexibility, and support communication, collaboration, scheduling, sharing, and storage. In most cases, these services are provided on a contractual basis by a third-party vendor and essentially becomes an extension of the County’s network. Security concerns in cloud computing include, but are not limited to:

  • Loss of control over the maintenance and protection of the data
  • Potential loss of privacy due to aggregation of data from other cloud consumers
  • Reliance on vendor’s services for the security of County data

Policy Purpose

The purpose of the Cloud Computing Policy is to safeguard the County’s data and to mitigate any risks associated with utilizing cloud solutions. This policy outlines best practices to ensure that data will be properly stored and shared when using cloud computing services.

Scope

The scope of this policy includes all users of the County of San Mateo’s network who uses cloud computing services, including vendors, contractors, volunteers, temporary staff, consultants, collectively known as Workforce Members, and any other party who provides services or works on the computer and/or network systems.

Policy

All cloud computing services shall undergo a security assessment, performed at the time of contract, including but not limited to: security controls, identity and authentication management, password management, auditing, and encryption capabilities. As part of the review process, all cloud services that are currently listed in the Federal Risk Authorization Management Program (FedRAMP) will undergo an abbreviated security review process. Cloud services that are not “FedRAMPed” will undergo a more in-depth security review process. Any cloud service’s security level and trustworthiness must match the sensitivity of the data stored on that service. If there are circumstances that fall outside the ability to comply with and/or conform to County policies, an exception waiver may be required.

All cloud computing services must be reviewed and approved by the Chief Information Officer (CIO) or designee before purchase or deployment, including renewals. The CIO or designee has the right to deny the request and shall provide the reason(s) for doing so as well as alternatives so that a mutually agreeable solution can be developed.

The use of cloud computing services shall comply with all current laws and regulations as well as all County policies. All software stored in the cloud must comply with licensing agreements and copyright laws. Additionally, all internet domains (URLs) associated with County business shall be managed and registered through ISD.

Software as a Service

Software as a Service (SaaS) solutions must utilize latest version of Security Assertion Markup Language (SAML) authentication (WS-Federation and Okta’s Secure Web Authentication (SWA) may be used in lieu of SAML) and integrate with the County’s identity provider (currently Okta). Multi-factor authentication is required when the application is accessed from outside of the County’s network. If solutions do not utilize SAML authentication or multi-factor authentication, a request for exception, signed by the Department Head, must be submitted to the CIO or designee, for approval. Note: The security assessment may result in a request for exception based on the results of the review and is not limited to the above-mention authentication processes.

The cloud environment shall also include a County-approved warning banner upon logon, if capable.

All software must be configured to have a lock-out session after fifteen (15) minutes of idle time. Full auditing, in coordination with ISD, must be enabled to allow for successful and unsuccessful account logon events, account management events, and system events. Audit logs, if performed by another organization, shall be shared with the County upon request or as stated in the underlying agreement. All audit logs must be stored for a minimum of one year.

Contingency plans for disaster recovery must be provided by the vendor in all SaaS solutions including a strategy to restore the data within a specified time frame.

Both vendor and County roles and responsibilities shall be clearly stated including enforcement mechanisms to meet the required service levels. All parties must also comply with Administrative Memorandum B-1.

The terms and conditions of termination shall be clearly defined along with the disposal and/or transfer of data.

Self-Provisioning Cloud Services

Self-provisioning cloud services, used to share, store, and/or manage data, present significant data management risks including compromised data, sudden loss of data or service, and changes to the terms of service without notice. Users of self-provisioning cloud services sign up for services through an end-user license at no monetary cost. These cloud computing services, including but not limited to Google Docs and DropBox may not be used for the storage, manipulation, or exchange of County-related data. Furthermore, cloud services shall not be used to store, process, share, or manage any data deemed to be sensitive or confidential, such as data related to the Health Insurance Portability and Accountability Act (HIPAA) or Personally Identifiable Information (PII) at any time.

Confidential Data

Cloud systems are subject to the same internal standards as those located on-premises. Confidential data may only be stored and managed through a secure vendor that has been approved by ISD as appropriate for confidential data.

All vendors shall comply with all County specified standards and requirements in addition to federal and state mandated standards, such as HIPAA. Compliance shall be detailed within the business case for each application. Vendors must provide information regarding the controls they employ to maintain security on all HIPAA and PII data. The following list includes security concerns that will be evaluated in the security review process. Note that an exception waiver may be required in the event that the listed County requirements are not met.

How and where vendor encrypts data, both at rest and in motion

  • How vendor employees who will have physical access to the network and infrastructure that hosts the application, are vetted
  • What third-party audits will be/have been performed to validate vendor controls
  • What security features are and are not included as part of their SLA
  • What constitutes a security event and what their notification policies and procedures are after a security event occurs
  • If the backups of the County’s data are moved offsite, how are they encrypted
  • How will data be securely deleted or destroyed as requested
  • The vendor’s ability to provide patches and update products, including the patch schedules and timeline for end-of-device support
  • Assurance that the sharing of the County provided account password will be strictly prohibited

Client data from the cloud may not be transmitted to a personal computing device (such as a flash/thumb drive).

Other County Policies

The County has other policies that address specific areas of information security including policies on IT security, Internet use, email, mobile technology use, vendor/contractor access, and portable computing. These policies are also applicable and extend to cloud services including the use and storage of information. Departments may have internal policies that also address these issues. These policies are cumulative and in the event of conflict, the policies providing the County with the greatest level of security shall apply.

Responsibility

Departments shall be responsible for providing security awareness and training to all users of devices or electronic media containing Personal Health Information (PHI) or PII as it relates to the HIPAA requirements for all data under their control. ISD will be responsible for providing Countywide security awareness and training.

Policy Enforcement

The CIO or designee is the policy administrator for information technology resources and will ensure that this process is followed. Additionally, Division Directors, managers, and

Department Heads are responsible for compliance with County policies within their respective administrative areas.

Any violations of this policy shall be reported to the CIO or designee. Violations will be investigated and may result in disciplinary action up to and including dismissal from County employment. For violations of patient confidentiality, the procedures of the Patient Confidentiality Sanctions Policy as regulated by HIPAA will apply. Vendors who violate

this policy may be subject to contract termination, denial of service, and/or legal penalties, both criminal and civil.

Revision History

Effective Date Changes Made
7/31/2018 Policy established
6/22/2020 Policy revised