Last Revision Date: Feb 4, 2014
Approval Date: March 20, 2014
Approval Authority: CWRU Chief Information Security Officer
This policy establishes boundaries for sanctioned use of CWRU Google Apps for Education (Google Apps), including but not limited to email, calendar, contacts, online meetings (Hangouts), online file storage (Drive and Google Docs), self-service web sites (Sites), photos (Picasa), social media (Google+), etc.
Coordination with Other Policies and Procedures
The Sanctioned Use Policy for CWRU Google Apps is closely aligned with these policies:
- Policy I-1 Acceptable Use Policy
- Policy III-1, Information Tiers and Sensitivity
- Policy I-2 SSN Use Policy
- Policy III-1e Tier III Controls: Information Security Requirements for Restricted Information
Case Western Reserve University has been engaged in the use of Google Apps for Education (Google Apps) since 2007. In the use of the various applications in the Google Apps suite, the following policy is defined to assist users in prudent decisions about how to use Google Apps, and similar cloud-based services available to the CWRU community. The application suite encompasses Google Apps utilities available to authorized CWRU users, through appropriate Single Sign On authentication.
- The CWRU-branded Google Apps suite of applications have been approved for use with Public and Internal Use categories of information, as described in CWRU UTech Policy III-1 Information Tiers and Sensitivity.
- The storage and transfer of Restricted information in Google Apps is strictly prohibited, unless the files are individually protected using encrypted means sufficient to prevent disclosure (strongly encrypted, complex-password-protected attachments, with no passwords included).
End Users will manage information under their stewardship in accordance with university policy.
University Technology will manage risk of shared information in Google Apps through various audit and assessment activities.
Standards Review Cycle
This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.