Cloud Services Security Checklist

Cloud services can help the Institute to deliver instruction, collaborate, and share information and ideas. While it can be very simple to create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students and each other. Before entering into an agreement with a cloud service provider, you should consider the following items:

  1. Consider the type of data to be shared with the cloud service provider
    1. Is this data subject to regulatory standards and/or protected by federal law (e.g., FERPA, HIPAA, DFARS, GDPR)?
    2. Does the Institute consider this information to be sensitive?
  2. Have the cloud vendor provide a completed HECVAT
  3. Contact GT procurement and GT Legal to assist with purchasing the service
  4. Read research agreements to verify they allow the use of cloud services
  5. Verify the cloud service agreement provides the following guarantees:
    1. Georgia Tech maintains sole ownership of our data
    2. The cloud service provider must notify Georgia Tech in the event of a data breach
    3. Georgia Tech has the right to reclaim our data
    4. Georgia Tech has the right to review independent audit reports or to audit the cloud service provider
  6. Verify the cloud service implements the following security measures[1] if you are considering using the service in conjunction with sensitive GT data:
    1. Storage encryption
    2. Transmission encryption
    3. Password protection
    4. Data backup
    5. Secure data/drive disposal

[1] The complete list of cloud security requirements for sensitive data is located in the Georgia Tech Data Protection Safeguards. Contact GT CyberSecurity if assistance is needed with security issues.