Cloud Services
What is Cloud Computing?
As most services are now becoming cloud native, acquiring cloud-based software services is something we all have to do. There are certain requirements you need to meet before you can acquire these services, and this web post provides a user-friendly guide for doing that.
Cloud computing is described in the NIST Special Publication 800-145 as “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
We will go over the following topics in this article:
- Service Models of Cloud Computing
- Requirements Needed to Request Service
- HECVAT Assessment and Exceptions
- VPAT Compliance
- Requesting Cloud Services
Which Requirements do I need for Requesting Service?
- We have two major requirements, one for IT Security and one for IT Accessibility.
- IT Security = HECVAT
- IT Accessibility = VPAT
What are the Different Types of HECVAT Assessments I Can Complete? Is there an Exception?
Third-Party HECVAT Assessment:
- FedRAMP authorization
- StateRAMP authorization
- SOC 2 certifications
- ISO 27001/27017 certifications
Vendor-supplied HECVAT Assessment:
Vendors can complete a HECVAT Assessment using the ISORA LITE Tool or the HECVAT Lite Spreadsheet.
Yes, exceptions can be made. Request exceptions using the IT Policy Exception Request Form. NOTE: An exemption is valid for only one year.
The information you will need to provide on your HECVAT Exception is:
- Business and technical contacts
- The specific policy or control for which you are seeking the exception
- Information about the information resources relevant to the exception (i.e., DNS names)
- Business purpose for the policy exception
- The business impact if the exception is denied
- Mitigation against risk (compensating controls)
The approval flow of HECVAT Exceptions will be:
- Risk Management Team
- The Unit Head for Approval (Dean/Vice President)
- University Chief Information Security Officer for Final Approval
What is VPAT Compliance?
VPAT Compliance:
- Departments wanting to purchase software need to first complete the IT Accessibility Review Routing Form
- Vendors may voluntarily provide the VPAT on their websites
- Vendors can acquire a VPAT by filling out VPAT 2.4Rev 508 (March 2022)
- You can use the ACE Tool to see whether exceptions already exist.
- If compliance is not possible, the online EIR Accessibility Exception Request form must be submitted.
NOTE: An approved exception is not an exemption. It is documentation of a temporary acceptance of risk.
How to Request Cloud Services?
There are 160 cloud services that have been reviewed and approved for use. You can start using them right away. To request a new service, go to the Reviewed Cloud Services Page and click on this tab: