Skip to main contentSkip to main navigationSkip to footer content

Cloud Storage User Policy

Policy Purpose

This policy defines how users are allowed to access and store University data in cloud storage. Protection of data in cloud storage is a security control.

Policy Statement

It shall be the policy of the University of Arkansas-Fort Smith to ensure the safe storage of user data in University approved Cloud Storage. This policy is used to protect the confidentiality, integrity, and availability of University data.

Applicability

This policy applies to all University employees and students. This policy also applies to all contracted employees, or any other user who has been granted access to highly sensitive information owned by the University of Arkansas – Fort Smith.

Definitions

Cloud Storage – Any third-party service capable of storing and/or synchronizing digital information through an internet connection. Examples include but are not limited to Google Drive, iCloud, Dropbox, OneDrive, SharePoint, and Microsoft Teams.
Public Data – Information to which the public may be granted access in accordance with University of Arkansas – Fort Smith policy or standards. Examples of public data include directory information and public announcements.
Internal Data – Information that is restricted to personnel designated by the university, who have legitimate business purpose for accessing such data. This classification applies even though there may not be any law or other regulation requiring this protection. Examples of internal data include confidentiality agreements and employee data.
Highly Sensitive Data – Data containing information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, university policy, or university contracts. Examples of highly sensitive data include social security numbers, credit card numbers, and confidential health information.

Policy Procedure

1. Authorized uses of cloud storage locations are permitted for Public and Internal data classification types and only for use with University approved storage which are Microsoft One Drive, Google Drive, Microsoft Teams (uses SharePoint) and Microsoft SharePoint.
2. University maintained Microsoft OneDrive, SharePoint, and Teams accounts are approved for storing Public Data, Internal Data, and Highly Sensitive Data.
3. Users must exercise additional caution when sharing permissions if Highly Sensitive data is accessible in their OneDrive or SharePoint accounts.
4. Authorized usage of cloud storage services must not subject UAFS data or systems to any risk of being compromised.
5. Devices with persistent access to cloud storage services, containing University information, must be password protected. Such devices include but are not limited to cell phones, tablet computers, and employee workstations.
6. Summary: Public data can be stored on OneDrive, Google Drive, Teams Chat, SharePoint, and UAFS email.
7. Summary: Internal data can be stored on OneDrive, Google Drive, Teams Chat, SharePoint, and UAFS email, but must be used with caution concerning share permissions.
8. Summary: Highly sensitive data can be stored on OneDrive, Teams Chat, SharePoint, and UAFS email, but must be used with caution concerning share permissions. Highly sensitive data may not be stored on Google Drive.

Enforcement

1. Data will be monitored for violations using software applications.
2. 1 st violation – User will be sent an email from IT explaining the violation and the policy.
3. 2 nd violation – User, user’s supervisor, and/or Department Head, and/or Director or will be copied on the email explaining the violation and the policy.
4. 3 rd violation – HR and the VCFA will be notified, and the user may be subject to disciplinary action. If the user knowingly and willfully violated this policy, the disciplinary action may lead to termination.

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

None Applicable.

Effective and Approved Date

This internal policy was approved by Terry Meadows – Director of IT/CIO on 5/12/2023.

Last Updated

This policy was last updated by Terry Meadows on 10/1/2025 for accessibility compliance.