Users of cloud services at Harvard, regardless of how the services are obtained, are responsible for abiding by the following appropriate use guidelines. Note that most guidelines are not unique to cloud services, and are principally restatements of existing policies and best practices.

• Follow Harvard's Information Security Policy and Data Protection Guidelines
• Ensure compliance with all other applicable policies such as PCI (credit card processing), HIPAA (health records), and FERPA (student records)
• Follow appropriate best practices for operational and technical management of the systems occurs (change control, access management, patching, back-up, etc. as necessary)
• Use the service only to conduct Harvard business (not for personal use)
• Maintain adequate local budgets to support utilization of services and actively monitor usage and charges. Due to the metered and variable nature of most cloud services, users should be diligent in regularly reviewing costs and using vendor tools to help monitor expenses.  Any disputes over services provided by an external vendor must be resolved directly by the local unit with the vendor, though HUIT should be contacted to help facilitate resolution and monitor overall vendor performance.

• AWS Beta services may not be used to support any system, service, or process that has an expectation of availability. Harvard Level 3 and Level 4 data may not be created, modified, transferred, stored, or deleted by AWS Beta services.

Last Updated:  7/7/2015