Campus Cloud Infrastructure - Terms of Service 
Version 2.1 : October 25, 2023 

1. Service Description:
   • Campus Cloud Infrastructure (CCI) is a university-owned, DoIT-managed private cloud and virtualization platform built upon a hyperconverged infrastructure.  The CCI Private Cloud is an environment in which all hardware and software resources are owned by and dedicated to the University. CCI Private Cloud combines many of the benefits of cloud computing—including elasticity, scalability, and ease of service delivery—with the access control, security, and resource customization of an on-premises infrastructure.
2. Service Eligibility:
   • CCI Private Cloud is available to UW-Madison faculty, staff, and researchers, and UW System campuses via the IT as a Service (ITaaS) program.
3. Data elements allowed in CCI Private Cloud
   • The campus definition of Restricted Data can be found at https://policy.wisc.edu/library/UW-504.  Restricted data elements may be hosted in the CCI environment pending successful completion of a Cybersecurity Risk Assessment for workloads storing or accessing restricted data.  See https://it.wisc.edu/about/division-of-information-technology/enterprise-information-security-services/office-of-cybersecurity/  to request a risk assessment.
   • Non-restricted data elements are allowed in the CCI Private Cloud environment.
4. Roles and Responsibilities
   • DoIT CCI Private Cloud Responsibilities: DoIT is responsible for CCI Private Cloud infrastructure (server hardware, storage hardware, network hardware, and hypervisors).
     • Access control: DoIT is responsible for controlling access to CCI Private Cloud.
     • Audit: DoIT is responsible for maintaining audits for the infrastructure.
     • Business Organization: DoIT is responsible for ensuring that access to a customer’s deployments is limited to the list of people provided by the customer.
     • COOP: DoIT Operational Framework - Section 8.0 - Continuity of Operations (COOP) for CCI Private Cloud infrastructure.
     • HIPAA Risk Assessment: DoIT is responsible for the HIPAA risk assessment of CCI Private Cloud.
     • Integrity: DoIT is responsible for the integrity of the infrastructure.
     • IT Operations: DoIT is responsible for the operations procedures that ensure the confidentiality, integrity, and availability of CCI Private Cloud.
     • Maintenance Notification: CCI Private Cloud is responsible for notifying customers of any maintenance that is to be performed in the environment.
     • Physical Security: DoIT is responsible for the physical security of CCI Private Cloud.
     • OS Templates: DoIT is responsible for providing guest OS templates that meet the Departmental IT Security Baseline laid out by the Office of Cybersecurity.
     • Training: DoIT will ensure that infrastructure staff are trained annually on HIPAA regulations.
     • IT Sanitization: DoIT is responsible for sanitizing all physical storage removed from CCI Private Cloud.
   • Customer Responsibilities: Customer is responsible for everything contained within a virtual server (guest operating system, applications, data, backup of VM and VM data, etc.).
     • Access control: The customer is responsible for controlling access to their CCI Private Cloud deployments.
     • Load Balancing: of customer-owned applications.
     • Audit: The customer is responsible for audits related to their deployments.
     • Business Associates Agreement (BAA): The customer is responsible for any BAAs with third parties.
     • Business Organization: The customer is responsible for the HR processes needed to ensure the correct people are working with HIPAA data.
     • Certificate management.
     • Compliance with the Departmental IT Security Baseline for their Virtual Machines.
     • COOP: Customer is responsible for theContinuity of Operations Planning (COOP)plan for their virtual servers.
     • Disaster Recovery: Customer is responsible for their disaster recovery plan. DoIT provides infrastructure tools (e.g., backup, etc.) that customers can use as part of their plan.
     • Encryption: Customer is responsible for file-level encryption on their servers. DoIT provides documentation to assist. VM Level encryption is available. (CCI Private Cloud - VM Encryption)
     • Endpoint Security: The customer is responsible for the security of all of their devices that connect to CCI Private Cloudresources.
     • HIPAA Risk Assessment: The customer is responsible for the HIPPA risk assessment of their HIPAA deployments in CCI Private Cloud.
     • HIPAA-approved storage platforms (if not using DoIT-provided data storage).
     • Integrity: Customer is responsible for their file integrity.
     • IT Operations: The customer is responsible for the operations procedures that ensure the confidentiality, integrity, and availability of their CCI Private Cloud deployments.
     • Malicious Protection: Customer is responsible for malware protection on their virtual servers. Cybersecurity can assist with vulnerability detection tools like Qualys Cloud Agent and Qualys vulnerability scanning.
     • Security-related patching of Virtual Machines and endpoints.
     • Security Incident: Customer is responsible for reporting any suspected security incident. SEO Service Management provides policy, process, and tools to assist with incident management.
     • Storage: The customer is responsible Use HIPAA-approved storage platforms (if not using DoIT-provided data storage).
     • User Authorization: Customer is responsible for maintaining the list of users authorized to create, modify, and delete virtual servers associated with their CCI account.
5. Rates
   • Current rate information for CCI Private Cloud can be found on the IT.WISC.EDU service page at https://it.wisc.edu/services/campus-cloud-infrastructure-cci/.
6. Support:

---

Incident Reporting & Technical Support