5 Inclusions for your Cloud Computing Policy

If your business uses cloud, it’s best it has a cloud
computing policy ensuring those services are being used appropriately and
productively.

Given there’s different types of clouds (e.g., public,
hybrid, private) with different types of services (e.g., data storage, email,
backups), there isn’t going to be a single cloud computing policy that a
business could use. The unique requirements and varied expectations that need
to be included in such a policy will depend on the types of clouds and the services
available.

And there’s no single way to structure the policy material,
other than presenting the information in a logical manner. When compiling your
cloud computing policy, you might want to include the following sections:

1. An Overview

Not all employees will be
familiar with the cloud and/or services your business use. Start your cloud computing
policy with a section that gives an overview or background information. Use
easily understood language, with as little jargon as possible. Keep it short
and simple to absorb. Remember to include a statement of purpose as in, why
this policy exists and what it’s intended to address.

2. The Scope

List the specifics of your cloud computing policy, such as
who it applies to. Individuals? Groups? Full time employees or contractors as
well? You could also specify the types of clouds to which the policy applies.
For example, the policy pertains to all types of external cloud services.

3. Policy Requirements

Your cloud computing policy must list the requirements and
expectations associated with using your business’ cloud services. Samples of
which can include the following;

  • Processes
    to be followed when evaluating or selecting cloud service providers
  • Legal
    requirements, compliance, current laws and regulations, including data
    privacy regulations.
  • Associations
    to existing IT requirements. Cloud service providers may need to comply
    with your existing security and/or risk management policies.
  • Authority
    requirements. Employees may be instructed to gain prior authority before
    opening a new cloud service account specifically for business purposes.
  • Unacceptable
    practices such as the sharing of cloud service passwords or the use of
    personal cloud services for business purposes

4. Guidance Section

Consider including a section on how to meet the outlined
requirements and expectations. Discuss what kind of assessments must be done
when evaluating and selecting a cloud service provider. Conducting security checks?
Risk assessments of potential providers? And who is to perform them?

Outline the process employees should follow to have a cloud
service authorised for use. Or perhaps list the pre-approved cloud services.

5. Compliance

The compliance section is often the shortest, but that does
not make it any less important. Outline how to handle policy exceptions, or any
consequences associated with non-compliance with the cloud computing policy.

As always if you’re still unsure, call us to discuss how we
can help you and your business with cloud services and providers.

Posted on