If your business uses cloud services, it should have a cloud computing policy to ensure those services are used appropriately and productively.
Because there are different types of clouds (e.g., public, hybrid, private) offering different types of services (e.g., data storage, email, backups), no single cloud computing policy will suit every business. The requirements and expectations that belong in such a policy depend on the types of clouds and services in use.
And there’s no single way to structure the policy material, other than presenting the information in a logical manner. When compiling your cloud computing policy, you might want to include the following sections:
1. An Overview
Not all employees will be familiar with the cloud and/or the services your business uses. Start your cloud computing policy with a section that gives an overview or background information. Use easily understood language, with as little jargon as possible. Keep it short and simple to absorb. Remember to include a statement of purpose: why this policy exists and what it's intended to address.
2. The Scope
List the specifics of your cloud computing policy, such as who it applies to. Individuals? Groups? Full-time employees only, or contractors as well? You could also specify the types of clouds to which the policy applies. For example, the policy pertains to all types of external cloud services.
3. Policy Requirements
Your cloud computing policy must list the requirements and expectations associated with using your business's cloud services. Examples include the following:
- Processes to be followed when evaluating or selecting cloud service providers.
- Legal requirements, compliance, current laws and regulations, including data privacy regulations.
- Associations to existing IT requirements. Cloud service providers may need to comply with your existing security and/or risk management policies.
- Authority requirements. Employees may be instructed to gain prior authority before opening a new cloud service account specifically for business purposes.
- Unacceptable practices, such as the sharing of cloud service passwords or the use of personal cloud services for business purposes.
4. Guidance Section
Consider including a section on how to meet the outlined requirements and expectations. Discuss what kind of assessments must be done when evaluating and selecting a cloud service provider. Conducting security checks? Risk assessments of potential providers? And who is to perform them?
Outline the process employees should follow to have a cloud service authorised for use. Or perhaps list the pre-approved cloud services.
5. Compliance
The compliance section is often the shortest, but that does not make it any less important. Outline how policy exceptions are handled and what consequences follow from non-compliance with the cloud computing policy.