If your business uses the cloud, it’s best that it has a cloud
computing policy ensuring those services are being used appropriately and
Given there are different types of clouds (e.g., public,
hybrid, private) with different types of services (e.g., data storage, email,
backups), there isn’t going to be a single cloud computing policy that a
business could use. The unique requirements and varied expectations that need
to be included in such a policy will depend on the types of clouds and the services
And there’s no single way to structure the policy material,
other than presenting the information in a logical manner. When compiling your
cloud computing policy, you might want to include the following sections:
1. An Overview
Not all employees will be
familiar with the cloud and/or services your business uses. Start your cloud computing
policy with a section that gives an overview or background information. Use
easily understood language, with as little jargon as possible. Keep it short
and simple to absorb. Remember to include a statement of purpose: why
this policy exists and what it’s intended to address.
2. The Scope
List the specifics of your cloud computing policy, such as
who it applies to. Individuals? Groups? Full-time employees or contractors as
well? You could also specify the types of clouds to which the policy applies.
For example, the policy pertains to all types of external cloud services.
3. Policy Requirements
Your cloud computing policy must list the requirements and
expectations associated with using your business’ cloud services. Examples
can include the following:
to be followed when evaluating or selecting cloud service providers
requirements, compliance, current laws and regulations, including data
to existing IT requirements. Cloud service providers may need to comply
with your existing security and/or risk management policies.
requirements. Employees may be instructed to gain prior authority before
opening a new cloud service account specifically for business purposes.
practices such as the sharing of cloud service passwords or the use of
personal cloud services for business purposes
4. Guidance Section
Consider including a section on how to meet the outlined
requirements and expectations. Discuss what kind of assessments must be done
when evaluating and selecting a cloud service provider. Conducting security checks?
Risk assessments of potential providers? And who is to perform them?
Outline the process employees should follow to have a cloud
service authorised for use. Or perhaps list the pre-approved cloud services.
The compliance section is often the shortest, but that does
not make it any less important. Outline how to handle policy exceptions, or any
consequences associated with non-compliance with the cloud computing policy.
As always, if you’re still unsure, call us to discuss how we
can help you and your business with cloud services and providers.