Cloud Computing Policy

The purpose of this policy is to ensure that Protected or Sensitive data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, Hedgehog Security for services such as, but not limited to, social networking applications (i.e. all social media, blogs and wikis), file storage, and content. Acceptable and unacceptable cloud storage services are listed in the appendix. All other cloud services are approved on a case-by-case basis.


POLICY: CLOUD COMPUTING POLICY
Effective: March 2021
Version: EC21


PURPOSE
The purpose of this policy is to ensure that Protected or Sensitive data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, {{client_name}} for services such as, but not limited to, social networking applications (i.e. all social media, blogs and wikis), file storage, and content.  Acceptable and unacceptable cloud storage services are listed in the appendix.  All other cloud services are approved on a case-by-case basis.



SCOPE
This policy applies to all persons accessing and using third-party services capable of storing or transmitting protected or sensitive electronic data that are owned or leased by {{client_name}}, to all consultants or agents of {{client_name}}, and to any parties who are contractually bound to handle data produced by {{client_name}}, in accordance with our contractual agreements and obligations.


POLICY

The following table outlines the data classification and proper handling of {{client_name}} and {{client_name}} Client data.

Data Classification	Cloud Storage	Network Drive	Local Storage
Confidential	Provided appropriate account controls are in place, MFA	No special requirements	Not allowed
Sensitive	Requires CEO approval	No special requirements	Allowed 
Public	Allowed	Allowed	Allowed


Use of central servers, where authentication is required, is the best place to store all categories of data. Sensitive Data can be stored on the {{client_name}} instance of OneDrive provided access to the data is protected by Multi-Factor Authentication and sharing is set for “People in {{client_name}} with the link”. It is never acceptable to store Confidential data on any other cloud service.  This includes data such as financial data, private correspondence, research, etc.

Definitions
Confidential Data - Any data that contains personally identifiable information concerning any individual and is regulated by local or international privacy regulations.

Sensitive Data - Any data that is not classified as Confidential Data, but which is information that {{client_name}} would not distribute to the general public.

Public Data - Any data that {{client_name}} is comfortable distributing to the general public.


General Data Protection Terms
{{client_name}} must specify particular data protection terms in a contract with a cloud-computing vendor. In this way, we create a minimum level of security for our and our client’s data. A minimum level of security ensures that data is kept confidential, is not changed inappropriately, and is available to the business as needed.

The business should consider the following contract terms to ensure a minimum level of information security protection: 
•	Data transmission and encryption requirements
•	Authentication and authorization mechanisms
•	Intrusion detection and prevention mechanisms
•	Logging and log review requirements
•	Security scan and audit requirements
•	Security training and awareness requirements
 
COMPLIANCE
Compliance Measurement
The {{client_name}} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions
Any exceptions to the policy must be approved by the CEO in advance.

Non-Compliance	
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

RELATED STANDARDS, POLICIES AND PROCESSES

•	 All

REVISION HISTORY

•	...
    

