CLOUD COMPUTING POLICY

PURPOSE

The purpose of this Cloud Computing Policy is to ensure that Protected or Sensitive data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by, or associated with, {{client_name}} for services such as, but not limited to, social networking applications (i.e. all social media, blogs and wikis), file storage, and content. Acceptable and unacceptable cloud storage services are listed in the appendix. All other cloud services are approved on a case-by-case basis.

SCOPE

This Cloud Computing Policy applies to all persons accessing and using third-party services capable of storing or transmitting protected or sensitive electronic data that are owned or leased by {{client_name}}, to all consultants or agents of {{client_name}}, and to any parties who are contractually bound to handle data produced by {{client_name}}, in accordance with our contractual agreements and obligations.

POLICY

The following table outlines the data classification and proper handling of {{client_name}} and {{client_name}} Client data.

| Data Classification | Cloud Storage                                                  | Network Drive           | Local Storage |
|---------------------|----------------------------------------------------------------|-------------------------|---------------|
| Confidential        | Provided appropriate account controls are in place, MFA required | No special requirements | Not allowed   |
| Sensitive           | Requires CEO approval                                          | No special requirements | Allowed       |
| Public              | Allowed                                                        | Allowed                 | Allowed       |

Central servers that require authentication are the preferred location for storing all categories of data. Sensitive Data can be stored on the {{client_name}} instance of OneDrive provided access to the data is protected by Multi-Factor Authentication and sharing is set to “People in {{client_name}} with the link”. It is never acceptable to store Confidential data on any other cloud service. This includes data such as financial data, private correspondence, research, etc.

Definitions

Confidential Data – Any data that contains personally identifiable information concerning any individual and is regulated by local or international privacy regulations.

Sensitive Data – Any data that is not classified as Confidential Data, but which is information that {{client_name}} would not distribute to the general public.

Public Data – Any data that {{client_name}} is comfortable distributing to the general public.

General Data Protection Terms

{{client_name}} must specify particular data protection terms in a contract with a cloud-computing vendor. In this way, we create a minimum level of security for our data and our client’s data. A minimum level of security ensures that data is kept confidential, is not changed inappropriately, and is available to the business as needed.

The business should consider the following contract terms to ensure a minimum level of information security protection:

  • Data transmission and encryption requirements
  • Authentication and authorization mechanisms
  • Intrusion detection and prevention mechanisms
  • Logging and log review requirements
  • Security scan and audit requirements
  • Security training and awareness requirements

COMPLIANCE

Compliance Measurement

The {{client_name}} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exceptions to the policy must be approved by the CEO in advance.

Non-Compliance

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

RELATED STANDARDS, POLICIES AND PROCESSES