If your business uses cloud services, it is a good idea to have a cloud computing policy. It can help ensure that the cloud services are being used appropriately and productively.
With so many different types of clouds (e.g., public, hybrid, private) and cloud services (e.g., data storage, email, backups), there isn’t a one-size-fits-all policy that companies can use. The requirements and expectations that need to go into this policy will depend on the types of clouds and cloud services being used, and a company’s IT and security practices.
Similarly, there is no single right way to present the material. The information just needs to be presented in a logical manner. One approach is to follow the organizational structure used in your acceptable use policy, adapting it where needed. When following this approach, you might want to include the following five sections in your cloud computing policy:
1. Overview Section
Some employees might not be familiar with cloud services, so you might want to begin your cloud computing policy with a section that gives an overview or background information on them. This section needs to be easy to understand, even for technically challenged people. Keep it short and avoid using technical jargon.
The overview section is also a good place to state the purpose of the policy. If you are not sure of what to say, check out the purpose statements in these policies:
- IT Manager Daily’s Cloud Computing Policy
- US Department of Commerce’s Cloud Computing Policy
- Tufts University’s Cloud Computing Services Policy
2. Scope Section
A cloud computing policy should include a section that notes its scope. In other words, this section should specify to whom the policy applies. Besides pertaining to employees, the policy might also apply to other groups, such as temporary workers or contractors if they use a cloud service to carry out their duties.
Some businesses also specify the types of clouds to which the policy applies. For example, they might state that the policy pertains to all types of external cloud services.
3. Policy Section
The cloud computing policy must have a section that lists the requirements and expectations associated with using cloud services. Here is a sampling of the types of requirements and expectations you might find in this section:
- Processes that must be followed when evaluating and selecting cloud service providers
- Legal requirements (e.g., cloud service usage must comply with all current laws and regulations, including data privacy regulations)
- IT requirements (e.g., cloud service providers must comply with the company’s IT security and risk management policies as well as any other policies that might apply)
- Practices that employees must follow (e.g., need to get prior authorization to open a new cloud service account specifically for business purposes)
- Unacceptable practices (e.g., employees cannot share their cloud service passwords or use their personal cloud services for work)
4. Guidance Section
Some cloud computing policies include a section that provides guidance on how to meet the outlined requirements and expectations. For example, this section might discuss what kind of assessments must be done when evaluating and selecting a cloud service provider (e.g., conduct security and risk assessments of potential providers) and who is to perform them.
Similarly, the guidance section might discuss the process employees should follow to get a cloud service authorized for use. Companies sometimes even provide a list of pre-approved cloud services.
5. Policy Compliance Section
The compliance section is often the shortest one. That does not make it any less important, though. Besides describing how to handle policy exceptions, this section spells out the consequences associated with not complying with the cloud computing policy.