What’s in a Cloud Policy?


A well-thought-out cloud policy can save your organization time and trouble

As cloud options become more and more popular as a cost-effective data storage solution, many people, from CIOs to small business owners, are thinking about whether their organizations can benefit. But before you engage with cloud solutions, you’ll need a cloud policy.

Before you draft the contents of a cloud policy, consider these two concepts.

  • Scope and classification of data are preconditions to a cloud policy
  • Lack of specificity in your policy will invalidate all cloud benefits

1st: Figure out your scope

It’s important to remember that a cloud policy is not an IT policy; it’s a corporate policy. As a rule of thumb, the cloud is like a product/service combination, and its requirements span a lifecycle: procurement, maintenance, and retirement.

2nd: Classify your data

If you haven’t done so already, now is the time to ensure that your company classifies data in its custody based on its legal obligations. For example: Personal Information (PI), Employee Personal Information, Personal Health Information (PHI), etc. Data classification is a precondition.

3rd: Define your Cloud Policy Table of Contents

Privacy and security considerations are key to any good cloud policy, but they are only part of what needs to be covered. A good cloud policy should include considerations for:

  1. Full lifecycle: Your policy should cover the full lifecycle of cloud participation. Given that there are several different kinds of cloud services, your organization needs to figure out rules for:
    • Procurement
    • Maintenance
    • Retirement
  2. Brand requirements: Specify what your organization’s brand requirements and expectations are.
  3. Speed of adoption: It is best to indicate your strategy and timelines for adopting a cloud solution.
  4. Privacy and security considerations: At a minimum, a cloud policy should ensure coverage of:
    • Governance
    • Due diligence
    • Location of PHI/PI
    • Risk management, including breach management and encryption

Test your policy

The development of a good cloud policy will take time. Before launching your policy, it’s worthwhile to test it on an existing or upcoming project. Run through an end-to-end scenario, and note if there are any discrepancies.

To create a cloud policy that covers all legal and practical requirements, you will need a document that covers all the above points, includes the data classification, and is beneficial to your various organizational constituents.