WHAT’S IN A CLOUD POLICY?
A well thought-out cloud policy can save your organization time and trouble
As cloud options become more and more popular as a cost-effective data storage solution, many people, from CIOs to small business owners, are thinking about whether their organizations can benefit. But before you engage with cloud solutions, you’ll need a cloud policy.
Before you set about drafting the contents of a cloud policy, it is important to consider these two important concepts.
- Scope and classification of data are preconditions to a cloud policy
- Lack of specificity in your policy will invalidate all cloud benefits
1st: Figure out your scope
It’s important to remember that a cloud policy is not an IT policy; it’s a corporate policy. As a rule of thumb, the cloud is like a product/service combination, and its requirements span a lifecycle: procurement, maintenance, and retirement.
2nd: Classify your data
If you haven’t done so already, now is the time to ensure that your company classifies data in its custody based on its legal obligations. For example: Personal Information, Employee Personal information, Personal Health Information, etc. Data classification is a precondition.
3rd: Define your Cloud Policy Table of Contents
Privacy and security considerations are key to any good cloud policy, but they are only part of what needs to be covered. A good cloud policy should include considerations for:
- Full lifecycle: Your policy should cover the full lifecycle of cloud participation. Given that there are several different kinds of cloud services, your organization needs to figure out rules for:
- Procurement
- Maintenance
- Retirement
- Brand requirements: Specify what your organization’s brand requirements and expectations are.
- Speed of adoption: It is best to indicate your strategy and timelines for adopting a cloud solution.
- Privacy and Security considerations: At a minimum, a cloud policy should ensure coverage of:
- Governance
- Due diligence
- Location of PHI/PI
- Risk management, including breach management and encryption
Test your policy
The development of a good cloud policy will take time. Before launching your policy, it’s worthwhile to test it on an existing or upcoming project. Run through an end-to-end scenario, and note if there are any discrepancies.
To create a cloud policy that covers all legal and practical requirements you will need a document that covers all the above points, includes the data classification, and is beneficial to your various organizational constituents.