Cloud Corporate Security Policies

Goals or mission statement for cloud services:

Short summary that clearly states the goals for using cloud services.

Data classification:

  • Sensitive corporate data.
  • Data that is protected by law, such as HIPAA, PII, and SPI.
  • Operational data that is used on a daily basis.

Scope:

Defines who and what the policies apply to.

Responsibilities:

The party responsible for key activities.

Policy statements: 

These are the specific statements that make up the policy.

Questions to Ask When Developing Cloud Security Policies

  • What services, apps, and data should be put in the cloud and why?
  • What services, apps, and data should NOT be in the cloud and why?
  • Is there a current policy that can be leveraged?
  • How is the competition handling their policies and making decisions?
  • Who should have authorization to cloud services?
  • Goals for securing cloud solution components (abuse, data theft, breaches, access control, etc.)
  • Encryption and decryption of data and traffic.

Apply Security to Achieve Defense-In-Depth

  • Find all points of vulnerability to provide a true defense-in-depth.
  • Encrypt data while it is in transit using encryption protocols.
  • Fulfil compliance requirements for HIPAA, FERPA, SCA, FCRA, COPPA, SOX, FISMA, and PCI.

Governance

  • Framework for implementation and linking governance to business requirements.
  • Create descriptions for planning, building, running, and monitoring IT processes.
  • Control objectives (requirements for managing IT services).
  • Future models to comply with current policy.
  • Compliance responsibility – Cloud Provider or Customer? Check SLA.