Goals or mission statement for cloud services:
Short summary that clearly states the goals for using cloud services.
- Sensitive corporate data.
- Data that is protected by law, such as HIPAA, PII, and SPI.
- Operational data that is used on a daily basis.
Defines who and what the policy applies to.
The party responsible for key activities.
These are the specific statements that make up the policy.
Questions to Ask When Developing Cloud Security Policies
- What services, apps, and data should be put in the cloud and why?
- What services, apps, and data should NOT be in the cloud and why?
- Is there a current policy that can be leveraged?
- How is the competition handling their policies and making decisions?
- Who should have authorization to cloud services?
- Goals for securing cloud solution components (abuse, data theft, breaches, access control, etc.)
- Encryption and decryption of data and traffic.
Apply Security to Achieve Defense-In-Depth
- Find all points of vulnerability to provide a true defense-in-depth.
- Encrypt data while it is in transit using encryption protocols.
- Fulfil compliance requirements for HIPAA, FERPA, SCA, FCRA, COPPA, SOX, FISMA, and PCI.
- Framework for implementation and linking governance to business requirements.
- Create descriptions for planning, building, running, and monitoring IT processes.
- Control objectives (requirements for managing IT services).
- Future models to comply with current policy.
- Compliance responsibility – Cloud Provider or Customer? Check SLA.