Below is a sample cloud computing policy template that organizations can adapt to suit their needs. It may be necessary to add background information on cloud computing for the benefit of some users. Finally, be sure to have legal counsel review it.
Company XYZ: Cloud Computing Policy
Cloud computing offers a number of advantages including low costs, high performance and quick delivery of services. However, without adequate controls, it also exposes individuals and organizations to online threats such as data loss or theft, unauthorized access to corporate networks, and so on.
This cloud computing policy is meant to ensure that cloud services are NOT used without the IT Manager/CIO’s knowledge. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without the IT Manager/CIO’s input. This is necessary to protect the integrity and confidentiality of Company XYZ data and the security of the corporate network.
Company XYZ’s IT department remains committed to enabling employees to do their jobs as efficiently as possible through the use of technology. The following guidelines are intended to establish a process whereby XYZ employees can use cloud services without jeopardizing company data and computing resources.
This policy applies to all employees in all departments of Company XYZ, with no exceptions.
This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded.
If you are not sure whether a service is cloud-based or not, please contact the IT department.
- Use of cloud computing services for work purposes must be formally authorized by the IT Manager/CIO. The IT Manager/CIO will certify that security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor.
- For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the IT Manager/CIO.
- The use of such services must comply with Company XYZ’s existing Acceptable Use Policy/Computer Usage Policy/Internet Usage Policy/BYOD Policy.
- Employees must not share log-in credentials with co-workers. The IT department will keep a confidential document containing account information for business continuity purposes.
- The use of such services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by Company XYZ.
- The IT Manager/CIO decides what data may or may not be stored in the cloud.
- Personal cloud services accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data.
Pre-approved cloud computing services
[You may want to include a list of pre-approved cloud computing services along with directions for accessing them, creating a user account, etc., to head off multiple requests for common cloud services, like Google Drive, for example.]