Question
Assignment of Information Technology Service Management
Template
BtC Enterprises
Secure Cloud Usage Policy
This template outlines how an organization's end users can securely use cloud services through acceptable usage guidelines.
Policy Template
Introduction: How to Use This Template
To use this policy template, simply replace the text in dark grey with information customized to your organization. When complete, delete all introductory or example text and convert all remaining text to black prior to distribution.
As a starting point, several common policy sections are included below. These are designed to match those used by myPolicies and should be included in every policy. Customize the content of each section to your organization.
Policy Title | Name the formal title of the policy. |
Policy Author | Name the person or group responsible for this policy's creation. |
Policy Owner | Name the person or group responsible for this policy's management. |
Policy Approver(s) | Name the person or group responsible for implementation approval of this policy. |
Effective Date | List the date that this policy went into effect. |
Next Review Date | List the date that this policy must undergo review and update. |
1. Purpose
The purpose section contains the reasons for developing and maintaining the policy. Describe the factors or circumstances that mandate the existence of the policy. Also state the policy's basic objectives and what the policy is meant to achieve.
2. Scope
This section explains where the policy applies. It can include sections that call out specific groups, services, or locations. Define to whom and to what systems this policy applies. List the employees required to comply or simply indicate all if all must comply. Also indicate any exclusions or exceptions (e.g., those people, elements, or situations that are not covered by this policy or where special consideration may be made.)
2.1 Pre-Approved Cloud Services
List any pre-approved cloud services along with directions for accessing them and creating a user account. (What services are allowed?)
2.2 Unauthorized Services
In this section, explain what cloud-based services are not permitted.
2.3 Information Types
Provide a list of information types covered by this policy. Use data classification best practices to label the data your organization stores and processes.
Example: This policy applies to all customer data, personal data and other company data defined as sensitive by the company's data classification policy. The sensitive data types covered by this policy include:
Identity and authentication data:
Financial data:
Proprietary data:
Employee personal data:
3. Definitions
Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is sufficient.
4. Secure Usage of Cloud Computing Services
This section defines the requirements for acceptable use of cloud services.
Example: All cloud-based services must be approved prior to acquisition and deployment. To ensure secure adoption and usage of cloud services, the following steps must be taken:
4.1 Acceptable Use
Describe or define proper and improper behaviour for users accessing company resources. Include restrictions on the use of company resources for non-business-related activities. This section can also include details of how the company will monitor and enforce this part of the policy.
4.2 Passwords
In this section, explain the requirements for the length and complexity of passwords, how they expire, what can and cannot be reused and for how long, sharing (NO), lockouts, and the procedure for resetting forgotten passwords etc.
4.3 Email
Describe how email can and should be used in your organization, whether mailboxes are encrypted, and the techniques used to help prevent or deter phishing and similar breaches or attacks.
4.4 Social Media
Describe your organization's position on using social media while on company time, including what is and is not acceptable.
5. Security Controls
The cloud security policy specifies the various security components available and in use by the organization. It should include both internal controls and the security controls of the cloud service provider, breaking out specific groups of requirements, including technical and control requirements, mobile security requirements, physical security requirements and security controls assurance practices.
5.1 Auditing
Auditing access attempts, changes to system configuration and network activities is critical for both security and compliance with various regulations designed to protect sensitive data. Data security policies should spell out the level of control required and the methods for achieving it.
5.2 Security Incident Reporting
The data security policy should also address incident response and reporting, specifying how data security breaches are handled and by whom, as well as how security incidents should be analyzed and lessons learned should be applied to prevent future incidents.
5.3 Mobile Security Requirements
This section should include controls for configuring mobile access, generating a robust identity, device monitoring, employing anti-malware solutions and mobile device management.
5.4 Physical Security Requirements
Include in the policy the reasons for designing and applying countermeasures against damage to physical access and equipment. Highlight protection of power, temperature, water, and other utilities at the data center location. Physical security also covers issues from natural and human-made disasters, such as the process for disaster recovery.
5.5 Security Controls Assurance
This section defines how often security controls should have a regular IT health check.
6. Ownership and Responsibilities
In this section, list all roles (not names of people) related to cloud security actions, controls, and procedures. Examples can include cloud security administrators, data owners, users, and cloud providers. Describe each role and the associated responsibilities for safe cloud usage and security maintenance.
To compile this list, consider the following questions:
Who is using the cloud?
Who is responsible for maintaining the cloud service on the organizational end and the provider end?
Who is responsible for maintaining cloud security?
Who is responsible for selecting new cloud solutions?
7. Awareness-Raising
This section spells out how often the organization should perform security training, who must pass the training and who is responsible for conducting the training.
8. Enforcement
This part details the penalties for policy violations and how they will be enforced.
9. Related Documents/Policies
This section lists all documents related to the cloud security policy and procedures.
[Organization] IT Security Policy
[Organization] Code of Conduct
[Organization] Human Resources Policies
[Organization] Policy Handbook
[Insert Policy] (Include links or storage location)
Approval
Include a section that has the signature of the signing authority, confirming that the policy has been put into effect. Both signature and date are required. A sample statement is provided below.
This policy must be signed by the appropriate officer (listed below) before it is considered approved and put into force.
___________________________________________
Officer Name
___________________________________________ _______________________
Officer's Signature Date
Agreement
Include a section that confirms understanding and agreement to comply with the policy. Both signature and date are required. A sample statement is provided below.
I have read and understand the [name of policy]. I understand that if I violate the rules explained herein, I may face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________ ________________________
Employee Signature Date
Revision History
Version | Change | Author | Date of Change |
SCENARIO: FoxFirst Consulting has been contracted to create a comprehensive IT Policy on "Securely Accessing Cloud Data" for their new client, BtC Enterprises. You may add new sections or subsections.
Reminder: You work for FoxFirst Consulting. This company has recently migrated to Office 365, fully in the cloud. Knowing this, your client requires an IT Policy document on securely accessing Cloud Resources and Data, acceptable use, and approved services.
YOUR ASSIGNMENT: SUBMIT 1 MS Word document that includes/combines all of the following:
1. Cover Page.
2. Declaration Statements - Include the following declaration statements on this page:
- A copy of the provided statement that must be paraphrased or inserted as an image. Include your name in the statement and below the statement. Your name is your signature.
- A one-line statement that indicates how much time you spent working on this assignment.
3. Abstract - 150 words (or less) that summarizes the effort. Abstracts do not add any new information not discussed in the document.
4. Table of Contents - Live-Linked and steps 1,2,3 should NOT be listed in ToC
5. Submission Academic Introduction that 1) Opening statement, 2) Provides background to the paper and identifies the problem(s) (WHAT), 3) Demonstrates WHY the problem(s) need to be solved, 4) Summarizes the solution, 5) Provides a "Bridge-in" to the next section.
- Introduction must be 5 sentences minimum