
Question


FoxFirst Consulting has been contracted to generate a comprehensive IT Policy on "Securely Accessing Cloud Data" for their new client, BtC Enterprises. You may add new sections or subsections. Reminder: You work for FoxFirst Consulting.

This company has recently migrated to Office 365, fully in the cloud. Knowing this, your client requires an IT Policy document on securely accessing Cloud Resources and Data, acceptable use, and approved services.

Generate:

Abstract
Submission Academic Introduction that 1) Opening statement, 2) Provides background to the paper and identifies the problem(s) (WHAT), 3) Demonstrates WHY the problem(s) need to be solved, 4) Summarizes the solution, 5) Provides a "Bridge-in" to the next section
Template:
Policy Template

Introduction:
Policy Title: Name the formal title of the policy.
Policy Author: Name the person or group responsible for this policy's creation.
Policy Owner: Name the person or group responsible for this policy's management.
Policy Approver(s): Name the person or group responsible for implementation approval of this policy.
Effective Date: List the date that this policy went into effect.
Next Review Date: List the date that this policy must undergo review and update.

1. Purpose
The purpose section contains the reasons for developing and maintaining the policy. Describe the factors or circumstances that mandate the existence of the policy. Also state the policy's basic objectives and what the policy is meant to achieve.

2. Scope
This section explains where the policy applies. It can include sections that call out specific groups, services, or locations. Define to whom and to what systems this policy applies. List the employees required to comply or simply indicate "all" if all must comply. Also indicate any exclusions or exceptions (e.g., those people, elements, or situations that are not covered by this policy or where special consideration may be made).

2.1 Pre-Approved Cloud Services
List any pre-approved cloud services along with directions for accessing them and creating a user account. (What services are allowed?)

2.2 Unauthorized Services
In this section, explain what cloud-based services are not permitted.

2.3 Information Types
Provide a list of information types covered by this policy. Use data classification best practices to label the data your organization stores and processes.
Example: This policy applies to all customer data, personal data and other company data defined as sensitive by the company's data classification policy. The sensitive data types covered by this policy include:
Identity and authentication data:
Financial data:
Proprietary data:
Employee personal data:

3. Definitions
Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is sufficient.

4. Secure Usage of Cloud Computing Services
This section defines the requirements for acceptable use of cloud services.
Example: All cloud-based services must be approved prior to acquisition and deployment. To ensure secure adoption and usage of cloud services, the following steps must be taken:

4.1 Acceptable Use
Describe/define proper and improper behaviour when users can access company resources. Include restrictions on the use of company resources for non-business-related activities. Can also include details of how the company will monitor and enforce this section of the policy.

4.2 Passwords
In this section, explain the requirements for the length and complexity of passwords, how they expire, what can and cannot be reused and for how long, sharing (NO), lockouts, and the procedure for resetting forgotten passwords, etc.

4.3 Email
Describe how your organization specifies how email can and should be used, whether mailboxes are encrypted, and describe techniques used to help prevent/deter phishing and other similar breaches/attacks.

4.4 Social Media
Describe your organization's position on using social media while on company time. What is and is not acceptable.

5. Security Controls
The cloud security policy specifies the various security components available and in use by the organization. It should include both internal controls and the security controls of the cloud service provider, breaking out specific groups of requirements, including technical and control requirements, mobile security requirements, physical security requirements and security controls assurance practices.

5.1 Auditing
Auditing access attempts, changes to system configuration and network activities is critical for both security and compliance with various regulations designed to protect sensitive data. Data security policies should spell out the level of control required and the methods for achieving it.

5.2 Security Incident Reporting
The data security policy should also address incident response and reporting, specifying how data security breaches are handled and by whom, as well as how security incidents should be analyzed and "lessons learned" should be applied to prevent future incidents.

5.3 Mobile Security Requirements
This section should include controls for configuring mobile access, generating a robust identity, device monitoring, employing anti-malware solutions and mobile device management.

5.4 Physical Security Requirements
Include in the policy the reasons for designing and applying countermeasures against damage to physical access and equipment. Highlight protection of power, temperature, water, and other utilities at the data center location. Physical security also covers issues from natural and human-made disasters, such as the process for disaster recovery.

5.5 Security Controls Assurance
This section defines how often security controls should have a regular IT health check.

6. Ownership and Responsibilities
In this section, list all roles (not names of people) related to cloud security actions, controls, and procedures. Examples can include cloud security administrators, data owners, users, and cloud providers. Describe each role and the associated responsibilities for safe cloud usage and security maintenance. To compile this list, consider the following questions:
Who is using the cloud?
Who is responsible for maintaining the cloud service on the organizational end and the provider end?
Who is responsible for maintaining cloud security?
Who is responsible for selecting new cloud solutions?

7. Awareness-Raising
This section spells out how often the organization should perform security training, who must pass the training and who is responsible for conducting the training.

8. Enforcement
This part details the penalties for policy violations and how they will be enforced.

9. Related Documents/Policies
This section lists all documents related to the cloud security policy and procedures.
[Organization] IT Security Policy
[Organization] Code of Conduct
[Organization] Human Resources Policies
[Organization] Policy Handbook
[Insert Policy]
(Include links or storage location)

DECLARATION (SAMPLE)