
Cloud Computing Adoption

Definitions 

Cloud computing: Is defined as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

Public cloud: Is based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.

Private Cloud: Is based on the standard cloud computing model but uses a proprietary architecture at an organization’s in-house facilities or uses an infrastructure dedicated to a single organization.

Financial information: Is any financial data concerning (^Company^), its employees, members, or other third parties.

Intellectual property: Is any data that is owned by (^Company^) or provided by a third party that would not be distributed to the public.

Other non-public data or information: Are any other data assets deemed the property of (^Company^) that are not intended for distribution to the public.

Other public data or information: Are any other data assets deemed the property of (^Company^) that have been approved for release to the public.

Personally Identifiable Information (PII): Is any data that contains personally identifiable information concerning any members, employees, or other third parties. 

Overview 

Cloud computing would allow (^Company^) to take advantage of technologies for storing and/or sharing documents and other files, and virtual on-demand computing resources. Cloud computing can be beneficial in reducing cost and providing flexibility and scalability. 

Purpose 

The purpose of this policy is to enable (^Company^) to make appropriate cloud adoption decisions while ensuring that it does not use, or allow the use of, inappropriate cloud service practices. Acceptable and unacceptable cloud adoption examples are listed in this policy. All other cloud use cases are approved on a case-by-case basis. 

Policy Detail 

It is the policy of (^Company^) to protect the confidentiality, security, and integrity of each member’s non-public personal information. (^Company^) takes responsibility for its use of cloud computing services: it will maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of (^Company^).

This policy permits the use of diligently vetted cloud services only with: 

  1. Providers who prove, and can document in writing, that they provide appropriate levels of protection for (^Company^) data in categories that include, but are not limited to, transport, storage, encryption, backup, recovery, encryption key management, legal and regulatory jurisdiction, audit, and privacy 
  2. Explicit procedures for all handling of (^Company^) information, regardless of the storage, sharing, or computing resource scheme used 

Cloud Computing Services

The category of cloud service offered by the provider has a significant impact on how responsibility for managing security and the associated risks is split between the customer and the provider. In every category the customer remains accountable for the data it places in the service, for who it grants access to that data, and for how the service's security settings are configured. 

  1. Infrastructure as a Service (IaaS) is a form of cloud computing that provides virtualized computing resources over the Internet. The provider supplies, and is responsible for securing, the basic IT resources such as virtual machines, disks, and networks. The customer is responsible for the operating system (including its patching and hardening), the entire software stack necessary to run its applications, and the customer data placed into the cloud computing environment. This means most of the responsibility for securing the applications and the data falls on the customer. 
  2. Software as a Service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. The infrastructure, the software, and the handling of data within the service are primarily the responsibility of the provider, since the customer has little control over these features. These aspects need to be handled appropriately in the contract and the Service Level Agreement (SLA). 
  3. Platform as a Service (PaaS) is a cloud computing service that provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application. Responsibility is shared: the provider secures the platform and the underlying infrastructure, while the customer remains responsible for its application code, its configuration of the platform, and its data. 

Privacy Concerns

There are information security and data privacy concerns about the use of cloud computing services at (^Company^). They include: 

  1. (^Company^) may have limited ability to protect or control its data, potentially leading to reduced security, an inability to comply with applicable regulations and data protection laws, or a loss of privacy where its data is aggregated with data from other cloud consumers. 
  2. (^Company^) becomes dependent on a third party for critical infrastructure and data handling processes. 
  3. (^Company^) may have only limited SLAs with a given provider, and no direct SLA with the third parties (subprocessors) that the cloud vendor contracts with. 
  4. (^Company^) is reliant on the vendor's services for the security of the underlying computing infrastructure. 

Diligence

In evaluating the potential use of a particular cloud platform, (^Company^) will pay particular attention to the foregoing, and other privacy concerns, in addition to its documented vendor due diligence program. 

Exit Strategy

Cloud services must not be engaged without first developing an exit strategy for disengaging from the vendor or service and integrating the service into (^Company^)'s business continuity and disaster recovery plans. (^Company^) must determine, before engagement, how its data would be recovered from the vendor (in what format, within what timeframe, and with what assurance of subsequent deletion on the vendor's side). 

Examples

The following table outlines the data classifications and proper handling of (^Company^) data. 

| Data Classification | Public Cloud Computing, Storage or Sharing* | Private Cloud and On-premise Computing or Storage | User access restricted by username and password or another authentication |
|---|---|---|---|
| Financial Information | Not Allowed | Allowed | No special requirements, subject to any applicable laws |
| Intellectual Property | Allowed but Not Advised | Allowed | No special requirements, subject to any applicable laws |
| Other Non-Public Data | Allowed but Not Advised | Allowed | No special requirements, subject to any applicable laws |
| Other Public Data | Allowed | Allowed | No special requirements, subject to any applicable laws |
| Personally Identifiable Information (PII) | Not Allowed | Allowed | No special requirements, subject to any applicable laws |
