
What is the best way to write a cloud security policy?

Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these policy writing best practices.

One of the key components of an enterprise's information security program is a strong set of cloud security policies. These policies can describe the information security requirements, outline how the information security program meets those requirements, and set out how risk management and prioritization are conducted.

Senior management should sign off on cloud security policies. Management provides the information security team with institutional support to protect the entire enterprise from incidents that could negatively affect an individual or part of the enterprise.

Information security programs should stay current with changes in the cloud service environment. Changes like these may prompt an enterprise to create a new cloud security policy or update an existing policy. Enterprises that are new to cloud services or do not have broad usage of cloud services are in a better position to create a new cloud security policy from scratch.

For enterprises with mature or broad usage of cloud services -- where cloud services are integrated into many aspects of enterprise IT -- existing information security policies are more likely to be updated than rewritten. The cloud security policy should align with the enterprise cloud strategy so that it can support the benefits of using cloud services securely.

Cloud security policy should be approved by senior management. Given the effect of shadow IT and how easy it is to use cloud services with sensitive data without formal approval or with minimal IT resources, this is a critical step. When the information security team identifies an individually managed, departmental or potentially unapproved cloud service, they will need institutional support to help facilitate the engagement and determine how to handle the discovery.

The cloud security policy should account for how new cloud services are initially assessed and for the lifecycle around cloud services. As new services are needed or identified, the first basic security aspects of the cloud service can be addressed and policies enforced.

This was last published in June 2019
