Purpose
The policy outlines the security practices and processes for using cloud services in the daily operations, data manipulation and storage and use of applications at SNPO-MC organization.
Scope
The policy will be used by managers, executive, staff and as a guide to negotiating terms with cloud providers.
Definitions
Employees of the organization are people who work in the organization.
Executives who are on the loan are referred to as loaned staff members, and they usually telework for the group on specific days of the week.
Volunteers regularly telework from their homes a few days of the week.
Cloud Computing Services
-
Platform as a Service
The cloud vendor shall provide computing platform where SNPO-MC will develop applications and deploy applications. The service shall be implemented with security protocols both from the vendor and SNPO-MC.
-
Infrastructure as a Service
The cloud vendor shall provide servers to host the companies website, emails, remote access and software applications and file servers. It shall also include networking equipment and VPN configurations.
-
Software as a Service
The cloud vendor shall host some software that will be used by both the employees, teleworkers and volunteers in processing and submission of data for the databases.
The cloud provider shall implement a hybrid cloud where a private cloud dedicated to providing services to SNPO-MC, and it shall also allow employees of SNPO-MC to access its public cloud for other services. The private network will be hosted off SNPO-MC premises, but will be operated by both SNPO-MC cloud provider and IT personnel. The will cause cloud to burst between the private and public clouds.
Policy Statement
Overview
Cloud computing services provide an infrastructure, tools and software that can be accessed by SNPO-MC over the Internet. Big corporations such as Microsoft, Google, Amazon have these services so that consumers can have them easily and cheaply accessible. Most of the cloud services provide support for communication, data storage, data analysis, data processing, project management, and scheduling. Cloud services should be very convenient for SNPO-MC staff and managers to use, since they are readily available via the Internet to workstations, computers, smartphones and laptops. Given the numerous benefits of the cloud, security is a primary concern, especially in the public sector, where unauthorized access to organizational data can compromise the operations of a sector organization and bring a lot of losses.
Standards
SNPO-MC should verify before entering into an agreement with the cloud vendor that it complies with standards from Federal Information Processing (FIPS) and NIST Special Publications (SP). The standards include:
- FIPS 199
- FIPS 200
- SP 800-53, Appendix J
- SP 800-61, Revision 1
- SP 800-122
Cloud Security Considerations
-
Procuring and Licensing Cloud Services
The appointment of a Chief IT Manager would be responsible for all cloud service deals with cloud vendors. The IT manager must take a look at the execution of all security measures affecting both the general and executive staff. In consultation with the firm lawyer, the IT manager will track compliance with the appropriate government requirements with SNPO-MC cloud policies. No single department or manager in SNPO-MC is allowed to procure cloud services for the organization’s daily operations.
-
Ownership of Content
Data and information stored in the cloud databases are owned by the creator of the data. In this case SNPO-MC organization. In no case shall the cloud provider modify, replicate or reuse the data for use in general. The cloud provider will only be allowed to change the data to suit their data base format or to improve its cloud storage performance. The cloud provider is not authorized to obtain or license intellectual property rights and the laws negotiated with SNPO-MC are not subject to change period it is offering services to SNPO-MC. Before the cloud services are rolled out, the cloud provider and SNPO-MC will sign a deal to that effect.
Several catalogs of data assets will be generated to identify levels of access by the level of SNPO-MC staff. Accounting department top financial managers will be granted the freedom to read, write, and change the data from their department. Catalogs will be established for managers, offices, general staff in both New Jersey and San Francisco and they will all have a different level of access. The access levels will be for both local databases and cloud databases.
-
Privacy and Confidentiality
Identity Federation shall handle the identity and access control of the cloud services. Identity union would demand that the cloud provider exchange protection and digital identity attributes in both domains. It will require a single sign-on into the cloud services and infrastructure. Identity federation for SNPO-MC will be implemented through Security Assertion Markup Language (SAML).
The SAML standards will implement authentication to the cloud services. Authentication request failed login, and successful login information will be shared between the provider and SNPO-MC.
Five access control levels will be set with consultation with the cloud provider. The access levels will be based on the level of management, location and type of staff a person is.
An executive access level will be given extra privileges to the resources provided by the cloud vendor. The identity and roles for each executive will be defined depending on the department they come from.
IT Manager access level. The tasks for the IT manager will mainly involve maintenance of the cloud resources for the employees of SNPO-MC. The manager will be given complete access to log reports and authority to alter rules for other employees but in consultancy with the cloud vendor and top management of SNPO-MC.
New Jersey access level will define the roles of employees in New Jersey. Employees in this location will only be given access to resources and software that allow manipulation and processing of day to day data for submission into the cloud.
Los Angeles Access Level will have the same access level as those of New Jersey.
A voluntary Employees access level will allow employees who work from home access to resources. Their roles will be defined according to what department they are volunteering for.
-
Enforcement
The cloud vendor must implement security standards before rolling out the service in accordance with the policies by SNPO-MC and standards created by the USA government. The policies are bound to be reviewed after a period of one and a half years with consultancy with the cloud vendor.
-
Penalties for Violations of Policy
The cloud vendor will be subject to prosecution in a court of law if it violates any signed agreements with SNPO-MC. The violations that arise from the vendor in terms of data ownership or resources it provides may lead to penalty fines and or termination of the contract it has signed with SNPO-MC.
Employees who violate the policies assigned to them will be stripped of their cloud privileges depending on the extent of violations they have committed. Severe violations may lead to termination of the employment which will be done in consultancy with the executive management of SNPO-MC.
Use by Customer Service
-
Use by Public Relations and Corporate Communications
Shareholders will have access to a website hosted by cloud vendor on behalf of the organization.
-
Use for Advertising and E-Commerce
No cloud services will handle any e-commerce processes due to the high level of security needed to handle the transactions. At no time shall the cloud provider use the services allocated to SNPO-MC to create advertisements that support itself or use data held by SNPO-MC to create custom advertisements. SNPO-MC online ads are managed by the public cloud.
-
Use by Teleworkers
Employees who work at home will have a single point of entry into the cloud services. The equipment they will be using to access the cloud resources will have to be registered with the organization. Login authentication has to be approved before they can access the services. The cloud vendor will have to provide an appropriate key encryption protocol for the login details.
The cloud vendor shall provide and configure a VPN for the teleworking employees to access the cloud services securely. For three locations, the vendor will build PVPN, the main SNPO-MC domain, the New Jersey and Los Angeles sites.
Review Requirements (when, by whom)
The security policies will be reviewed after a year and a half with consultancy with the cloud vendor. The analysis will be undertaken by the SNPO-MC IT Manager with at least three members from the SNPO-MC IT team, an executive officer, a consultant from third parties and representatives from the cloud vendor.
Content management and generation an employee will be allocated storage space of 5 GB, an email address personalized according to the organization’s name. The storage space will only be used to store documents associated with the company work and might not at any time be used by employees to store personal data.
References
- Wayne Jansen, Timothy Grance (2014). NIST: Guidelines on Security and Privacy in Public Cloud Computing .NIST. New York.
- Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the
- National Institute. Gaithersburg: National Institute of Standards and Technology. https://csrc.nist.gov/publications/drafts/800‐145/Draft‐SP‐800‐145_cloud‐definition.pdf