This policy provides guidelines for secure and effective cloud computing operations to ensure the integrity and privacy of company-owned information.
From the policy:
The list of advantages to cloud computing includes lowered operational costs, greater technological flexibility, and the ability to rapidly implement new systems or services. Gains in business continuity are an especially noteworthy attraction to cloud services, which operate via remote systems that remain running in the event of a local disaster, such as a hurricane or power outage.
However, cloud computing has also opened up new opportunities for impact by security threats or lost data. Storing files outside the organization can pose a greater risk for data breaches due to mishandled files and credentials or failure to follow security best-practice controls. Cloud services might shut down or employ individuals who pry into customer data and extract company secrets. Files kept in the cloud might not be covered by any service agreement relating to the restoration of lost or corrupt data. Files synchronized to unprotected personal devices might then become compromised if these devices are lost or stolen. Finally, many cloud providers may utilize facilities in countries or territories that may utilize different standards or regulations or that might subject company data to international or export restrictions.
In short, a significant set of concerns arises when it comes to the risk of using cloud services. These risks are compounded further by the often decentralized role IT plays in cloud computing, which can easily be set up by users with just a few mouse clicks and no money down. It could take bare moments for critical or sensitive data to be sent offsite, either deliberately or by mistake.
Therefore, to protect the organization and its employees it is critical to establish a clear and firm policy governing how company data is to be kept (or not) in the cloud.