Cloud Usage Policy

The Cloud Usage Policy (P27) provides a unified, mandatory standard for adopting, managing, and governing cloud computing services, encompassing Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) models. It aims to ensure that all organizational use of cloud platforms is secure, compliant with relevant regulations, and supports operational efficiency and innovation while protecting the confidentiality, integrity, and availability of information assets. The policy’s scope is comprehensive, applying to all employees, contractors, third-party vendors, and consultants engaged in any provisioning, configuration, administration, or usage of cloud services. This reach extends to public, private, hybrid, and community cloud deployments, covers all data classifications, and explicitly includes both internal and vendor-hosted environments, as well as the prevention of shadow IT and personal cloud use for business purposes. Key objectives of the policy include: defining clear guidelines and baselines for cloud adoption, minimizing operational and regulatory risks (such as misconfigurations, data breaches, and unauthorized access), and mandating robust security and privacy controls through contractual obligations, continuous assessment, and audit rights for all cloud providers. The policy insists on the central maintenance of a Cloud Services Register, overseen by the CISO, which catalogues approved providers, service types, risk ratings, business owners, and contract attributes, supporting rigorous lifecycle management and ongoing compliance monitoring. Roles and responsibilities are precisely delineated, assigning management and oversight functions across Executive Management, CISO, Cloud Security Architect, IT Operations, Procurement, Legal, Data Owners, and End Users. The policy enforces strict technical and procedural controls: identity-based access management (with mandatory RBAC and MFA for administrative accounts), baseline security configurations, encryption (using NIST-approved standards), logging requirements, and cloud service integration with Security Information and Event Management (SIEM) systems. Contracts with cloud providers must address audit rights, breach notifications, data return/deletion, and compliance monitoring. Data may only be transferred to the cloud following classification, and cross-border transfers must comply with established regulations such as GDPR. Risk management is central: any deviations require documented exceptions, detailed risk treatment plans, approval by the CISO or Cloud Security Architect, and multi-level review for high-risk scenarios. Ongoing governance is enforced through regular compliance monitoring, incident response integration (escalated via the Incident Response Policy), annual reviews, and interim updates driven by incident outcomes, migrations, or regulatory changes. Violations of policy provisions, such as using unapproved cloud accounts or neglecting required controls, trigger a range of consequences, from training to legal action or termination. The Cloud Usage Policy interlinks with related policies on information security, change management, data classification, cryptographic controls, logging and monitoring, incident response, and audit, further reinforcing its role as the authoritative cloud governance foundation.