momius - Fotolia

What is the best way to write a cloud security policy?

Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these policy writing best practices.

One of the key components of an enterprise's information security program is having a strong set of cloud security policies in place. These policies can describe the information security requirements, outline how the information security program meets these requirements, and conduct risk management and prioritization.

Senior management should sign off on cloud security policies. Management provides the information security team with institutional support to protect the entire enterprise from incidents that could potentially negatively affect an individual or part of the enterprise.

Information security programs should stay updated with cloud service environmental changes. Changes like these may prompt an enterprise to create a new cloud security policy or update an existing policy. Enterprises that are new to cloud services or do not have broad usage of cloud services are in a better position to create a new cloud security policy from scratch.

For enterprises with mature or broad usage of cloud services -- where cloud services are integrated into many aspects of enterprise IT -- existing infosec security policies are more likely to be updated than rewritten. The cloud security policy should align with the enterprise cloud strategy so that the cloud security policy can support the benefits of using cloud services securely.

Cloud security policy should be approved by senior management. Given the effect of shadow IT and how easy it is to use cloud services with sensitive data without formal approval or minimal IT resources, this is a critical step. When the information security team identifies an individually managed, departmental or potentially unapproved cloud service, they will need institutional support to help facilitate the engagement and determine how to handle the discovery.

The cloud security policy should account for how new cloud services are initially assessed and the lifecycle around cloud services. As new services are needed or identified, the first basic security aspects of cloud service can be addressed and policies enforced.

Dig Deeper on Compliance