Cloud Storage and BYOD Policy
2025.1
Reviewed: 9/20/2024
Updated: 9/20/2024
Purpose and Scope:
- This cloud storage and Bring Your Own Device (BYOD) policy defines the objectives, requirements and implementing instructions for storing data on removable media, in cloud environments, and on personally-owned devices, regardless of data classification level.
- This policy applies to all information and data within IMPLAN's information security program, as well as all removable media, cloud systems and personally-owned devices either owned or controlled by IMPLAN.
- This policy applies to all users of information systems within IMPLAN. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by IMPLAN (hereinafter referred to as "users"). This policy must be made readily available to all users.
Background:
- This policy defines the procedures for safely using cloud storage and personally-owned devices to limit data loss or exposure. Such forms of storage must be strictly controlled because of the sensitive data that can be stored on them. Because each of these storage types is inherently ephemeral or portable in nature, it is possible for IMPLAN to lose the ability to oversee or control the information stored on them if strict security standards are not followed.
- This document consists of two sections pertaining to cloud storage and personally-owned devices. Each section contains requirements and implementing instructions for the registration, management, maintenance, and disposition of each type of storage.
- Within this policy, the term sensitive information refers to information that is classified as RESTRICTED or CONFIDENTIAL in accordance with the Data Classification Policy (reference (a)).
Controls and Procedures
BYOD Policy
- Personally-owned Devices:
a. Organizational data that is stored, transferred or processed on personally-owned devices remains under IMPLAN's ownership, and IMPLAN retains the right to control such data even though it is not the owner of the device.
b. The ISM is responsible for conducting overall management of personally-owned devices.
c. Personally-identifiable information (PII) may not be stored, processed or accessed at any time on a personally-owned device.
d. Users of personally-owned devices are to follow the guidelines defined in the internal Acceptable Use Policy.
e. IMPLAN must reserve the right to view, edit, and/or delete any organizational information that is stored, processed or transferred on the device.
f. IMPLAN must reserve the right to perform full deletion of all of its data on the device if it considers that necessary for the protection of company-related data, without the consent of the device owner.
g. IMPLAN will not pay the employees (the owners of BYOD) any fee for using the device for work purposes.
h. IMPLAN will pay for any new software that needs to be installed for company use.
i. All security breaches related to personally-owned devices must be reported immediately to the ISM.
Cloud Storage Policy
- Cloud Storage:
a. All cloud storage systems in active use and containing data pertinent to IMPLAN must be registered in the cloud storage manifest. Registration may be accomplished by manual or automated means.
b. All cloud storage systems listed in the cloud storage manifest must be re-inventoried on a quarterly basis to ensure that they are still within the control of IMPLAN. To re-inventory an item, the owner of the cloud storage system must check in the item with IMPLAN's Information Security Manager (ISM) as defined within the Security Incident Response Policy. Re-inventory may be accomplished by manual or automated means.
c. The owner of the cloud storage system must conduct all appropriate maintenance on the system at regular intervals to include system configuration, access control, performance monitoring, etc.
d. Data on cloud storage systems must be replicated to at least one other physical location. Depending on the cloud storage provider, this replication may be automatically configured.
e. IMPLAN must only use cloud storage providers that can demonstrate, either through security accreditation, demonstration, tour, or other means, that their facilities are secured, both physically and electronically, using best practices.
f. If the cloud storage system contains sensitive information, that information must be encrypted in accordance with the Encryption Policy.
g. Data must be erased from cloud storage systems using a technology and process that is approved by the ISM.
h. When use of a cloud storage system is discontinued, the system owner must inform the ISM so that it can be removed from the cloud storage manifest.