TargetCW Privacy
Global Privacy & Data Protection Office

Cloud Computing Policy

Cloud Computing

Intro

Cloud computing offers many advantages, including low cost, high performance, quick delivery of services and scalability. However, without adequate controls, it also exposes individuals and organizations to online threats such as data loss or theft, unauthorized access to corporate networks, steep learning curves for administration and so on. Because these services are so easy to adopt, the threats are easy to forget.

This cloud computing policy is meant to ensure that cloud services are NOT used without the knowledge of the CTO/CEO and of purchasing. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without authorization for both the spend and the service. This is necessary to protect the integrity, confidentiality, privacy and security of TargetCW's data.

TargetCW's IT department remains committed to enabling employees to do their jobs as efficiently as possible through the use of technology. The following guidelines establish a process through which you can assess and use cloud services without violating existing policies or circumventing established procedures.


Scope

This policy applies to all employees in all departments of TargetCW, including the IT and development teams and remote workers.

This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded unless you have established a personal account that contains or may contain company data. You must never house company data in "personal" accounts; doing so is a breach of company policy.

If you are not sure whether a service is cloud-based or not, please contact the IT department.


Policy

Use of cloud computing services for work purposes must be formally authorized by the CTO. The CTO will add to this policy pre-approved vendors that may be used by TargetCW staff. Until an assessment has been fully conducted, a SaaS service may be used only for assessment and testing; it may NOT be used to house, contain, transmit or analyze company data or information. The CTO will certify that security, privacy and all other IT management requirements are adequately addressed by the cloud computing vendor.

For any cloud service that requires users to agree to terms of service, the agreement must be reviewed by the CTO or the compliance team. Most large vendors have acceptable terms of service, but for large-scale vendors deployed company-wide, the legal team must review the agreements.

The use of such services must comply with TargetCW's existing Computer Usage Policy/Internet Usage Policy found in the employee handbook. 

Employees must not share login credentials with co-workers. TargetCW uses LastPass for business continuity purposes. The use of such services must comply with all laws and regulations governing the handling of personally identifiable information (PII), corporate financial data or any other data owned or collected by TargetCW. This includes compliance with the policies established by the Global Privacy and Data Protection Office.

A statement of work (SOW) and purchase order must be drawn up, and an informal RFP created, before a SaaS service is submitted for review. This ensures that we are always identifying best-in-class vendors.

As indicated above, personal cloud services accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data.

Pre-approved cloud computing services:

  • Azure (latest certification 11/01/2017; GDPR expected) - SFTP services for various clients; back-up and testing environments.

  • AWS (latest certification 11/01/2017; GDPR expected) - StaffingNation and related support products.

  • Formstack (02/01/2018; GDPR expected) - Houses data regarding worker on-boarding only.

  • LogMeIn (TBD)

  • GoToMeeting (None necessary)

  • QuickBooks (TBD) - Certain operations.

  • Xero (02/01/2018) - Certain operations.

  • Office 365 Suite (11/01/2017; GDPR expected) - Email, SharePoint, Teams, etc.