The document outlines a cloud computing security policy for a non-profit organization in Boston, focusing on best practices for data sharing, processing, management, and storage. It discusses various cloud service models, including SaaS, PaaS, and IaaS, while emphasizing the importance of data security and the deployment of appropriate models for collaboration among employees. Finally, it details the implementation plan, policy statements, and specific requirements for securing organizational data in the cloud environment.

1. Running head: CLOUD COMPUTING SECURITY
1
CLOUD COMPUTING SECURITY
5
Cloud Computing Security Policy
Name:
Institution:

2. Cloud Computing Security Policy
Purpose
The policy is centered on the best practices, as well as the
approval process in making use of cloud computing services,
particular in the support of sharing, processing, management,
and storage of data in a non-profit organization based in Boston.
Scope
The policy covers all the employees working within the
organization, including those working as volunteers in different
parts of the country and those considered on-loan employees in
the organization.
Policy Organization and Presentation
Cloud computing services are desirable in non-profiting making
organization, given the convenience it brings in reducing the
cost in acquiring new system. The organization is bound to
benefit in taking most of its operations on the cloud, through
entering into a contract with some of renown companies in
cloud computing. In the United States, companies such as
Amazon, Google, and Apple have entered the cloud computing
market (Haghighat, 2015). What is more, the acquisition of the
cloud services is ideal, considering the cost of the services and

3. the quality of the services provided to the companies opting to
move to the cloud (Winkler 2011). Cloud services have been
tailored in a way that they meet business needs and they have a
capability to support a wide range of businesses and non-profit
organization. In this sense, the adoption of the cloud services in
operating a non-profit organization is centered services that will
foster collaboration among the employees, enabling sharing of
data and information, enhance project management, improve
communication, as well as data analysis. An evaluation of the
companies that have embraced cloud services reveals that the
cloud services are generally easier to use. With the increased
use of the internet in last ten years, the accessibility of the
cloud services using internet connection has made it desirable
for the organization to consider cloud services. In this sense,
the non-profit organization employees are able to access some
of the important data using different platforms such as personal
computers, smartphones, workstations, and tablets (Haghighat,
2015).
Cloud Computing Definitions & Concepts
Considering organizations have moved to the cloud computing
platforms in storing of private data, choosing a computing
model that is compliant to the legislation is essential. To do
this, it is relevant to understand computing models that are in
line with objectives of the organization. Software-as-a-service
(SaaS)
The model encompasses pre-installed software, which was
created to match the needs of the customers who have chosen to
manage their applications and infrastructures. Some of the
dominant players in Saas are Google Apps and Salesforce.com.
These cloud based software has the capability to manage data
for the clients and ensure that application run smoothly.
Platform-as-a-Service (PaaS)
The PaaS model is designed in a hosted environment, which
comprises of application programming interface. The software
has the ability to run on various operating systems, for instance,
Microsoft Windows, Mac OS, and Linux among others. The

4. organization using this service enjoys a more granular control
over the applications that run in their system and the securely
stored data in the cloud. In fact, the organization can devise
controls that would be used to ensure that cloud services are
compliant with stipulated regulation (Kundra, 2010).
Infrastructure-as-a-service (IaaS)
This model is desirable for organizations that desire a better
segmentation and ensure that their applications are controlled.
What is more, it gives customers the option of leasing their
physical system and sometimes both the hardware and software
service to cloud computing service provide (Sans Institute,
2010). In other cases, the customer is permitted to install and
maintain the operating system and the security components. As
such, the customer is at liberty to come up with ways in which
data security could be enhanced.
It is worth noting that the deployment of the mentioned service
could be made possible through a number of ways. The cloud
service customer may prefer a public deployment model, in
order to make the information available to everyone (Tufts
University, 2014). In some cases, private deployment would be
ideal (Rittinghouse & Ransome, 2009). This happens after
contacting a third party service provider to provide a cloud
computing service that will be only available to one
organization. For organization that believe in sharing and
working in collaboration, the community models helps in
sharing information across organizational employees, in
particular those with similar goals and objectives. Sometimes,
organization may deem it appropriate to combine either two or
more deployment models. The combination of the models makes
it easier to integrate the data and application into a clouds
computing system (Brown, 2013).
Transition Plan & Deployment Strategy
In the deployment of a cloud service, one of the important
aspects is data security. For this reason, an appropriate model
should ensure that data is safe, and at the same time, ensure that
applications operate seamless. In the past, customers have

5. questioned the ability of the service providers in keeping
information safe, with most organization preferring the private
deployment model. Either way, the public model should still be
effective in protecting private information. In most cases, this is
possible through setting up of an authorization and restrictions
that ensures that only authentic users access information and
application in the cloud. In other words, safeguarding
information and application in the cloud is necessary in winning
customers to use a cloud-based service. In the organization, the
hybrid model is considered ideal. The model provides an
alternative to use private deployment, the community model,
and the public model. The employees in both Boston and New
Orleans offices will primarily use the private model
(Rittinghouse & Ransome, 2009). The appropriateness of the
hybrid model is linked to the fact that it gives the organization
some control over the data stored in the cloud, meaning the
organization technical department can monitor the cloud
services, and devise controls that would ensure that confidential
information is secured. Indeed, most of the organizations have
been worried, when it comes to overdependence on cloud
service provider in managing data, application, and storage,
considering the uncertainties on the failure of the cloud
services. Nonetheless, the control of the information provided
in private development restores some hope in the organization
managing its data and information (Winkler 2011).
In the organization, employees are classified as either
permanent, on loan, and volunteers. The company encourages
collaboration among permanent employees, the outsourced
personnel, and those who have accepted to volunteer. It is
important for the employees to work together in the realization
of the common goals. For this reason, the community
deployment connects all these employees to the resources that
could be useful in sharing important information. In choosing a
model that makes it easier for the employees to collaborate, it
become relatively easier to push the agenda of realizing the
objectives set by the organization (Mather, Kumaraswamy &

6. Latif, 2009).
Implementation Plan Requirements
Before the implementation process starts, the management needs
to indentify the cloud service provider. The selection criteria is
based on meeting the needs of cloud computing, for instance,
data security and response to the disruptions of services, and
the cost of the services among others. What is more, the process
of planning in the implementation of cloud solution has a closer
similarity with that of outsourcing arrangements (Tufts
University, 2014). In this case, the organization leadership will
indentify activities that would be effective if done internally.
For instance, performance of risk and security assessment,
updating of the architectural artifacts, updating of the
organizations continuity plans, as well as performing of the
acceptance tests. It is vital for the agencies to design the
internal capacities and resource, which will effectively serve to
manage the cloud services day-to-day operations. Some of the
activities at the implementation stage include the monitoring of
the performance and services offered, response to the incidents
and service disruption, managing of the configuration
documentation, coordination of the planned upgrades, and
administering of the governance arrangement (Winkler, 2011).
In addition, the organization should consider reconciling
invoices based on the services provided and handling of
disputes related to service and violation of the contract.
Protection of information is critical and the license policies
spell out how information could be circulated and data used,
once it is stored in a cloud computing system.
Policy Section: Policy Statements to Implement Cloud Security
Requirements
Considering the use of third parties in handling the organization
data, it is important to ensure that data is properly secured.
Based on the information stewardship policy, it is expected that
employees in the organization maintain and use organizational

7. data. Security policy state that the cloud service providers
should incorporate security means, in a bid to protect data.
Privacy policies are designed to restrict unauthorized access of
information. In the organization, some information needs to be
kept private. Information roles and responsibility policy states
that the managers’ role is to ensure that information is managed
responsibly. Records kept in the cloud have a set timeframe, in
which they could stay in the cloud services. In this case, the
record policy specifies the period that information can be
retained in a system. In case this information has to be
destroyed, the data destruction process should be secure.
Entering into a contract with a cloud service provider (CSP)
means that CSP should honor the contractual obligations
(American University, 2015). The core obligation of a CSP is
securing data. Given the organization has classified employees
differently, the implementation of the cloud storage services
would require following information classification and handling
policy. In this sense, the organizational management should
come up with a way of classifying data. In some cases, it is
possible that information or data access rights are violated.
Thus, handling of the data violation cases makes use of the
legal policies, which points the procedure that should be taken
in case a data security breach (Winkler, 2011). Data backup and
recovery policies are important, especially in recovering data
that may have accidentally lost from the system or sometimes
from failures of the cloud computing system. The backup of the
data is important is important in preventing huge losses of data,
in particular when there are disruptions (Ottenheimer, 2012). In
this case, the CSP cannot claim that they are not responsible for
the disappearance of important information. Security breach
policies form an important part in the implementation of the
cloud computing services. Data sharing policy is designed to
guide the sharing of data, in order to ensure that only
information is shared between the right parties.
References

8. Kundra, V. (2010). 25 Point Implementation Plan to Reform
Federal Information Technology Management. Retrieved on
February 23, 2016 from
http://www.nsa.gov/ia/_files/support/Cloud_Computing_Guidan
ce.pdf
Sans Institute (2010). Cloud Security and Compliance.
Retrieved on February 23, 2016 from
http://www.sans.org/reading-room/whitepapers/analyst/cloud-
security-compliance-primer-34910
Brown, E. (2013). NIST Publishes Draft Cloud Computing
Security Document for Comment. Retrieved on February 23,
2016 from http://csrc.nist.gov/publications/nistpubs/800-
144/SP800-144.pdf
Tufts University (2014). Cloud Computing Policies. Retrieved
on February 23, 2016 from https://it.tufts.edu/cloud-pol
American University (2015). IT Security Policy. Retrieved on
February 23, 2016 from
https://www.american.edu/policies/upload/IT-Security-Policy-
2013.pdf
Winkler, V. (2011). Securing the Cloud: Cloud Computer
Security Techniques and Tactics. Waltham: Elsevier.
Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud
Security and Privacy: An Enterprise Perspective on Risks and
Compliance. Boston: O'Reilly Media, Inc.
Ottenheimer, D. (2012). Securing the Virtual Environment: How
to Defend the Enterprise Against Attack. New Jersey: Wiley and
Sons.
Haghighat, M. (2015). CloudID: Trustworthy Cloud-based and
Cross-Enterprise Biometric Identification. Expert Systems with
Applications 42 (21): 7905–7916.
Pearson, S., & Yee, G. (2012). Privacy and Security for Cloud
Computing. New York: Springer Science & Business Media.
Rittinghouse, J., & Ransome, J. (2009). Cloud Computing:
Implementation, Management, and Security. San Francisco:
CRC Press.