Business changes from the cloud plan
Cloud plans affect most parts of organisations. It’s important to update the affected policies, classify information properly and, if needed, form a cloud adoption team.
Existing policies affected by your cloud plan
Your organisation’s cloud plan might impact:
- codes of conduct in human resources
- assurance and risk management frameworks
- internet and social media policies
- information security policies
- bring-your-own-device (BYOD) and cloud computing policies — including policies for working remotely
- acceptable use policies
- frameworks and models for enterprise architecture.
Update existing policies using your cloud plan
Your cloud plan helps your organisation to have a strategy instead of being reactive to public cloud services.
In the same way, update your organisation’s other policies to be strategic instead of reactive. They should fit with the approach in your cloud plan.
Current approach to public cloud
To get to a point of maturity with using public cloud services, see how good your organisation is at:
Strong, partnership approach to public cloud
When your organisation strengthens its approach to public cloud services, you can move your information technology (IT) and security teams towards partnership approaches with business units.
Being close to the work and business needs, people in business units look for solutions that help. By listening to business units’ insights, IT and security teams can proactively seek out new public cloud services that meet the needs of 1 or more of the business units.
Train your people to classify information
Classifying information is a must-have for respectfully and responsibly using information for the NZ government and New Zealanders. Your organisation should already be actively and properly classifying information in its day-to-day work.
To safely use public cloud services in your organisation, you need to know how to apply the Government Security Classification System.
Importance of classifying information
Train your people to make wise decisions about classifying information. These decisions affect your approach to security controls in public cloud services, for example when setting up a meeting using video conferencing software.
Example — UNCLASSIFIED and IN-CONFIDENCE information in a video conference
Let your people use their judgement to decide when to:
- allow guests, or lock down the meeting to internal staff because it may contain sensitive information
- send out a link that allows anyone to join the meeting, or a link that asks for a login and password to prevent unknown people from joining.
Example — SENSITIVE and RESTRICTED information in a video conference
Set the security configurations so that certain features are turned off.
Form a cloud adoption team
As part of your cloud plan, it might make sense for your organisation to create a team for adopting public cloud services. The team works best by having members from different roles within your organisation, such as:
- risk and security
- information technology — for example, enterprise architects
- human resources