Sample – Cloud Privacy and Data Loss Prevention Policy
July 20, 2020Purpose:
This document outlines the privacy policy for Corporate cloud file storage systems.
Scope:
This applies to all files stored on all cloud storage systems centrally managed by Client.
Policy:
- Expectation of Privacy:
- End users can and should expect that all files stored on organizational file systems are private to the individual file owner and any others who have functional access to the location the file is stored.
- Administrative access to files:
- Personnel providing technical support of organizational file systems may access files only with prior authorization and only for assisting a user in the resolving technical issues pertaining to a given file or folder containing files.
- Personnel providing technical support of organizational file systems may need to move or copy files to or from a different location in order to service a file. In these instances, employees will not access the file beyond what is necessary to change the location of the file.
- If an employee has been terminated files in the cloud, storage system may be reviewed by an administrator and access may be granted to the terminated employee’s supervisor.
- Storage of sensitive data
- Storage of sensitive data within cloud storage systems presents risks that extend beyond those of on-premise storage systems.
- Payment Card Information:
- Payment card information is a special class of protected data governed by Payment Card Industry (PCI) standards.
- Payment card information is not permitted to be stored on any organizational system.
- Payment Card Information:
- Storage of sensitive data within cloud storage systems presents risks that extend beyond those of on-premise storage systems.
- Personal Health Information (PII / PHI)
- PHI is a special class of data of protected data governed by the Health Insurance Portability and Accountability Act (HIPAA).
- Personal health information may only be stored on systems designated and authorized by Institutional Technology and the department producing the data to be stored.
- Personal health information may not be stored on general organizational systems.
- Other sensitive data may be stored on organizational systems on a case-by-case basis with prior approval by Institutional Technology.
- Cloud storage data loss prevention:
- As a means of preventing unauthorized or unintentional dissemination of sensitive data, Client deploys third party software that can monitor organizational managed cloud storage systems for inappropriately shared protected information. This monitoring is governed by the following:
- The software matches specific patterns of characters in order to identify:
- Social Security Numbers
- Credit card or other payment card information
- Personal identifiable and personal health information
- Monitoring for these patterns happens for files that are shared publicly, with the entire domain or with users external to the domain.
- Where documents containing the above-mentioned sensitive data are shared publicly or across the domain, the software may revoke public or domain wide sharing.
- In such a case, the end user will be notified of the specific changes made to file permissions.
- Where documents containing the above-mentioned sensitive data are shared with users external to the domain or where a high number of incidents of sensitive data are found, the software will notify the owner of the document. The owner of the document will be responsible to assess the permissions of the document and remediate any inappropriate levels of sharing.
- All of the above processes are automated and do not require Institutional Technology access to files or documents by application administrators.
- All scanning and activity by software is logged for auditing purposes.
- Do not back up files that are stored in off-premise cloud systems beyond the backup and redundancy offered by the service provider.