3.3 Baseline for Security – Cloud Computing and Policies

Needed capacities or functions - Cloud Computing and Policies

  1. Have policies addressing staff use of program-controlled cloud services, and governance around staff use of personal cloud services accounts not controlled by the program. Staff should not store case-related or client information in personal accounts.
  2. Understand terms of use, privacy policy, data ownership, security, and data portability when moving applications or data to the cloud.
  3. Review the backup and retention policies of cloud services vendors to assess the need for a third-party backup solution (e.g., some programs may have to restore files that their cloud services vendor no longer backs up after a certain retention period). If data is encrypted during a security incident (for example, by ransomware) and the organization holds its own independent copy, restoring from that third-party backup can be easier than relying on the vendor's retention alone. The legal team or general counsel should review the organization's cloud-services policies and the vendor's terms.
  4. Users with access to organization data in the cloud or office should access it from an organization-managed device or app unless a BYOD policy and Mobile Device Management ("MDM") are in place. Keeping data on devices or apps managed by the legal aid organization allows IT to retain control over the data (for example, to remotely wipe it when a device is lost or a staff member leaves).

Important Considerations and Best Practices

If staff need access to third-party applications, programs should provide business accounts managed by the organization rather than allowing staff to use personal accounts.

With any cloud-based provider, programs should be aware of the level of access the provider has to your data and of the controls that can limit that access as needed (e.g., Office 365's Customer Lockbox, which requires the organization's explicit approval before the provider's support staff can access its content). Cloud-based providers typically offer a range of security features and tools that are not all enabled by default and should be configured based on your organization's specific needs and requirements.