Understand that most Internet Use Policies were written at a time when all you did was browse websites.
Now with over 25,000 cloud services where users can actually store data, the need to govern who uses what and where your critical data goes is the #1 challenge.
+ Internet Use Policy
Is your Internet Use Policy relevant? Many we have seen use generic terms like "acceptable use" or "appropriate services" without defining what these actually mean.
Most IUPs are simply ignored or aren’t relevant when users bring phones and use wifi and mobile networks.
How do you align your IUP with the new cloud services landscape? We can help you reconcile both your historical internet use policy and this new, ever changing cloud requirement.
+ What does “risk” mean to you?
Every cloud service has over 50 attributes that can be used to judge its risk. Things like: Where are they hosted? Are their data centres secure? Do they encrypt? Do they share your data or sell your data? Is their legal framework similar to NZ’s? Do they claim your IP or retain your data even if you terminate the service?
How do you decide what constitutes unacceptable risk for you?
We help you rank the importance of all these attributes so that your list of High Risk services is specific to you and your areas of concern. We help you establish your own risk appetite and “overlay” this over all the known Cloud Services (more than 25,000).
+ Sanctioned Services
Do you have a list of sanctioned services that you would prefer your users to use?
If you do, how do users know what these are?
If you have a service for a particular purpose already sanctioned or licensed for use, what should happen when someone tries to use a different, unsanctioned or unlicensed service?
A classic example here is HR services. Our experience is that you will have at least 25 overseas HR cloud services in use and that you probably also have an in-house application for HR.
We help you work out why users think they need these other cloud services and whether they are sending sensitive Personally Identifiable Information offshore to places they shouldn’t.
We also help you educate users to use the right services.
+ User education and intervention
What happens when a user actually tries to use a high risk service? What do or should they see?
Should you present an education screen that directs them to better services? If so, which ones?
Should you warn them and have them acknowledge that it is for personal use and that they won’t put “agency” data in that service?
Should you just block it outright? We help you work out the right strategy for your agency and your users.
And while we are thinking about this: who within your agency is permitted to know what the users are doing? Who should have visibility of this without falling foul of any privacy laws?
We help you navigate this tricky new landscape.
+ What about Medium Risk services?
Around 85% of all services your users visit will be medium risk. This means they aren’t high risk but might be risky enough for you to want to avoid them.
As an example, dating apps are normally medium risk. Just because something isn’t high risk doesn’t mean you can ignore it.
Resultex can help you work out a strategy for medium risk services (85% of all your services in use).
+ Personal Cloud services?
Many services are used for personal use, especially social media, collaboration, dating, personal interest, shopping, auction sites and thousands of others.
How do you stop users from putting your information in their personal cloud storage account (e.g. Dropbox) to work on over the weekend? Or sending it to their own Gmail account?
What should be permitted here, and what controls are possible?
We can help you to know what is happening and to put guidelines and controls in place.
+ Getting the most out of your infrastructure investment
You will likely have highly capable firewalls, proxies and SIEMs. Many of these can be automatically “fed” scripts from McAfee MVISION for control.
We help you automate with these and get a better return on these investments by using their capabilities to the fullest extent possible, with minimum human intervention.
Even if you lock down the corporate desktop and LAN, users can often reach cloud services via their phones and tablets and guest wifi networks.
BYOD is increasingly becoming Bring Your Own Cloud. Tackling the desktops and laptops is important but only half the potential use cases.
We help you control BYOD and BYOC in a sensible and pragmatic way.
QUESTIONS QUESTIONS QUESTIONS!
We can also…
Help you set up your governance team
Help you quantify your own risks and actions
Make recommendations to remediate the risks
Help you implement automatic workflows to guide users and stay ahead of the changing cloud landscape
Help you with reporting and communications, not only to users but also upwards to your Managers, your Governance Group and your Leadership teams
… all to put you and keep you ahead of this rapidly evolving cloud service landscape.