ISMS/01-policies/cloud-security-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00


Title: Cloud Security Policy
Document ID: [POL-CLOUD-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Cloud Security Policy

Purpose

This policy defines BlackDice's high-level requirements for securing cloud services and cloud-hosted workloads used to deliver and support its business operations.

Scope

This policy applies to cloud platforms, managed cloud services, cloud administration functions, infrastructure as code, and cloud-hosted workloads within the ISMS scope.

Objectives

  • maintain secure and controlled use of cloud services
  • reduce risk arising from misconfiguration, excessive privilege, and unmanaged change
  • support resilient and auditable cloud-native operations

Principles / Policy Statements

Cloud services must be selected, configured, and operated according to approved security requirements and risk assessments.

Responsibilities between BlackDice and cloud providers must be understood and reflected in control design.

Production cloud environments, management planes, and supporting automation must be subject to stronger access, change, and monitoring controls.

Security requirements for cloud-native workloads must consider identity, networking, secrets, logging, configuration management, and resilience.

Material cloud architecture changes must be assessed for security impact before implementation.

Roles and Responsibilities

  • [Role] must define cloud security expectations and oversight.
  • Platform and service owners must ensure secure operation of their cloud resources.
  • Engineering and operations teams must implement approved controls in cloud environments.

Compliance / Exceptions

Cloud control gaps or deviations from baseline requirements must be documented and addressed through remediation or approved exception.

Monitoring and Review

This policy should be reviewed through configuration assurance, access review, incidents, supplier oversight, and audit.

Related Documents

  • Information Security Policy
  • Kubernetes Security Standard
  • Secure Configuration Standard
  • Network and Infrastructure Security Policy

Version Control

| Version | Date | Description of Change | Author |
|---|---|---|---|
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |