In terms of cloud security policy, where should we draw the line with transparency? How much should we divulge?
The policies, procedures, standards and controls should be clear, but you don't need to divulge the actual technologies used. How you report adherence to these policies needs to be thorough, however. A good cloud security policy should give customers access to historical data on performance, outages and the nature of breaches, as well as the remediation actions, if any, the provider has taken to mitigate or prevent similar problems in the future. You should also divulge the hiring practices of personnel and what background checks are conducted. For example, customers will want to know: Are background checks only conducted during the hiring process, or are they also conducted regularly during employment? Are the employees required to sign a non-disclosure agreement during and after the employment?
This was first published in January 2013