2017-GMG-IMT-PMA005 Appendix D - Cloud Computing Policy
November 2015
Information Technology and Telecommunications / 2015-26 (August) Proposed Cloud Computing Policy v15.docx
This policy outlines best practices and approval processes in relation to the use of cloud
computing solutions that WHO may decide to use to support the processing, sharing,
storage and management of WHO data. The policy also provides guidance to users of cloud
computing solutions in the course and scope of executing their duties, as well as in the
context of their private use of cloud IT solutions that may interface with certain WHO data.
II. Overview
Cloud computing refers to the delivery of computing services over a third party proprietary
system (i.e. not completely controlled by WHO) via the Internet. These services primarily
involve infrastructure (i.e. servers, storage devices etc.), development platforms, and software
applications. The cloud refers to numerous data centers managed by third party vendors and
located throughout the world that have installed hardware necessary for the purpose of
providing cloud-based solutions accessible via the Internet.
Cloud computing offers many advantages such as lower costs, higher performance, faster
delivery of IT services, better IT security, increased scalability of services and more reliable
disaster recovery and business continuity. On the other hand, cloud computing potentially
generates corporate risks in addition to those that exist with the electronic storage of data
generally. These include compliance-related difficulties, sudden loss of service without
notification, and possible compromise of intellectual property rights.
The regulation of cloud computing solutions is therefore necessary in order to protect the
integrity and confidentiality of certain WHO data and ensure the security of its corporate IT
systems.
III. Scope
This policy applies to individuals who have been granted access by WHO to its IT systems.
This primarily involves WHO staff, interns, consultants and certain contractors, but could
also involve other persons such as WHO experts and technical advisers. This policy
pertains to all WHO cloud services.
IV. Definitions
4. Hybrid cloud or virtual private cloud model: This model, comprising both
private and public clouds, allows certain components to be hosted by an external
party while others remain within the organization’s control.
As per the current WHO Information Classification Policy, WHO information is classified as:
a. Confidential
b. Internal Use Only
c. Public
Internal Use Only: The security classification ‘internal use only’ is assigned to information
that is somewhat sensitive. Unauthorized disclosure, modification, inaccuracy or
incompleteness of ‘internal use only’ information may cause inconvenience to the
Organization and its staff. Examples of "Internal Use Only" information include, without
limitation, e-mail correspondence of a non-confidential nature, audit reports and
employment history.
Public: Information which is not sensitive and which is freely available to anyone is classified
as "Public". Security requirements for "Public" information are minimal. Such documents
may be freely accessible but not modifiable by the public.
For examples of “Confidential”, “Internal Use Only” and “Public” WHO information, and
any further information on the WHO Information Classification Policy, please refer to the
WHO eManual > XIV - Information Technology > XIV.2 Information security > XIV.2.3
Information Classification Policy.
To support the CIO in the risk assessment of the recommended solution, a Cloud
Computing Committee (“CCC”) will be established.
The CCC will be primarily responsible for evaluating the necessity to encrypt data on the
basis of a risk, cost and benefit analysis. Such analysis will therefore include consideration of
risks such as security, privacy, protection and recovery of WHO data, as well as other IT
management and legal requirements related to a cloud based solution.
If the CCC is unable to reach consensus on a given recommendation, the matter will be
brought by the CCC to the attention of DGO.
The specific scope and method of work and composition of the CCC will be set out in
Terms of Reference approved by the Director-General.
The list of WHO cloud services that have been approved in principle is available on the
ITT department intranet.
Notwithstanding the fact that a certain cloud service has been approved for use by ITT,
where such a service requires proper encryption, technical units must seek approval for
the use of that service from ITT, which will be responsible for ensuring that proper
encryption is in place. Use of cloud computing services involving WHO data must
be formally authorized on a case-by-case basis by the CIO.
For confidential or internal data, cloud solutions are normally acceptable only if proper
encryption (AES-256 or higher encryption standard) is implemented with encryption keys
generated and stored at WHO.
If proper encryption, pre-approved by ITT, is not available, cloud services may not be used.
An exception can be obtained with the approval of the CCC.
This policy recommends the creation of a CCC to support the CIO in evaluating the
necessity to encrypt data in the cloud or not. Basically this is about successfully classifying
data based on its sensitivity.
The use of cloud computing services must comply with all WHO Information Technology
policies, including the Information Classification Policy.
The following non-exhaustive list of issues should be taken into account before considering
any cloud computing solutions involving WHO data:
1. the IT priority needs of the Organization and the related business case;
2. the type of information and data to be stored, their confidentiality and sensitivity (e.g.
e-mails, old archival records, correspondence with third parties, HR or medical
information, financial information, meeting records, etc.);
3. the country where the service provider or the cloud servers are located;
4. the type of cloud solutions and configurations available and their cost and efficiency;
5. the available risk mitigation measures and mitigation costs for external, public and
hybrid clouds, including through encryption of data, segregation of data, and
appropriate contractual clauses;
6. whether storage of the information and data in question requires the agreement of,
or at least consultation with, staff and/or third parties.
1) Encryption mechanisms
3) Use of cloud services located in countries with less intrusive security laws, such as
Switzerland; and
X. Awareness raising
In connection with the implementation of this policy, ITT shall hold periodic training and
awareness raising sessions throughout WHO in partnership with regional offices. Key users
are encouraged to attend these sessions.
It is the responsibility of key users to take privacy and security into consideration when
evaluating the potential use of cloud-based IT solutions. In addition, staff who grant
access to WHO IT systems need to ensure that authorized users are aware of this policy.
XI. Compliance
Implementation of this Policy will be subject to periodic review by CRE and Internal Audit,
as appropriate, as part of WHO's risk management framework.