
Cloud Computing Policy

Information Technology and Telecommunications

Responsible Department : WHO/GMG/ITT

Office of the CIO

November 2015
Information Technology and Telecommunications / 2015-26 (August) Proposed Cloud Computing Policy v15.docx

Cloud Computing Policy


I. Purpose

This policy outlines best practices and approval processes in relation to the use of cloud
computing solutions that WHO may decide to use to support the processing, sharing,
storage and management of WHO data. The policy also provides guidance to users of cloud
computing solutions in the course and scope of executing their duties, as well as in the
context of their private use of cloud IT solutions that may interface with certain WHO data.

II. Overview

Cloud computing refers to the delivery of computing services over a third party proprietary
system (i.e. not completely controlled by WHO) via the Internet. These services primarily
involve infrastructure (i.e. servers, storage devices etc.), development platforms, and software
applications. The cloud refers to numerous data centers managed by third party vendors and
located throughout the world that have installed hardware necessary for the purpose of
providing cloud-based solutions accessible via the Internet.

Cloud computing offers many advantages such as lower costs, higher performance, faster
delivery of IT services, better IT security, increased scalability of services and more reliable
disaster recovery and business continuity. On the other hand, cloud computing potentially
generates corporate risks in addition to those that exist with the electronic storage of data
generally. These include compliance-related difficulties, sudden loss of service without
notification, and possible compromise of intellectual property rights.

The regulation of cloud computing solutions is therefore necessary in order to protect the
integrity and confidentiality of certain WHO data and ensure the security of its corporate IT
systems.

III. Scope

This policy applies to individuals that have been granted access by WHO to its IT systems.
This primarily involves WHO staff, interns, consultants and certain contractors but could
also involve other persons such as WHO experts and technical advisers etc. This policy
pertains to all WHO cloud services.

IV. Definitions

There are four primary cloud computing deployment models.

1. External cloud: External cloud is defined as an off-premise infrastructure made
available over the Internet which combines the resources of a broad network of users
into one or more shared servers (e.g. Dropbox, Apple iCloud, Microsoft Office 365
and iLearn). A cloud environment that is accessible by authorized users.

2. Internal cloud: A cloud environment that is managed or owned by an organization
on dedicated and usually on-premise servers that can provide high level control over
cloud services and infrastructure. This can be an appropriate model for highly
sensitive data (e.g. WHO Data Centers).

3. Community model: A cloud computing environment that is shared or managed by a
specific community of users from organizations that have shared concerns. This
normally involves several related organizations on dedicated and on-premise servers
of their choice and location (e.g. UNICC).

4. Hybrid cloud or virtual private cloud model: This model, comprised of both
private and public clouds, allows for certain components to be hosted by an external
party while others remain within the organization’s control.

The Cloud computing service models are defined as follows.

1. Software as a Service (SaaS): Capability to use the provider’s applications running
on cloud infrastructure. The applications are accessible from various client devices
through a thin client interface such as a web browser (e.g., Dropbox, iLearn, and MS
O365).

2. Platform as a Service (PaaS): Capability to deploy onto the cloud infrastructure
customer-created or acquired applications created using programming languages and
tools supported by the provider (e.g., Amazon Cloud Service, Microsoft Azure).

3. Infrastructure as a Service (IaaS): Capability to provision processing, storage,
networks and other fundamental computing resources, offering the customer the
ability to deploy and run arbitrary software, which can include operating systems and
applications. IaaS puts these IT operations into the hands of a third party (e.g.,
Amazon Cloud Service, Microsoft Azure).

V. Classification of WHO information and data

As per the current WHO Information Classification Policy, WHO information is classified as:

a. Confidential
b. Internal Use Only
c. Public

Confidential: The security classification "Confidential" is assigned to information which is
highly sensitive. Unauthorized disclosure, modification, inaccuracy or incompleteness of
confidential information would be expected to cause damage or embarrassment to the
Organization. Adequate information security controls must be in place at all times to protect
such information. Examples of "Confidential" information include, without limitation,
staff medical records and contracts containing information which WHO is legally obliged
to retain on a confidential basis.

Internal Use Only: The security classification "Internal Use Only" is assigned to information
that is somewhat sensitive. Unauthorized disclosure, modification, inaccuracy or
incompleteness of "Internal Use Only" information may cause inconvenience to the
Organization and its staff. Examples of "Internal Use Only" information include,
without limitation, e-mail correspondence of a non-confidential nature, audit reports and
employment history.

Public: Information which is not sensitive and which is freely available to anyone is classified
as "Public". Security requirements for "Public" information are minimal. Such documents
may be freely accessible but not modifiable by the public.

For examples of “Confidential”, “Internal Use Only” and “Public” WHO information, and
any further information on the WHO Information Classification Policy, please refer to the
WHO eManual > XIV - Information Technology > XIV.2 Information security > XIV.2.3
Information Classification Policy.

VI. Cloud Computing Committee

To support the CIO in the risk assessment of the recommended solution, a Cloud
Computing Committee (“CCC”) will be established.

The CCC will be primarily responsible for evaluating the necessity to encrypt data on the
basis of a risk, cost and benefit analysis. Such analysis will therefore include consideration of
risks such as security, privacy, protection and recovery of WHO data, as well as other IT
management and legal requirements related to a cloud based solution.

If the CCC is unable to reach consensus on a given recommendation, the matter will be
brought by the CCC to the attention of DGO.

Meetings of the CCC will be facilitated and convened by ITT.

The specific scope and method of work and composition of the CCC will be set out in
Terms of Reference approved by the Director-General.

VII. Use of cloud computing services

The list of WHO cloud services, that have in principle been approved, is available on the
ITT department intranet.

Notwithstanding the fact that a certain cloud service has been approved for use by ITT,
where such a service requires proper encryption, technical units must seek approval for
the use of that service from ITT, which will be responsible for ensuring that proper
encryption is in place. Use of cloud computing services involving WHO data must
be formally authorized on a case-by-case basis by the CIO.

For confidential or internal data, cloud solutions are normally acceptable only if proper
encryption (AES-256 or higher encryption standard) is implemented with encryption keys
generated and stored at WHO.

If proper encryption, pre-approved by ITT, is not available, cloud services may not be used.
Exception can be obtained with approval of the CCC.

This policy recommends the creation of a CCC to support the CIO in evaluating the
necessity to encrypt data in the cloud or not. Basically this is about successfully classifying
data based on its sensitivity.

The use of cloud computing services must comply with all WHO Information Technology
policies, including the Information Classification Policy.

For public data, cloud solutions are acceptable.

VIII. Risk assessment

The following non-exhaustive list of issues should be taken into account before considering
any cloud computing solutions involving WHO data:

1. the IT priority needs of the Organization and the related business case;

2. the type of information and data to be stored, their confidentiality and sensitivity (e.g.
e-mails, old archival records, correspondence with third parties, HR or medical
information, financial information, meeting records, etc.);

3. the country where the service provider or the cloud servers are located;

4. the type of cloud solutions and configurations available and their cost and efficiency;

5. the available risk mitigation measures and mitigation costs for external, public and
hybrid clouds, including through encryption of data, segregation of data, and
appropriate contractual clauses;

6. whether storage of the information and data in question requires the agreement of,
or at least consultation with, staff and/or third parties.

IX. Risk Management

1) Encryption mechanisms;

2) Physical segregation of WHO’s records on dedicated servers at its request;

3) Use of cloud services located in countries with less intrusive security laws, such as
Switzerland; and

4) Development of special contractual terms and conditions to ensure the protection of
WHO’s privileges and immunities; and

5) Appropriate Service Level Agreements with vendors.

X. Awareness raising

In connection with the implementation of this policy, ITT shall hold periodic training and
awareness raising sessions throughout WHO in partnership with regional offices. Key users
are encouraged to attend these sessions.

It is the responsibility of key users to take privacy and security into consideration when
evaluating the potential use of cloud-based IT solutions. In addition, staff that grant
access to WHO IT systems need to ensure that authorized users are aware of this policy.

XI. Compliance

Implementation of this Policy will be subject to periodic review by CRE and Internal Audit,
as appropriate, as part of WHO's risk management framework.
