Although the National Rifle Association uses cloud computing to manage only a fraction of its data-processing needs, the group's tax and risk management director, Emily Cummins, takes the risks associated with the cloud very seriously.

Even small bits of personally identifiable information belonging to the controversial Fairfax, Va.-based association's more than 4 million members demands a rigorous cyber risk management strategy, Ms. Cummins said last week during Business Insurance's 2013 Risk Management Summit in New York.

The association's use of cloud services is limited solely to processing event-based donations managed by its charitable arm, the NRA Foundation, Ms. Cummins said.

Still, she said, “people are obsessed with our membership.”

“It's not that it's embarrassing to be a member or a donor, but it's the kind of information that someone could steal in order to gain access to our members' credit cards and then perpetrate fraud on our members,” Ms. Cummins said.

During her presentation last week, Ms. Cummins outlined the multiple layers of interdepartmental risk assessment the NRA Foundation took before contracting with a cloud services provider, including contract due diligence, data classification and breach response planning.

“It's something that we got our teams together to do, which meant bringing people together from different parts of the enterprise, so that we all understand each other's language,” Ms. Cummins said.

Additionally, Ms. Cummins detailed the risk control measures that remain in place to safeguard NRA membership data and other sensitive information from a potential loss or data breach, including top-to-bottom user training on safe data management policies and protocols.

“These policies need to have teeth and they need to be reinforced, and they can only be reinforced through regular training,” Ms. Cummins said.

“What matters is how we carry these messages through at every level of the organization, from the board-level statement to every employee who's using a device to access company data, whether it's their own device or a company-issued device,” Ms. Cummins said.