Data Security Governance Policy
Added on 2020/03/16
AI Summary
This assignment focuses on creating a comprehensive Data Security Governance Policy for a COTS (Commercial Off-the-Shelf) payroll suite. The policy addresses key aspects such as user access control, privacy compliance (ISO/IEC 29100:2011, ISO 2018, Privacy Act), data encryption, authentication mechanisms, and risk management strategies. It emphasizes the importance of audits to ensure ongoing compliance and identify potential vulnerabilities. The document outlines responsibilities for implementing and enforcing security measures, with a focus on minimizing acceptable risks as defined by the Risk Management Committee.
Running Head: Cloud Privacy and Security: The DAS Case 1
APPENDIX A: Cloud Privacy and Security: The DAS Case
Name
Date
Introduction and Background
Due to the developments in technology and the increasing amounts of data that agencies
must handle, along with the need for reduced costs and better management, agencies such as DAS
are increasingly changing and modernizing their information systems (Akella, Buckow & Rey,
2009; https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/it-architecture-cutting-costs-and-complexity).
This is achieved through measures such as consolidation of IT
systems, modernization of information systems, outsourcing some services, such as hardware
devices, computing power, and backup, and re-aligning information systems (Bond, 2015). Many
organizations are transforming their legacy systems by migrating to the cloud and making use of
technologies such as PaaS (platform as a service), SaaS (software as a service), and IaaS
(infrastructure as a service). These moves have their benefits, including better service delivery,
a reduced workload for staff through online self-service portals, reduced costs, and reduced
complexity of information systems (Akella, Buckow & Rey, 2009; Bond, 2015). These benefits of
information systems (IS) modernization through consolidation and using outsourced services also
come with associated risks. Cloud computing environments are highly scalable as well as being
highly available and reliable, making them attractive propositions, especially for public
organizations that have to handle large amounts of public data and manage thousands of employees.
Migrating applications to the cloud helps public organizations run their internal systems better and
serve the public better (Antonopoulos & Gillam, 2017).
By handling public information on individuals, including personal and personally identifiable
information (PII), these IS become increasingly attractive to malicious entities such as hackers.
The information system repositories and portals hold information valuable to hackers, such as
individuals' contacts, addresses, biometric information, and even financial details such as credit
card numbers and details (Mather, Kumaraswamy & Latif, 2010). As such, consolidating and
migrating services to cloud portals carries attendant risks and threats to the security and
privacy of PII and even staff information at these agencies. To ensure a safe migration to modern
computing platforms, agencies and organizations need to fully understand the risks that storing PII in
such platforms as online portals (cloud computing) carries, for example by undertaking a risk and
threat analysis. Based on such an analysis, the organization will be aware of the risks faced in
having PII and organization data stored in cloud platforms and running some of its operations on
cloud platforms such as PaaS and IaaS (Pfleeger & Pfleeger, 2012). The threat and risk analysis will
help the organization make informed decisions and develop appropriate measures to protect its
data as well as the PII of people (citizens in the case of government bodies or clients/customers in
the case of private/corporate organizations). Moving data and applications to the cloud is a major
long-term trend, but it is fraught with challenges and risks, not least the threats to PII and enterprise
data and information (Mahmood, 2014). When data and information, including PII, are migrated to
cloud platforms, there are inherent risks due to the nature and sensitivity of the information; the
threats and risks of migrating to the cloud arise right before the migration begins, while data is being
stored in the cloud platforms, and when data and information are exchanged between the
cloud environment and access points.
This paper will evaluate the threats and risks that the Department of Administrative Services
(DAS) would face when consolidating and migrating its applications and data, including PI for its
staff and members of the general public, to a cloud environment. In the DAS scenario, there is a
new cloud-first policy in which DAS wants to consolidate all the services offered to the public
by various departments, including contractor management and procurement, as well as licensing, into
its own data centers. Further, DAS wants to migrate its application services, including HR and
personnel management, contract tendering management, payroll, procurement, and contractor
management, to a consolidated data center; a strategy that will see the full adoption of the shared
services model. DAS will centralize several services for the whole of government (WofG) such that
every Agency or Department that offers any of the targeted services for its internal users and for
members of the public will have to migrate them into the DAS data center, where they will all be
consolidated into the DAS database. These services will then be centrally provided by DAS to all
other government departments. DAS has commenced the switch to the cloud-first policy and is
presently implementing the following services:
An HR and personnel suite in the SaaS model
A contractor management suite, also in the SaaS model
A COTS payroll solution implemented in the AWS cloud
A SharePoint PaaS platform that is the basis of its intended Intranet platform for the WofG
Further, a decision has been made for all applications for, and renewals of, licenses from various
government agencies to be moved to a single web portal, named MyLicense. Citizens will then be
encouraged to register in the MyLicense portal for renewal of nearly all licenses, and this process
has been designed to follow one process flow for all licenses. The Government will use the portal to better
view licenses held by every citizen, thereby having PII for citizens in its web portal and exposing
citizens' data to possible data risks. This paper will develop a suitable data protection and data
privacy policy for DAS staff and for citizens in relation to PII. In this paper, a threat and risk
assessment for PII data in the MyLicense portal is developed with regard to privacy and protection
of this data. Thereafter, a PII strategy proposal for the MyLicense portal is also developed, covering
threats and risks to the PII data and measures for control. The paper also develops a strategy for the
protection of informal digital identities created by users in the MyLicense portal for privacy and
data protection, along with measures to mitigate the identified risks. Finally, a governance plan will
be developed for PII data for both the public and DAS staff.
Threat Risk Assessment for PII Data in MyLicense Portal
Internal and External Threats
The cloud platform amplifies internal threats to PII data security and privacy in the cloud; the figure
below illustrates the threats due to external factors and those due to internal factors.
[Figure not reproduced. Source: Cipher Cloud]
The threats and risks will be discussed in the context of both internal and external threats;
while internal threats pose the biggest risks, the external threats usually have the biggest impacts,
such as ransomware attacks, and most external attacks occur as a result of internal human factors,
such as poor strategies, deliberate actions, and mistakes/ignorance (Vohradski, 2012). The nature of
the cloud means that the attack surface can only get bigger and wider, so reducing the attack surface
is not an option. The threats and risks are discussed below.
Malicious Insiders
An example of this is the Edward Snowden case, in which a large amount of NSA information was
made public, creating headlines around the world (Waxman, 2017). When there is a malicious
employee inside an organization with a huge cloud portal holding lots of information, the risks are
magnified several times over. Insiders can steal information and sell it for financial benefit,
just to get back at their employer, or, as in the Snowden case, to operationalize a private crusade.
Employees, especially those trusted to manage such data, can also modify data or delete it
irretrievably. Further, it is possible for employees to leave backdoors or vulnerabilities that allow
external collaborators to access PII for use for other purposes, either for profit or due to
disgruntlement (Subashini & Kavitha, 2011).
Breaches to PII Data
Cloud computing entails having data in different states: data at rest, data in transit, and
data in use in the cloud platform. Cloud computing has forced malicious entities to devise
new ways of circumventing security protocols in the cloud and to use new attack methods.
Breaches of PII have serious consequences, including legal, reputational, and financial ones; it is also
embarrassing for the top person in the organization to have to face an irate public and the media and
try to explain what happened and what they will do (Metheny, 2017). Although Cloud Service Providers
(CSPs) usually provide strong and rigorous security protocols to guard against such attacks, cyber
criminals still always find a way through, as in the recent case of Equifax (Gressin, 2017).
The same threats that traditional information systems (IS) face also pose threats to PII in
the cloud. Inherent weaknesses such as side-channel timing exposure, where a user in one VM
(virtual machine) is able to listen for activity signaling that an encryption key has arrived on another
VM sharing the same host, can result in sensitive DAS data falling into the wrong hands,
more so because of the nature of the cloud, where many users share services and resources (Ren, Wang &
Wang, 2012).
Loss of Data Permanently
Data breaches are due to intrusive actions or the result of malicious action, including by
insiders in the organization. The loss of data means that information is lost in a manner in which it
cannot be retrieved or recovered, for instance a disk drive dying/failing when no backup of the
data stored on it was created; this is especially a risk for DAS in a hybrid cloud architecture. It is
also possible for data to be permanently lost when the owner of encrypted data loses the
decryption key, or forgets it (LeClair & Keeley, 2015). An example is when a small amount of data was
lost by AWS when Amazon’s EC2 cloud suffered what they termed a re-mirroring storm caused by
an error by a human operator in 2011 (Goldman, 2011). Data can also be lost due to deliberate
actions of insiders deleting data or modifying it by encrypting it, or externally due to malware attacks
that delete all data, as happened to the Saudi State Oil Company, or ransomware, as happened to
the UK National Health Service.
Hijacked Accounts
This would normally be expected to happen in traditional computing, but it is also a major
risk in the cloud environment. Accounts in the cloud can be hijacked through loss of credentials and
passwords, such as when the devices employees use to access cloud services containing PII are lost.
It can also happen due to exploitation of vulnerabilities in software, for instance buffer overflow attacks,
or through phishing and social engineering attacks (Pearson & Benameur, 2010). Intruders that
hijack accounts of DAS staff can manipulate transactions, eavesdrop, give false damaging
information, or simply steal crucial information such as addresses and credit card numbers, or
obtain information to use for other nefarious acts such as identity theft. If the account(s) with PII are
connected to other accounts, there can be a quick loss of control over other accounts as well. The
passwords given to or chosen by the users can also be weak, leading to their passwords being
stolen. Further, it is common for citizens to access government cloud portals such as the MyLicense
portal using their own devices, a work/office device, or a public portal, and even to forget to sign out. If
these devices have malware that steals passwords, the user account can be hijacked and the password
changed (Robinson, 2011).
Hacking of Interfaces and APIs that are Insecure
Another major threat is weak/insecure interfaces and APIs that get hacked; the
MyLicense platform aims at providing services to millions through various government agencies
while also attempting to limit the damage these millions of users can cause the service, given that
they are mostly anonymous users. The solution lies in developing ‘public facing’ APIs (application
programming interfaces) that define how third parties connect to applications (Abraham &
Thampi, 2013) in the MyLicense portal service. Further, communication with other cloud services
also utilizes APIs in many cases, meaning that API security also has a direct impact on the
security of PI in the cloud. The chances of these APIs being hacked increase when access to the APIs is
granted to third parties, and the result would be the loss of PII or having it exposed to the general
public (loss of privacy) (Dinh, Lee, Niyato & Wang, 2013).
DDoS (Distributed Denial of Service) Type Attacks
DDoS attacks are a common form of cyber attack; however, when targeted at cloud platforms, the
effects can be devastating, as these attacks affect the ability of DAS and government agencies to run
critical services while consuming significant amounts of resources, including processing power,
and raising bills for cloud services (Yu, 2013).
Cloud Services Abuse
The cloud platform means resources and services are shared by different users, including
hackers, who can use the same cloud services and their processing power and resources to carry out
attacks, such as decrypting encryption keys within a short time. Cloud servers that are shared can
also be used by cyber criminals to launch attacks such as DDoS, or to serve malware to steal or
compromise PII. While CSPs are responsible for cloud services use, it may be difficult for them to
detect abuse and improper use (Daimi et al., 2017; Ren, Wang & Wang, 2012).
Weak Identity and Authentication Management
Failure to implement strong identity and authentication protocols has been a major cause of
PII data being breached. It is always a challenge for organizations to manage identity and
authentication so that users access various IS resources commensurate with their job roles. If these
credentials and authentication methods are weak, cyber criminals can hijack or crack them, resulting in them
breaching and accessing millions of PII records that they can use for any other malicious purpose. If
identity management is poor, huge cyber security holes are the result, leaving the system at the mercy
of hackers and cyber attackers (Ghorbel, Ghorbel & Jmaiel, 2017; Mock & Desai, 2013).
Advanced Persistent Threats
These are parasitic types of attacks where APTs infiltrate the DAS IS infrastructure and
establish a foothold. The APTs then extract and exfiltrate PII data and information over long
periods. APTs move across networks laterally; the fact that DAS will use a PaaS SharePoint
Intranet further compounds this problem because the APTs can move laterally across its entire IS
network. APTs easily blend with normal traffic, making their detection difficult. APTs
gain entry into enterprise networks through infected external storage drives, direct attacks, and
spear phishing (Auer & Zutin, 2017).
PaaS Intranet Vulnerabilities
DAS will build an Intranet using a PaaS platform; this increases the attack surface due to
resource sharing and the risk of root access to servers that will be running many of the instances
on the MyLicense portal. If cyber criminals gain unauthorized access to this infrastructure, they can
change configurations and breach PII or even cause data loss and modification. Failure to properly
configure security and other settings in the PaaS platform will escalate threats of cyber attacks;
PaaS provides a self-service platform, implying that DAS must undertake all protocols to ensure
safety and security, including installing and updating anti-malware software (Korshed & Wasimi,
2012).
Insufficient Diligence
Migrating and having PII on cloud portals with external access by millions of anonymous
users will greatly expose their PII data to attacks and breaches. If DAS does not fully understand the
cloud environment and its risks, or adopts an unsuitable policy, starting from migration and how this
data is accessed, managed and used in the cloud-based web portal, there is a risk of the PII data
being breached (Herold, 2011). Everything must be carefully planned, starting with the cloud
architecture, the migration policy, control policies, and management of users.
After evaluating the threats, a TRA is undertaken to create a threat profile for PII on the MyLicense
portal, as shown in the Figure below.
Threat Risk Analysis
Below is the TRA for the threats and risks inherent to using cloud service platforms (the
PaaS and SaaS) and the use of public clouds and a data center for storing public information and
software suite instances.
Threat/Risk Number | Threat/Risk                                      | Rank
1                  | Malicious Insiders                               | Extreme
2                  | Breaches to PII Data                             | Extreme
3                  | Insufficient Diligence                           | Extreme
4                  | Weak Identity and Authentication Management      | Extreme
5                  | Advanced Persistent Threats                      | Extreme
6                  | Loss of Data Permanently                         | Very High
7                  | Hijacked Accounts                                | Very High
8                  | PaaS Intranet Vulnerabilities                    | Very High
9                  | Hacking of Interfaces and APIs that are Insecure | High
10                 | Cloud Services Abuse                             | High
Conclusions
Agencies are increasingly migrating to the cloud because of its inherent benefits, including a
highly scalable platform, greater security, streamlined operations, the ability to share resources,
consolidation of IT systems, and giving users an easy way to access services through a self
service model. However, migration to the cloud has its own risks and dangers, especially when
dealing with public data that contains personally identifiable information such as addresses and
names or gender. To remain on top of the game, an elaborate threat risk assessment is necessary to
ensure that informed decisions and choices are made based on the data and information the
assessment provides. DAS is in the process of consolidating its IT systems and services for
various departments using its new ‘cloud first policy’. Already, it is in the process of migrating its
HR and contract management systems to a SaaS platform. Also, DAS is migrating its payroll
system, which is COTS, to AWS. It will also have an Intranet implemented on a PaaS
SharePoint platform. The threats and risks that PII and personal data for users are exposed to include
malicious insiders, breaches to PII data, loss of data permanently, hijacked accounts, hacking of
interfaces and APIs that are insecure, DDoS (distributed denial of service) type attacks, cloud
services abuse, weak identity and authentication management, advanced persistent threats, PaaS
Intranet vulnerabilities, and insufficient diligence.
References
Abraham, A. & Thampi, S. M. (2013). Intelligent Informatics: Proceedings of the International
Symposium on Intelligent Informatics ISI'12 Held at August 4-5 2012, Chennai, India.
Berlin: Springer.
Antonopoulos, N., & Gillam, L. (2017). Cloud computing: Principles, systems and applications.
Computer communications and networks.
Auer, Michael E., & Zutin, Danilo G. (2017). Online Engineering & Internet of Things:
Proceedings of the 14th International Conference on Remote Engineering and Virtual
Instrumentation Rev 2017, Held 15-17 March 2017, Columbia University. Springer
Verlag.
Bond, J. (2015). The enterprise cloud: Best practices for transforming legacy IT.
Sebastopol, CA: O'Reilly Media.
Dinh, H. T., Lee, C., Niyato, D., & Wang, P. (December 25, 2013). A survey of mobile cloud
computing: architecture, applications, and approaches. Wireless Communications and
Mobile Computing, 13, 18, 1587-1611.
Gressin, S. (2017). The Equifax Data Breach: What to Do. Consumer Information. Retrieved 8
October 2017, from
https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
Goldman, D. (2011). Amazon explains and apologizes for cloud disaster - Apr. 29, 2011.
Money.cnn.com. Retrieved 8 October 2017, from
http://money.cnn.com/2011/04/29/technology/amazon_apology/index.htm
Ghorbel, A., Ghorbel, M., & Jmaiel, M. (June 01, 2017). Privacy in cloud computing environments:
a survey and research challenges. The Journal of Supercomputing : an International Journal
of High-Performance Computer Design, Analysis, and Use, 73, 6, 2763-2800.
Herold, R. (2011). Managing an information security and privacy awareness and training program.
Boca Raton, FL: CRC Press.
Khorshed, M. T., Ali, A. B. M. S., & Wasimi, S. A. (June 01, 2012). A survey on gaps, threat
remediation challenges and some thoughts for proactive attack detection in cloud
computing. Future Generation Computer Systems, 28, 6, 833-851.
LeClair, J., & Keeley, G. (2015). Cybersecurity in Our Digital Lives. BookBaby.
Mather, T., Kumaraswamy, S., & Latif, S. (2010). Cloud security and privacy: [an enterprise
perspective on risks and compliance]. Beijing: O'Reilly.
References
Abraham, A. & Thampi, S. M.. (2013). Intelligent Informatics: Proceedings of the International
Symposium on Intelligent Informatics ISI'12 Held at August 4-5 2012, Chennai, India.
Berlin: Springer.
Antonopoulos, N., & Gillam, L. (2017). Cloud computing: Principles, systems and applications.
Computer communications and networks
Auer, Michael E., & Zutin, Danilo G. (2017). Online Engineering & Internet of Things:
Proceedings of the 14th International Conference on Remote Engineering and Virtual
Instrumentation Rev 2017, Held 15-17 March 2017, Columbia Universit. Springer
Verlag.
Bond, J. (2015). The enterprise cloud: Best practices for transforming legacy IT.
Sebastopol, CA: O'Reilly Media.
Dinh, H. T., Lee, C., Niyato, D., & Wang, P. (December 25, 2013). A survey of mobile cloud
computing: architecture, applications, and approaches. Wireless Communications and
Mobile Computing, 13, 18, 1587-1611.
Gressin, S. (2017). The Equifax Data Breach: What to Do. Consumer Information. Retrieved 8
October 2017, from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-
do
Goldman, D. (2011). Amazon explains and apologizes for cloud disaster - Apr. 29, 2011.
Money.cnn.com. Retrieved 8 October 2017, from
http://money.cnn.com/2011/04/29/technology/amazon_apology/index.htm
Ghorbel, A., Ghorbel, M., & Jmaiel, M. (June 01, 2017). Privacy in cloud computing environments:
a survey and research challenges. The Journal of Supercomputing : an International Journal
of High-Performance Computer Design, Analysis, and Use, 73, 6, 2763-2800.
Herold, R. (2011). Managing an information security and privacy awareness and training program.
Boca Raton, FL: CRC Press.
Khorshed, M. T., Ali, A. B. M. S., & Wasimi, S. A. (June 01, 2012). A survey on gaps, threat
remediation challenges and some thoughts for proactive attack detection in cloud
computing. Future Generation Computer Systems, 28, 6, 833-851.
LeClair, J., & Keeley, G. (2015). Cybersecurity in Our Digital Lives. BookBaby.
Mather, T., Kumaraswamy, S., & Latif, S. (2010). Cloud security and privacy: [an enterprise
perspective on risks and compliance]. Beijing: O'Reilly.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Running Head: Cloud Privacy and Security: The DAS Case 11
Pearson, S., Benameur, A., & 2010 IEEE 2nd International Conference on Cloud Computing
Technology and Science (CloudCom). (November 01, 2010). Privacy, Security and Trust
Issues Arising from Cloud Computing. 693-702.
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A
threat/vulnerability/countermeasure approach. Upper Saddle River, N.J: Pearson Education
International.
Robinson, N., Rand Corporation., & European Commission. (2011). The Cloud: Understanding the
security, privacy and trust challenges. Santa Monica: Rand.
Mahmood, Z. (2014). Cloud Computing: Challenges, Limitations and R&D Solutions. Cham :
Springer International Publishing
Metheny, M. (2017). Federal cloud computing: The definitive guide for cloud service providers.
Amsterdam : Syngress
Mock, K., & Desai, A. M. (January 01, 2013). Security in Cloud Computing. InfoSci-Books
Ren, K., Wang, C., & Wang, Q. (January 01, 2012). Security Challenges for the Public Cloud. IEEE
Internet Computing, 16, 1, 69-73.
Subashini, S., & Kavitha, V. (January 01, 2011). A survey on security issues in service delivery
models of cloud computing. Journal of Network and Computer Applications, 34, 1, 1-
Vohradsky, D. (2012). Cloud Risk—10 Principles and a Framework for Assessment. ISACA,
5(1). Retrieved from
https://www.isaca.org/Journal/archives/2012/Volume-5/Pages/Cloud-Risk-10-Principles-and-a-Framework-for-Assessment.aspx
Waxman, A. B. (2017). Rogues of Wall Street: How to manage risk in the cognitive era.
Hoboken, NJ : Wiley/IBM Press
Yu, S. (2014). Distributed Denial of Service Attack and Defense. (Springer eBooks.) New York,
NY: Springer New York.
Pearson, S., Benameur, A., & 2010 IEEE 2nd International Conference on Cloud Computing
Technology and Science (CloudCom). (November 01, 2010). Privacy, Security and Trust
Issues Arising from Cloud Computing. 693-702.
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A
threat/vulnerability/countermeasure approach. Upper Saddle River, N.J: Pearson Education
International.
Robinson, N., Rand Corporation., & European Commission. (2011). The Cloud: Understanding the
security, privacy and trust challenges. Santa Monica: Rand.
Mahmood, Z. (2014). Cloud Computing: Challenges, Limitations and R&D Solutions. Cham :
Springer International Publishing
Metheny, M. (2017). Federal cloud computing: The definitive guide for cloud service providers.
Amsterdam : Syngress
Mock, K., & Desai, A. M. (January 01, 2013). Security in Cloud Computing. InfoSci-Books
Ren, K., Wang, C., & Wang, Q. (January 01, 2012). Security Challenges for the Public Cloud. IEEE
Internet Computing, 16, 1, 69-73.
Subashini, S., & Kavitha, V. (January 01, 2011). A survey on security issues in service delivery
models of cloud computing. Journal of Network and Computer Applications, 34, 1, 1-
Vohradsky, D. (2012). Cloud Risk—10 Principles and a Framework for Assessment. ISACA,
5(1). Retrieved from https://www.isaca.org/Journal/archives/2012/Volume-5/Pages/Cloud-
Risk-10-Principles-and-a-Framework-for-Assessment.aspx
Waxman, A. B. (2017). Rogues of Wall Street: How to manage risk in the cognitive era.
Hoboken, NJ : Wiley/IBM Press
Yu, S. (2014). Distributed Denial of Service Attack and Defense. (Springer eBooks.) New York,
NY: Springer New York.
Running Head: Cloud Privacy and Security: The DAS Case 12
APPENDIX B: Cloud Privacy and Security: The DAS Case
PII strategy proposal for the DAS MyLicence portal
Name
Date
PII strategy proposal for the DAS MyLicence portal
Introduction
Securing the privacy and security of PII in the MyLicense portal requires understanding
what PII is in the context of applicable laws in order to develop a fitting strategy proposal.
Section 6 of the Privacy Act of Australia defines PI (personal information) as an
opinion or information about a person who is identified or who can reasonably be
identified. The identity may include medical records, the address, photos, bank account and
credit/debit card details, videos, or biographic information such as gender and age, along with the
person's name. The strategy being proposed in this report must adhere to the Privacy Act of Australia, along
with other standards including the Australian Privacy Principles also found in the 1988 Privacy Act
('Office of the Australian Information Commissioner', 2014).
DAS must first define what PII is and establish why it must collect personal information
(such as to view the various licenses that the citizens have). Based on this, DAS must then decide
on what personal information it needs to collect, based on the requirements for specific cases. Based
on these, DAS must then decide on how to handle this information and assess the associated risks to
this information with a view to taking the appropriate measures for mitigating these risks to PII.
Finally, once used, based on the information life cycle, DAS must ensure de-identification or
destruction of this information/data (PII) when it is no longer needed. This is the proposed overall
framework that DAS should employ whenever there is an intention to acquire PII. Based on the TRA
undertaken with regard to PII on the MyLicense Portal (Appendix A), a strategy is hereby proposed
to ensure the privacy and security of PII for citizens and even DAS staff are maintained and
effectively managed. Ensuring PII privacy and security requires measures aimed at:
Preventing interference with, misuse of, unauthorized access to, loss of, disclosure of, or
unauthorized modification of all PII.
Detecting any breaches to PII data privacy and security promptly.
Being ready to respond in a timely, suitable and appropriate manner to possible PII data privacy
or security breaches.
The image below shows the process flows for the entry and management of
citizens' PII by the DAS MyLicense portal.
Source: Author
After understanding the process flows, the next step is to ensure the information remains
private and secure in all states: when the data is at rest (in storage), when the data is being moved/
transported across networks, and when it is in use, for example when data is being updated (Ruan,
2013). At the edge of the DAS IS, where users access the MyLicense portal, the aim is to have a
strong security and privacy layer, as the image below depicts.
Source: Cipher Cloud
To protect PII data privacy and security when the data is at rest, DAS needs to implement
the following:
Encryption of the data: The data must be encrypted using a strong encryption method, such
as AES 256, to ensure the data cannot be used or accessed in the unlikely situation that it is actually
breached (Kawser, Tonny, Sayed & Hashem, 2012).
Backup: The data must be backed up in multiple geographical locations by the CSP and
also in the DAS data center (hybrid cloud) using off-site storage. The backup should entail DS
using VMs so that there is always continuity and the data is protected from loss. The backup
system can be implemented together with RAID configurations in physical servers.
To protect PII data security and privacy during transfer/transport or when being used, DAS
must encrypt all data (Mather, Kumaraswamy & Latif, 2010).
Encryption End-to-End: The PII data must have end-to-end encryption during transport so
that users can only access it at the destination and at the point of sending. Because citizens will
provide this data from a web portal, the portal must have web-based security, including the use of
the HTTPS protocol, and have the data encrypted as it is entered. This surface must have very strong
encryption features since it is not practical to have multiple authentication for all citizens; however,
basic two-step authentication can be used to identify users when they log in to their account through
their mobile phones, with an e-mail notification sent to them whenever their accounts are
accessed externally (likely by them). The decryption keys must be effectively managed to prevent
loss that would occasion data loss due to inability to access the data (Mather, Kumaraswamy &
Latif, 2010).
Authentication and use of Tokens by staff: Any staff accessing the data for any purpose,
such as processing, must be authenticated using a multi-factor authentication approach. Further, they
must have tokens to log into cloud servers that expire after some period of non-use, to guard
against accidental failure to log out. This should also be applied to the citizens (Mather,
Kumaraswamy & Latif, 2010), (Nickel, 2016).
Securing PaaS infrastructure: DAS will have a PaaS SharePoint Intranet; this
must be secured using methods applied to other networks, including setting the Intranet in a VPN
(Virtual Private Network) configuration to include remote access mobile devices such as laptops,
tablets, and smart phones. This will ensure the Intranet is not easy to breach from a shared cloud
platform. The infrastructure must also have strong security configurations, including firewalls and
anti-malware software. Further, the Intranet must be constantly monitored. All routers and network
tools (virtual) in the Intranet PaaS must be secured through encryption and constant updating of
firmware (Chen & Zhao, 2012).
Security Audits: Because DAS will also have a data center linked to public clouds to form a
hybrid cloud, it must ensure scheduled security audits are undertaken by the CSP and be able to
evaluate these security audits. This will require that the audits are expressly defined in the SLA
(service level agreements) with the CSP. Internally, it must also undertake frequent security audits on
its infrastructure. All activities have to be logged to create an audit trail for review (Winkler &
Meine, 2012).
Policies and Procedures: DAS must sensitize employees in all departments on safety
protocols and on how to identify social engineering and phishing attacks, and provide mechanisms for
prompt reporting of suspicious activity. Staff must have external devices disabled from copying data
(Rass & Slamanig, 2014).
Security tools: At the data center, all data must also be encrypted, and security tools
including firewalls (software and physical), anti-malware and anti-virus software must be in place,
along with constant updating of firmware and patches. The PaaS must be monitored constantly and
audited for malicious activity (Rass & Slamanig, 2014).
DAS must have response plans, such as what to do during DDoS attacks, or when an
employee's personal device with access credentials is lost or stolen. The devices used on the
PaaS and DAS portal must be identified and authorized to access resources with secure APIs and
authentication; in the event of theft or if suspicious activity is reported, then these devices must be
disabled from accessing the DAS cloud resources and the access tokens disabled.
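The staff-token rule (tokens that expire after a period of non-use) and the lost-device rule (disable the device and its access tokens) described above can be sketched as follows. This is an added example, not part of the original report or of any DAS system; the 15-minute idle window, the TokenService name and the user and device identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed; the report only says "some period of non-use"


@dataclass
class Session:
    user: str
    device_id: str
    last_used: float


class TokenService:
    """Opaque access tokens with a sliding idle timeout and a per-device kill switch."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._key = secrets.token_bytes(32)
        self._sessions = {}            # keyed token digest -> Session
        self._disabled_devices = set()
        self.audit_trail = []          # (timestamp, event, user, device_id)

    def _digest(self, token):
        # Only a keyed hash is stored, so a leaked session table holds no usable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, event, user, device_id):
        self.audit_trail.append((self._clock(), event, user, device_id))

    def issue(self, user, device_id, mfa_passed):
        """Issue a token only after multi-factor authentication on an enabled device."""
        if not mfa_passed or device_id in self._disabled_devices:
            self._log("login_denied", user, device_id)
            raise PermissionError("MFA not completed or device disabled")
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = Session(user, device_id, self._clock())
        self._log("token_issued", user, device_id)
        return token

    def validate(self, token):
        """Return the user for a live token, else None; each valid use restarts the idle timer."""
        digest = self._digest(token)
        session = self._sessions.get(digest)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_used > self._idle_timeout:
            del self._sessions[digest]
            self._log("token_expired_idle", session.user, session.device_id)
            return None
        session.last_used = now
        return session.user

    def disable_device(self, device_id):
        """Lost or stolen device: block new logins, revoke its tokens, return the count revoked."""
        self._disabled_devices.add(device_id)
        doomed = [d for d, s in self._sessions.items() if s.device_id == device_id]
        for digest in doomed:
            session = self._sessions.pop(digest)
            self._log("token_revoked", session.user, device_id)
        return len(doomed)


def run_scenario():
    """Constructed scenario on a simulated clock (seconds); all identifiers are made up."""
    now = [0.0]
    service = TokenService(idle_timeout=900, clock=lambda: now[0])
    laptop = service.issue("staff-a", "laptop-01", mfa_passed=True)
    phone = service.issue("staff-a", "phone-07", mfa_passed=True)
    results = {}
    now[0] += 600
    results["in_use"] = service.validate(laptop)          # used inside the idle window
    now[0] += 600
    results["still_in_use"] = service.validate(laptop)    # timer was restarted by the last use
    results["idle_phone"] = service.validate(phone)       # never used since issue
    now[0] += 901
    results["forgot_to_log_out"] = service.validate(laptop)
    tablet = service.issue("staff-b", "tablet-03", mfa_passed=True)
    results["revoked_on_theft"] = service.disable_device("tablet-03")
    results["stolen_token"] = service.validate(tablet)
    try:
        service.issue("staff-b", "tablet-03", mfa_passed=True)
        results["relogin_blocked"] = False
    except PermissionError:
        results["relogin_blocked"] = True
    results["events"] = [event for _, event, _, _ in service.audit_trail]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The audit_trail list stands in for the logging requirement under Security Audits; a real deployment would write these events to tamper-resistant storage instead of process memory.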
References
Kawser , W., N., Tonny S., K., Sayed A., H., & Dr. M. M. A Hashem. (2012). A Newer User
Authentication, File encryption and Distributed Server Based Cloud Computing security
architecture. The Science and Information (SAI) Organization.
Mather, T., Kumaraswamy, S., & Latif, S. (2010). Cloud security and privacy: [an enterprise
perspective on risks and compliance]. Beijing: O'Reilly.
Nickel, J. (2016). Mastering identity and access management with Microsoft Azure: Start
empowering users and protecting corporate data, while managing identities and access with
Microsoft Azure in different environments. Birmingham : Packt Publishing
'Office of the Australian Information Commissioner'. (2014). Privacy fact sheet 17: Australian
Privacy Principles. Sydney: Office of the Australian Information Commissioner.
Rass, S., & Slamanig, D. (2014). Cryptography for security and privacy in cloud computing. Boston
: Artech House
Ruan, K. (2013). Cybercrime and cloud forensics: Applications for investigation processes.
Hershey, Pa: IGI Global.
Winkler, V., & Meine, B. (2011). Securing the cloud: Cloud computer security techniques and
tactics. Waltham, Mass: Syngress.
APPENDIX C: Cloud Privacy and Security: The DAS Case
Strategy for Protecting Formal Digital Identity
Name
Date
Introduction
Digital identity refers to information about an entity that computer systems use to
represent external agents; the agent can be a person, application, organization, department,
or device. An identity is a set of attributes that are related to a given entity. Digital Identities
are used to identify entities and assign specific information to them without human intervention, so
that access to computers or resources can be automated, as are the services offered by the computer
systems (Windley, 2015). People are increasingly being represented by personal and civil identity
information in computer systems such as the DAS systems. The data on entities such as persons is
used in ways that require the stored data to also be linked to their national or
civil identities, for instance, their passport number or PIN. Digital Identities may include all the
collections of information created from the on-line activity of entities such as persons, and include
details such as their on-line search activities, passwords, social security, credit card use, and
biometric data such as gender and age (Ben, 2014). Millions of citizens will be creating formal
Digital Identities (DIs) on-line whenever they visit the MyLicense portal of DAS, and these can be
exploited by hackers over the web or through institutional devices, even by insiders. The security
and privacy of this information is therefore paramount for DAS. DAS must therefore understand
what constitutes DIs and use the following strategy to ensure this information remains safe and
private.
Use Pseudonyms: DAS should encourage users of the MyLicense portal to use pseudonyms
that can be confirmed and used for future transactions; this will ensure privacy by reducing
the amount of identifiable information that can be attributed to the person. It will also ensure greater
security for the users of the portal and any transactions they undertake, including making payments.
This will enable users to be identified without having to reveal their digital identity
representation (Bhargav-Spantzel, Squicciarini & Bertino, 2006).
Anonymous identifiers: DAS should also enable users to be identified using an anonym;
this is an attribute that is authenticated but is not linked to an identifier. An anonymous
identifier identifies a user only once, and using it more than once makes it a pseudonym. When
combined with two-factor authentication with a limited-time token, this can be effective since the
pseudonym is sent to a mobile phone for use over a limited time period (Yee, 2012). This way, even
patient hackers or APTs cannot associate a pseudonym with a specific person through repeated use of
one anonym.
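The distinction drawn in the two paragraphs above, between a pseudonym (stable and reusable) and an anonym (valid once, for a limited time), can be made concrete. The following Python sketch is an added example, not code from DAS or the MyLicense portal; the key handling, the context labels and the civil ID value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def derive_pseudonym(server_key: bytes, civil_id: str, context: str) -> str:
    """Return a stable pseudonym for one person inside one service context.

    The pseudonym is a keyed hash (HMAC-SHA256) of the civil identifier, so
    the portal can recognise a returning user without storing or exposing
    the passport number itself. A different context yields an unrelated
    value, so records from two services cannot be joined on the pseudonym.
    """
    ctx = context.encode()
    # Length-prefix the context so ("ab", "c") and ("a", "bc") never collide.
    msg = len(ctx).to_bytes(2, "big") + ctx + civil_id.encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:32]


class AnonymIssuer:
    """Issue one-time anonymous identifiers with a limited lifetime.

    The caller is assumed to have authenticated the user already (for
    example with two-factor authentication). The issuer deliberately stores
    no user identifier: only a hash of each outstanding anonym and its
    expiry time, so a stolen table does not reveal who holds which anonym.
    """

    def __init__(self, ttl_seconds: float = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(anonym) -> expiry timestamp

    @staticmethod
    def _digest(anonym: str) -> str:
        return hashlib.sha256(anonym.encode()).hexdigest()

    def _purge_expired(self) -> None:
        now = self._clock()
        for digest in [d for d, exp in self._pending.items() if exp < now]:
            del self._pending[digest]

    def issue(self) -> str:
        """Create a fresh random anonym that is valid for one use."""
        self._purge_expired()
        anonym = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._pending[self._digest(anonym)] = self._clock() + self._ttl
        return anonym

    def redeem(self, anonym: str) -> bool:
        """Accept an anonym once, and only before it expires.

        The entry is removed on the first attempt, so a second presentation
        of the same value fails. Reuse is exactly what would turn the
        anonym into a linkable pseudonym.
        """
        expiry = self._pending.pop(self._digest(anonym), None)
        return expiry is not None and self._clock() <= expiry


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed demo key
    civil_id = "P1234567"                    # constructed sample passport no.
    print("payments pseudonym:", derive_pseudonym(key, civil_id, "payments"))
    print("renewals pseudonym:", derive_pseudonym(key, civil_id, "renewals"))

    issuer = AnonymIssuer(ttl_seconds=300)
    token = issuer.issue()
    print("first use accepted: ", issuer.redeem(token))
    print("second use accepted:", issuer.redeem(token))
```

In a deployment the server key would live in a key management service, and the pending table in a shared store with its own expiry.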
Strong authentication policy for user access credentials: Often, users will want to have
passwords that are easy for them to remember, or that they use on other on-line platforms, such as
their social media accounts. DAS should set the authentication credentials to ensure complexity so
that users, for example, are forced to use multiple character types, including upper and lower
case letters, numbers, and special symbols, and to have passwords with a minimum length. This will
make their passwords strong and difficult to crack, say using key-logging APTs and malware
(Yeluri & Castro-Leon, 2014).
Disable cookies on web portal: The MyLicense web portal should not use any form of
cookies, and third-party cookies should be disabled on the web portal; this is because users will
often engage in other web activity after visiting the MyLicense web portal, such as opening their
email or visiting social media. Cookies collect information on web users and track them across
different websites, possibly compromising their DIs or helping link their information (Yee, 2012).
Use the HTTPS standard: HTTPS stands for HTTP over TLS (Transport Layer Security), a
standard for secure communication over networks in which HTTP is used within an
encrypted layer, TLS (or in some cases SSL [Secure Sockets Layer]). HTTPS will
authenticate the MyLicense web portal and protect the integrity and privacy of exchanged data,
especially PIs (Ben, 2014).
Use SaaS for password and authentication management: While this will increase the
surface of the DAS cloud and the entire attack surface, it will enhance the security of the
users, because third parties that specialize in authentication, password management, and the use of
pseudonyms to protect DIs (Bin et al., 2009) will have greater expertise in
managing the thousands or millions of user DIs when they use the MyLicense portal.
Use a Blockchain Approach to DI Security and Privacy: DAS will be consolidating all
services for various departments into a single platform with cloud architecture and a data center,
with citizens using the web portal to access services. Because multiple agencies and departments
are involved, there are likely to be disjointed and fallible identity management systems for user
authentication (Asharaf & Adarsh, 2017). This can be overcome through the use of a distributed trust
model such as the IBM blockchain technology, which gives users greater power and control over their
digital identity; it also enables sharing between trusted entities with the users' consent (Buck,
2017). Further, blockchain makes it difficult for any single organization, department, or entity to
compromise the identity of the users. It is an approach that will be simple for users to make
use of, ensures greater privacy, and gives the users greater control over their DI and PII; the
information is only used once, at the point where it is needed, and is not stored anywhere on-line
where malicious users can access it. Blockchain is a secure sharing network that enables
authentication across different users and platforms (Zyskind, Nathan & Pentland, 2015). This can be
implemented through an application (for mobile devices) which users can then use to manage their
on-line identity whenever accessing any services from the DAS portal.
Biometric security: For the DAS staff, DIs can be secured using biometric security, so
that their biometrics, such as facial features or thumbprints, must be used and verified (Sahai
& Waters, 2005) whenever they access the DAS cloud services or instances to undertake important
tasks such as modifying information, creating reports, updating employee data, or managing
contractor information. Users that log in remotely (Government Employees) using mobile devices
must also be authenticated using biometric features to help protect their DIs, because if these are
compromised, hackers and cyber criminals will be able to gain entry into the DAS IS, possibly with
elevated access rights, and engage in nefarious activities.
References
Asharaf, S., & Adarsh, S. (2017). Decentralized computing using blockchain technologies and
smart contracts: Emerging research and opportunities. Hershey, PA: Information
Science Reference.
Bhargav-Spantzel, A., Squicciarini, A. C., & Bertino, E. (January 01, 2006). Establishing and
protecting digital identity in federation systems. Journal of Computer Security, 14, 3, 269-300.
Ben, A. G. (January 01, 2014). Digital Identity Management. Springer Link.
Ben, A. G. (2016). Architecting user-centric privacy-as-a-set-of-services: Digital identity-related
privacy framework. Cham: Springer.
Bin, W., Yuan, H. H., Xi, L. X., Min, X. J., & 2009 IEEE International Conference on e-Business
Engineering (ICEBE). (October 01, 2009). Open Identity Management Framework for SaaS
Ecosystem. 512-517.
Buck, G. (2017). IBM, SecureKey Technologies, use blockchain to beef up security »
GTNews.com. Gtnews.com. Retrieved 8 October 2017, from
https://www.gtnews.com/2017/03/20/ibm-securekey-technologies-use-blockchain-to-beef-up-security/
Sahai, A., & Waters, B. (January 01, 2005). Fuzzy Identity-Based Encryption. Lecture Notes in
Computer Science, 3494, 457-473.
Windley, P. J. (2005). Digital Identity. Sebastopol, CA: O'Reilly Media.
Yee, G. (2012). Privacy protection measures and technologies in business organizations: Aspects
and standards. Hershey, PA: Information Science Reference.
Yeluri, R., & Castro-Leon, E. (2014). Building the Infrastructure for Cloud Security: A Solutions
view. Berkeley, CA: Apress.
Zyskind, G., Nathan, O., & Pentland, A. S. (May 01, 2015). 2015 IEEE Security and Privacy
Workshops (SPW). Decentralizing Privacy: Using Blockchain to Protect Personal Data. 180-184.
APPENDIX D: Cloud Privacy and Security: The DAS Case
Governance Outline Plan
Name
Date
Governance Outline Plan
Governance Outline for PII data and digital identities for MyLicense Portal Users
Version 1
Ratified By
Date of Ratification
Author(s)
Date of Coming Into Effect
Target Audience
Responsible Committee
Date of Review
Policy Summary
This governance tool kit is aimed at ensuring that the PII (Personally Identifiable Information)
and the DIs (Digital Identities) of users of the DAS MyLicense portal
remain secure and private and are managed and used in accordance with existing laws and
policies, including the Privacy Act. This Governance Outline recognizes and appreciates the need
for an appropriate balance between the confidentiality, security, and privacy of user PII and the
need to provide better services to the public and other users through a web portal and cloud
computing. DAS fully recognizes its duty of public accountability and places importance on the
security and privacy of PII. The governance policy will cover the areas of PII and DI information
security and privacy for all MyLicense web portal users ('Office of the Australian Information
Commissioner', 2014).
DAS will remain committed to protecting the PII and DI data of MyLicense portal users
against external and internal threats to their security and privacy.
The security and privacy of data require roles associated with them; an IT security expert
will have overall responsibility for enforcing the governance policy, and will report to a relevant IT
security committee created by DAS. The Security Expert/Head will have a team, each member responsible
for various areas and surfaces of the MyLicense Portal, to ensure PII and DI data for users remain
private and secure. The Head will be the owner of Information Security and Privacy and appoint
people in charge of various areas, including audits, risk, control, and compliance (Lowrance, 2013). With
the roles in mind, DAS must ensure measures are taken to enhance user data security and privacy,
as well as integrity.
The team will ensure legal compliance with the relevant laws and regulations pertaining to PII and
DI, including the Privacy Act and the APPs. The team shall ensure that there is compliance with
global standards of user PII and DI privacy and security, including ISO 27018 for cloud security and
ISO/IEC 29100 (Maggiore, 2016).
Ensure high-level planning, testing, implementing, and updating/improvement of the data
management plan for DAS as related to PII and DI, with requirements for regulatory compliance.
Audits must be undertaken frequently so as to ensure new threats are identified and mitigation
measures are either put in place or updated. This will entail putting in place preventive measures that
help stop or mitigate risks and threats before they occur, and measures that mitigate security threats
and risks when they occur (McAllister, Grance & Kant, 2010).
Ensure security measures and tools are put in place, including ensuring that the PII remains
encrypted in all states and the keys are properly managed (McAllister, Grance & Kant, 2010).
Ensure policies that control and restrict access to PII and DI data are put in place and adhered to,
including setting access rights for government staff and ensuring that these are complied with.
Destroying or de-identifying PII and DI when the information is no longer required by the
relevant departments or by DAS.
Continuously updating the governance outline and plan to improve PII and DI data security
and privacy for MyLicense portal users.
The databases must be managed according to industry-standard operations.
There must be metadata and master data management.
Proof of compliance is to be confirmed and documented along with the process (McAllister,
Grance & Kant, 2010).
Governance Outline Plan
Personal data and PII data for DAS users of the HR Personnel Management suite.
Version 1
Ratified By
Date of Ratification
Author(s)
Date of Coming Into Effect
Target Audience
Responsible Committee
Date of Review
Summary
SaaS security for the personal data and PII of DAS users in the HR suite implemented as SaaS has
the following security control areas:
Controlling identity and access management: These are controls that help make sure that
only appropriate users access the HR and personnel management SaaS suite, using devices that have
been approved.
Implementing audits and security measures: Continuously carrying out TRAs and
creating a risk profile and countermeasures.
Compliance: Ensuring compliance with internal security standards and processes and with
regulatory and statutory standards, including the Privacy Act.
The senior managers at DAS form a risk management committee that will set a risk level for
data privacy and security that is acceptable (minimum levels).
The person in charge will ensure that the risk measures that have been put in place are
commensurate with the minimum standards set by the risk management committee (McAllister,
Grance & Kant, 2010).
Data and application controls: All applications need to be registered and analyzed to
establish whether they meet all security requirements and standards. The use of tokens, encryption, and
data loss prevention tools helps protect the PII data and aids the detection of storage,
access, or transmission of sensitive information.
Controls for monitoring and logging: These are controls that help in the detection of
violations of information security and privacy and send the necessary alerts to the right staff for action.
Further, appropriate responses are initiated and corrective action taken.
DAS must develop a suitable security strategy for PII for HR and personnel management
SaaS users and build a reference architecture corresponding to it. All IT staff are to be educated on
the HR SaaS, what it is used for, and its functionality. Enterprise security controls are to be identified and
residual risk determined. The Security Team must comprehend risk calculation and the mitigation of
risks.
The person responsible for the security controls of the HR and Personnel management suite
implemented in the SaaS must be identified and defined; the controls should then be implemented,
such as defining the staff with rights to access the HR SaaS and make changes, and providing strong
authentication mechanisms.
DAS will monitor changes in the technology environment, such as new technologies, and adjust
accordingly, while keeping an eye out for new threats to existing security and privacy technology
and responding to them.
The management/decision makers at DAS will provide full support for ensuring security
and privacy.
The critical business processes relating to the HR and personnel management system will be
fully documented, along with the inherent risks to the processes at different levels in the business
processes.
Employees will be sensitized and trained on best use policies and educated on how to
recognize threats and what actions to take. They will also be held responsible for any breaches that
they are engaged in, whether because of a deliberate act or an accidental act; this implies that
the set security and best practice policies shall be fully enforced.
TRA and risk analyses will be undertaken continuously and a threat profile created; this
threat profile will be updated continuously as circumstances change. Based on the threat analysis,
suitable products to enhance security, including software systems to be installed in the PaaS
SharePoint Intranet and encryption of HR data in the SaaS at all levels (end-to-end encryption), will be
implemented in an informed manner. The security measures will also be reviewed periodically
so that they are updated in line with the prevailing threat and risk environment.
Business processes, security, and assets will be reviewed on a continuous basis with the aim
of attaining continuous improvements.
Compliance with relevant policies and standards, including the ISO/IEC 29100:2011 and ISO 2018
as well as the Privacy Act ('Office of the Australian Information Commissioner', 2014).
Governance for Personal data and PII data for contractors in the Contractor
Management suite
Version 1
Ratified By
Date of Ratification
Author(s)
Date of Coming Into Effect
Target Audience
Responsible Committee
Date of Review
Summary
SaaS security for personal data and PII data for contractors in the Contractor Management
suite implemented in a SaaS has the following security control areas:
Controlling identity and access management: These are controls that help make sure that
only appropriate users access the HR and personnel management SaaS suite using devices that have
been approved.
Implementing audits and security measures: Continuously carrying out TRAs and
creating a risk profile and countermeasures.
Compliance: Ensuring compliance with internal security standards and processes and
regulatory and statutory standards, including the Privacy Act.
The security and privacy measures put in place in this context will also be set by the risk
management committee in line with the minimum acceptable levels of risk.
The security protocols will be implemented using suitable tools, including training and
education of staff on best practices, and evaluations for compliance will be undertaken and recorded.
Contractors will be provided with safe and secure multi-factor authentication and an access
point through which they can get into the system remotely and update their information or data, such as
new product lines.
TRAs on all possible security threats to personal and PII information for the Contractor
management suite users will be undertaken periodically (quarterly) and the risk profile updated as
necessary.
After sensitizing staff and developing this policy, there will be strict enforcement, with any
staff held personally responsible for any involvement in acts of omission or commission, whether
deliberate or accidental.
Security measures will be put in place and reviewed for their effectiveness, and these will
also be documented; measures include end-to-end encryption of all personal and PII data for the
suite users in all states of data (at rest, in transit, and when being used). Pseudonyms will be used
for identification of users for internal purposes to ensure their identities remain hidden, and
blockchaining will be implemented internally for purposes of authenticating users internally when using
the system.
This governance policy, along with the security measures put in place, will be documented during
the analysis process and approved by the risk management committee for compliance with the
internal minimum acceptable security risks.
The person in charge shall ensure there is full compliance with the relevant standards
ISO/IEC 29100:2011 and ISO 2018 (Maggiore, 2016) as well as the Privacy Act, and these will be
documented ('Office of the Australian Information Commissioner', 2014).
Authentication for all employees will be reviewed and changed periodically, and that for
employees who leave the company or retire will be disabled, along with tokens and authentication for
employee remote access devices that are lost, stolen, or no longer in use.
Governance for PII data and financial data for users and DAS staff in the COTS
payroll suite
Version 1
Ratified By
Date of Ratification
Author(s)
Date of Coming Into Effect
Target Audience
Responsible Committee
Date of Review
Summary
The security measures to protect personal and PII data for users and DAS staff in the
COTS payroll suite will have the following areas of control:
Control of users' access to the system
Compliance with internal policies of privacy and security
Audits to ensure compliance and to identify and update new risks
The risk management committee will set the minimum acceptable risk levels that
will be enforced by the Security head.
Actions and tools for security will be implemented fully as put forth by AWS,
including the use of the AWS EBS (Elastic Block Store) for data encryption.
Access to the suite will be restricted through suitable methods for authentication.
Security measures will be put in place at the edge access points.
Compliance will be enforced through audits and by holding any persons going contrary to the
set policies accountable.
References
Lowrance, W. W. (2013). Privacy, confidentiality, and health research. Cambridge: Cambridge
University Press.
Maggiore, d. (2016). The interplay between information security standards and security measures
under the EU data protection legal framework. | Maschietto Maggiore Besseghini. Mmlex.it.
Retrieved 8 October 2017, from
http://www.mmlex.it/en/the-interplay-between-information-security-standards-and-security-measures-under-the-eu-data-protection-legal-framework/
McCallister, E., Grance, T., & Kent, K. (2009). Guide to protecting the confidentiality of Personally
Identifiable Information (PII) (draft): Recommendations of the National Institute of
Standards and Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute
of Standards and Technology.
'Office of the Australian Information Commissioner'. (2014). Privacy fact sheet 17: Australian
Privacy Principles. Sydney: Office of the Australian Information Commissioner.