Community Charity Cloud Security: PII Protection and Risk Mitigation


Added on  2023/06/04

AI Summary
This report addresses the privacy and security concerns of a community-based charity migrating to the cloud. It includes a Threat and Risk Assessment (TRA) for the MySupport Portal, focusing on Personally Identifiable Information (PII). The report identifies key risks such as stolen credentials, malware infection via phishing, stolen storage devices, hacking, and operational risks. Mitigation strategies are proposed for each risk, including risk reduction, risk avoidance, and risk transfer. Furthermore, the report outlines a comprehensive PII strategy, emphasizing cybersecurity awareness, data protection in the public cloud, and anti-phishing measures. It also covers digital identity strategy and governance plan to ensure data security and regulatory compliance. The document concludes with recommendations for ongoing monitoring and improvement of the charity's cloud security posture.
Running head: CLOUD PRIVACY AND SECURITY
Cloud Privacy and Security
Name of the Student
Name of the University
Author Note
Table of Contents
Appendix A: The TRA
  References
Appendix B: PII Strategy
  Cyber Security Attack and Mitigation Strategy
  Malware Infection by Phishing and Mitigation Strategy
  Risk of Stolen Storage Devices and its Mitigation
  Risk of Hacking or Gaining Physical Access to the Network and its Mitigation
  Operational Risk and Mitigation Strategy
  References
Appendix C: Digital Identity
  Strategy
  References
Appendix D: Governance Plan
  References
Appendix A: The TRA
The community-based charity is planning to move to the cloud. The organization will implement a SaaS HR and personnel management suite, a COTS payroll solution and PaaS SharePoint services. The MySupport Portal, which has been developed so that the charity's clients can register with the charity, requires a threat and risk assessment because it will store personally identifiable information. Personally identifiable information (PII) is information that can be used to identify an individual (Majeed, Ullah & Lee, 2017); it directly defines a person's identity. A threat and risk assessment of the data held in the MySupport Portal is necessary because the portal will hold the clients' digital records, and those records are private and confidential.
In general, all information classed as PII is sensitive. In this case the PII includes personally identifiable financial information, social security numbers and similar identifiers. Holding PII brings specific threats and security challenges. The PII stored in the MySupport Portal is put at risk mainly by cyber attacks and data breaches (Barocas & Nissenbaum, 2014). A data breach is a significant threat to PII: attackers target personally identifiable data because it facilitates identity theft, fraud and further attacks such as social engineering and phishing. The need to protect PII is therefore immense, and a threat and risk assessment is documented for the MySupport Portal so that the threats can be identified and mitigated.
The major risks identified for the MySupport Portal concern privacy and data protection. A threat and risk assessment can be considered a pillar of security risk management for the protection of PII. The TRA for the MySupport Portal is presented in the following table.
Threat | Probability | Severity | Description | Mitigation approach
--- | --- | --- | --- | ---
Stolen credentials (Li, 2013) | High | High | The risk of stolen credentials is considerably high because the charity is using a public cloud platform (Louw & von Solms, 2013). Since both the probability and the severity of this risk are high, it must be mitigated. | Risk reduction is the recommended approach for this scenario.
Malware infection by phishing | High | High | The use of a public cloud platform exposes the MySupport Portal to this risk. Since both the probability and the severity of this risk are high, an appropriate mitigation approach is needed. | Risk avoidance is the recommended strategy for this risk.
Stolen storage devices | Low | High | Since the data will be stored in the cloud, the chance of this risk materialising is considerably low. | Risk avoidance.
Hacking or gaining physical access to the network | Medium | Medium | Hacking is a significant threat to which the PII held in the MySupport Portal is exposed. | Risk reduction, achieved by ensuring proper security of the network.
Operational risk | Low | Low | Operational risk refers to disruptions the charity may face in operating the portal; mitigating it is essential. | Risk transfer to a third party willing to take on the risk; the public cloud vendor can act as that third party.
The table above presents the threats and risks to which the charity's MySupport Portal is exposed. The clients' PII stored in the portal is exposed to each of the risks identified there. Managing and mitigating these risks is essential because the clients' data is confidential and must be protected. Note that the risks labelled "risk avoidance" in the table are addressed in Appendix B with controls such as access restriction and anti-phishing measures, which in practice reduce rather than eliminate the risk; they should therefore be tracked and reviewed in the same way as the risk reduction items.
References
Barocas, S., & Nissenbaum, H. (2014). Big data's end run around procedural privacy
protections. Communications of the ACM, 57(11), 31-33.
Li, J. (2013). Privacy policies for health social networking sites. Journal of the American
Medical Informatics Association, 20(4), 704-707.
Louw, C., & von Solms, S. (2013, October). Personally identifiable information leakage through
online social networks. In Proceedings of the South African Institute for Computer
Scientists and Information Technologists Conference (pp. 68-71). ACM.
Majeed, A., Ullah, F., & Lee, S. (2017). Vulnerability- and diversity-aware anonymization of personally identifiable information for improving user privacy and utility of publishing data. Sensors, 17(5), 1059.
Appendix B: PII Strategy
The privacy and data protection risks to the PII stored in the MySupport Portal must be mitigated because the portal will hold the details of the charity's clients. The TRA has identified the risks to the privacy and confidentiality of the stored data and given an overview of the mitigation approach for each of them. The aim of this document is to identify the strategies and approaches that can mitigate the risks associated with storing that data (Ward, Ibarra & Ruddle, 2013). The identified risks are: stolen credentials resulting from a cyber attack, malware infection via phishing, stolen storage devices, hacking, and operational risk, each of which can compromise the protection and confidentiality of the data (Jang-Jaccard & Nepal, 2014). The strategy proposal for the data stored in the MySupport Portal is discussed in the following sections.
Cyber security Attack and Mitigation Strategy
Cyber security awareness is necessary to avoid attacks on the PII stored in the MySupport Portal. Protecting this information matters because it can be used to locate or identify an individual (Ullah, Khan & Aboalsamh, 2013). This is a significant risk to PII, and according to the TRA both the probability of occurrence and the severity of the risk are high.
A cyber attack or data breach is a significant threat to the PII mainly because the data is stored in a public cloud, which is exposed to attack. The strategy proposed to mitigate this risk is therefore risk reduction.
Reducing the risk means enforcing data protection in the public cloud. This involves applying suitable data protection paradigms or choosing a trusted vendor (Mills & Goldsmith, 2014). Designing the system in-house is another recommended approach for enforcing security in the public cloud.
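As an added example (not part of the original report), the following Python script shows one concrete risk reduction control for the stolen-credentials row of the TRA: monitoring the portal's login log for the two patterns that a replayed list of stolen credentials produces, one client address trying many accounts in quick succession, and one account succeeding from different networks minutes apart. The log format, field names, thresholds and sample entries are all assumptions constructed for this illustration; a SaaS or PaaS vendor's audit log would need its own parser.

```python
"""Detecting stolen-credential use in MySupport Portal login logs.

Added example for this report; it is not part of the original document.
The log format (one line per login attempt: ISO timestamp, client IP,
username, SUCCESS|FAILURE), the field names and the thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries six accounts in six seconds
# (credential stuffing) and gets into "frank", while "alice" logs in from
# two different networks two minutes apart.
SAMPLE_LOG = """\
2023-06-04T09:00:01 203.0.113.5 alice FAILURE
2023-06-04T09:00:02 203.0.113.5 bob FAILURE
2023-06-04T09:00:03 203.0.113.5 carol FAILURE
2023-06-04T09:00:04 203.0.113.5 dave FAILURE
2023-06-04T09:00:05 203.0.113.5 erin FAILURE
2023-06-04T09:00:06 203.0.113.5 frank SUCCESS
2023-06-04T09:05:00 198.51.100.7 alice SUCCESS
2023-06-04T09:07:00 192.0.2.9 alice SUCCESS
2023-06-04T10:00:00 198.51.100.7 bob SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return events


def detect_spray_sources(events, min_users=5, window=timedelta(minutes=5)):
    """Return {ip: set(usernames)} for every client IP that attempted at
    least `min_users` distinct usernames inside any sliding `window`.
    A real user rarely tries several accounts in quick succession; a
    stolen-credential list replayed by an attacker does."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def compromised_accounts(events, spray_sources):
    """Accounts that a flagged source logged into successfully: these
    credentials should be treated as stolen and reset."""
    return {e["user"] for e in events if e["ok"] and e["ip"] in spray_sources}


def detect_multi_ip_logins(events, window=timedelta(minutes=10)):
    """Usernames with successful logins from different IPs within `window`.
    This is a weaker signal (a phone and a laptop on different networks
    trigger it too), so treat it as a lead for review, not as proof."""
    successes = defaultdict(list)
    for e in events:
        if e["ok"]:
            successes[e["user"]].append(e)
    suspicious = set()
    for user, logins in successes.items():
        logins.sort(key=lambda e: e["ts"])
        for earlier, later in zip(logins, logins[1:]):
            if earlier["ip"] != later["ip"] and later["ts"] - earlier["ts"] <= window:
                suspicious.add(user)
    return suspicious


def analyse(text):
    """Run all checks over raw log text and return a sorted summary."""
    events = parse_log(text)
    sources = detect_spray_sources(events)
    return {
        "spray_sources": sorted(sources),
        "compromised": sorted(compromised_accounts(events, sources)),
        "shared_accounts": sorted(detect_multi_ip_logins(events)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the script flags 203.0.113.5 as a spraying source, marks "frank" as a compromised account whose password should be reset, and lists "alice" for review. The thresholds (five distinct accounts in five minutes, two networks within ten minutes) are starting points and should be tuned against the charity's real login volume.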
Malware Infection by Phishing and Mitigation Strategy
Another significant threat to the PII stored in the portal is malware infection, which is most commonly introduced through phishing. The registered clients' data is stored in the public cloud so that it is easily accessible, but that same accessibility exposes it to malware, so proper risk management is necessary (Khonji, Iraqi & Jones, 2013). Because malware commonly spreads through phishing, an approach that mitigates both malware and phishing is needed.
The severity of the malware threat is high mainly because the data is held in a public cloud environment, which increases the chance of a data breach. Phishing is one of the main routes to a malware attack because it is the easiest way to introduce malware into a system. It is a social engineering attack that can steal users' data, clients' login credentials and credit card numbers, putting their privacy at risk (Kumar, Srikanth & Tejeswini, 2016). A malware attack can therefore compromise the data protection of the portal, so this risk must be mitigated with high priority. In the TRA, risk avoidance is proposed for the malware risk. Avoiding the risk includes not responding to spam mail, and the clients should be kept aware of the different phishing techniques. The portal should be provided with an anti-phishing toolbar that can help avoid this risk, and the use of firewalls is also recommended to mitigate the risks associated with malware and phishing. Since mail to the clients cannot be stopped altogether, these controls lower the likelihood of a successful phish rather than eliminate it, which is why client awareness remains part of the strategy.
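As an added example (not part of the original report), the Python below implements the kind of checks an anti-phishing toolbar or mail filter applies to a message before a client acts on it: a Reply-To that differs from the sender, link text that shows one host while the href points to another, a look-alike or punycode domain close to the portal's own, and plain-http links. The portal domain, the two sample messages and the indicator threshold are assumptions constructed for this illustration.

```python
"""Heuristic phishing indicators for mail received by MySupport Portal users.

Added example for this report; not part of the original document. The trusted
portal domain, the sample messages and the indicator set are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "mysupport-charity.example"  # assumed legitimate portal domain

# Constructed legitimate notification from the portal.
LEGIT_MESSAGE = """\
From: MySupport Portal <notices@mysupport-charity.example>
To: client@example.org
Subject: Your MySupport account
Content-Type: text/html; charset=utf-8

<p>Dear client,</p>
<p><a href="https://mysupport-charity.example/login">Sign in</a> to update your details.</p>
"""

# Constructed phish: the sender looks right, but Reply-To goes elsewhere and
# the link text shows the real domain while the href uses a zero-for-o look-alike.
PHISHING_MESSAGE = """\
From: MySupport Portal <notices@mysupport-charity.example>
Reply-To: helpdesk@mail-recovery.example
To: client@example.org
Subject: URGENT: verify your MySupport account
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Verify now:</p>
<p><a href="http://mysupp0rt-charity.example/login">https://mysupport-charity.example/login</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _domain_of(header_value):
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    from_domain = _domain_of(msg.get("From", ""))
    reply_domain = _domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = _host(href)
        if not host:
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            indicators.append(f"punycode (IDN) host in link: {host}")
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            indicators.append(f"link text shows {shown} but points to {host}")
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            distance = _edit_distance(host, trusted_domain)
            if distance <= 2:
                indicators.append(f"look-alike domain {host} ({distance} edit(s) from {trusted_domain})")
        if urlparse(href).scheme == "http":
            indicators.append(f"plain-http link to {host}")
    return indicators


def is_suspicious(raw_message, threshold=2):
    """Flag a message when at least `threshold` indicators are present; one
    indicator alone is a common false positive (newsletters often set a
    separate Reply-To, for example)."""
    return len(phishing_indicators(raw_message)) >= threshold


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISHING_MESSAGE)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

The legitimate message produces no indicators, while the constructed phish produces four. The threshold of two and the edit-distance bound of two are starting values; they should be tuned against real mail the charity receives before the check is used to block or quarantine anything, and clients should still be told to report messages that the filter lets through.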
Risk of Stolen Storage devices and its mitigation
Another risk identified in the TRA is the theft of storage devices. The clients' data is stored in the public cloud, and although public cloud use carries its own security risks, the TRA rates the probability of this particular risk as quite low. If it does materialise, however, the consequences are significant, since its severity is high, so this risk must be mitigated as well. The recommended strategy is risk avoidance, achieved by allowing only registered individuals access to the data stored in the public cloud linked to the portal. This should considerably reduce the risk.
Risk of Hacking or gaining Physical access to the network and its Mitigation
The TRA has identified the risk of hacking into the network, which must also be analysed and addressed. Both the probability of occurrence and the severity of this risk are medium, so it need not be addressed with the highest priority. The mitigation strategy recommended by the TRA is risk reduction: the risk can be reduced by using firewalls for network protection to prevent unauthorised access to the system.
Operational Risk and Mitigation strategy
Another risk that can affect the privacy and security of the data stored in the portal is operational risk (Hopkin, 2018). Any disruption to the normal operation of the portal is expected to arise mainly from privacy and security issues. The TRA, however, rates both the probability of occurrence and the severity of this risk as quite low. The mitigation strategy for this risk is risk transfer (Cruz, Peters & Shevchenko, 2014): the cloud vendor should take charge of mitigating it and ensure the smooth operation of the MySupport Portal.
References
Cruz, M. G., Peters, G. W., & Shevchenko, P. V. (2014). Fundamental aspects of operational
risk and insurance analytics: A handbook of operational risk. John Wiley & Sons.
Hopkin, P. (2018). Fundamentals of risk management: understanding, evaluating and
implementing effective risk management. Kogan Page Publishers.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of
Computer and System Sciences, 80(5), 973-993.
Khonji, M., Iraqi, Y., & Jones, A. (2013). Phishing detection: a literature survey. IEEE
Communications Surveys & Tutorials, 15(4), 2091-2121.
Kumar, J. D., Srikanth, V., & Tejeswini, L. (2016). Email phishing attack mitigation using server
side email addon. Indian Journal of Science and Technology, 9(19).
Mills, S., & Goldsmith, R. (2014). Cybersecurity challenges for program managers. Defense Acquisition University, Fort Belvoir, VA.
Ullah, I., Khan, N., & Aboalsamh, H. A. (2013, April). Survey on botnet: Its architecture, detection, prevention and mitigation. In 2013 10th IEEE International Conference on Networking, Sensing and Control (ICNSC) (pp. 660-665). IEEE.
Ward, D., Ibarra, I., & Ruddle, A. (2013). Threat analysis and risk assessment in automotive
cyber security. SAE International Journal of Passenger Cars-Electronic and Electrical
Systems, 6(2013-01-1415), 507-513.