Privacy and Security Reflection: Smart State Plan and SaaS

Verified

Added on  2019/09/25

|22
|8571
|378
Report
AI Summary
This assignment presents two assessment items focusing on information security and privacy within the context of a hypothetical Smart State Plan and SaaS applications. The first item requires a reflection on the personal and ethical implications of a government's proposed Smart Sensor Network, Smart WiFi Network, and the use of digital identities. Students are tasked with discussing the impact on different categories of people, potential behavioral changes, and steps to ensure security and privacy. The second item involves a risk assessment for a community-based charity transitioning to SaaS applications for HR management. The report requires an analysis of existing and potential security and privacy threats to employee data, including risks associated with digital identities and the operational solutions of the SaaS provider. The report also addresses ethical considerations, data sensitivity, and jurisdictional issues. The assignment emphasizes critical analysis of legal, ethical, and business concerns for data security and privacy in cloud deployments.
Document Page
Assessment item 1
Privacy and Security Reflection
value- 10%
Due Date: 25-Jul-2018
Length: Approx. 3000 words
Task
This assignment is designed to get you to reflect on your personal approach and feelings on
information security and privacy.
Read:
Lau, Y. (2015). Cybercrime in cloud: Risks and responses in Hong Kong, Singapore. In Ko,
R., & Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal, Business and
Management Issues. Waltham, MA: Syngress.
This chapter discusses some of the approaches to cybercrime that are taken by both the Hong
Kong and Singapore governments. But, any approach to cybercrime comes with risks to
information security and privacy.
Tasks:
Assume that an Australian State Government has reviewed the Singapore Government’s
Smart Nation Plan and has decided to implement their own Smart State Plan. This will
initially consist of a network of smart sensors and cameras at traffic lights, bus stops, rubbish
bins, etc. in their CBD to monitor citizens behaviour and address street crime.
1. Discuss what you see as the personal and ethical implications for your privacy of the
proposed Government’s Smart Sensor Network by looking at:
a. The types or categories of people affected by this proposal,
b. What behavioural changes you might expect to see from normal citizens,
c. Would you expect to see changes in individual behaviours, such as choice of activities,
changes in time schedules, etc.
The next part of the Government’s plan is to deploy a Smart WiFi Network which will
consist of a series of sensor boxes to act as WiFi hotspots throughout the city. This would
allow the introduction of a heterogeneous network where smart phones and other devices
could seamless switch between mobile data and WiFi.
2. Discuss what you see as the personal and ethical implications for your privacy of the
proposed Government’s Smart WiFi Network by looking at:
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
a. The types or categories of people affected by this proposal,
b. What behavioural changes you might expect to see from normal citizens using their
mobile devices in the CBD,
c. Would you expect to see changes in individual behaviours, such as choice of activities,
changes in time schedules, etc.
d. What are the implications for you If you had sensitive information on your mobile
device that you did not want to share?
The Smart State Plan will also enrol all citizens with a Digital Identity to ensure that they can
correctly be identified and access services provided by the state both electronically and
physically.
3. If you were visiting the State Capital after the Smart State Plan has rolled out, do you think
that the use of a digital identity would assist you to maintain your privacy while using your
mobile phone or devices during your visit? Discuss the reasons for your answer.
4. What steps do you think that you could take to ensure the security and privacy of your
digital identity while operating your mobile device(s) in this environment? Discuss each step
that you would take along with its advantages and disadvantages.
Each question is worth 25 marks and your overall score will be scaled out of 10. As a guide,
your word limit for this assignment should be around 3,000 words.
Rationale
back to top
This assessment task will assess the following learning outcome/s:
be able to critically analyse the legal, ethical and business concerns for the security
and privacy of data to be deployed to the cloud.
Marking criteria and standards
Document Page
Question HD
Q1. Smart Sensors (25 marks)
Comprehensive
exploration of privacy
and ethical issues
from both personal
and behavioural
viewpoints
Thoro
ugh
explor
ation
of
privac
y and
ethical
issues
with
good
person
al and
behavi
oural
viewp
oints
Q2. WiFi hotspots (25 marks)
Comprehensive exploration of security
& sensitive data issues from both
personal and behavioural viewpoints
Thorough explor
sensitive data issu
personal and beh
Q3. Digital Identity (25 marks) Comprehensive discussion of issues
with use of digital identity
Thorough discuss
of digital identity
Q4. Security & privacy controls (25
marks)
Comprehensive exploration of steps to
take to enhance security and privacy
of mobile devices
Thorough explor
enhance security
devices
Presentation
Document Page
Assessment item 2
Risk Assessment
Due Date: 1-Aug-2018
Length-5000 words
Value-25%
Task
Scenario
You are the principal consultant for a community based Charity. The Charity is involved in
locating and providing accommodation, mental health services, training and support services
to disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50 x86 64 bit servers running
mainly Windows Server 2008 R2 for desktop services, database and file services. It also has
10 Red Hat Enterprise Linux 5 servers to service public facing Web pages, Web services and
support.
The Charity is considering joining a community cloud provided by a public cloud vendor in
order to provide a number of applications to all 500 support staff and administrative users. A
small number of the Charity's applications are mission critical and the data that those
applications use is both confidential and time sensitive.
The community cloud would also be used to store the Charity's 200TB of data. The data
would be held in a SaaS database run by the public cloud vendor. The Charity's data contains
a considerable amount of confidential information about the people to whom the Charity
provides services.
The Charity collects PII data on the clients who use its services so that it can assist them to
manage their different service requirements. This PII data also includes holding some digital
identity data for some of the more disadvantaged clients, particularly if they also have mental
health issues.
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
The cloud vendor has made a presentation to management that indicates that operational costs
will drop dramatically if the cloud model is adopted. However, the Board of the Charity is
concerned with the privacy and security of the data that it holds on the people that it provides
services to in the community. It is concerned that a data breach may cause considerable
damage to substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes appropriate privacy and security
policies for the Charity's data.
The charity has also decided to:
Purchase a HR and personnel management application from a US based company that
provides a SaaS solution.
o The application will provide the charity with a complete HR suite, which will also
include performance management. The application provider has advised that the
company's main database is in California, with a replica in Dublin, Ireland. However,
all data processing, configuration, maintenance, updates and feature releases are
provided from the application provider's processing centre in Bangalore, India.
o Employee data will be uploaded from the charity daily at 12:00 AEST. This will be
processed in Bangalore before being loaded into the main provider database.
o Employees can access their HR and Performance Management information through
a link placed on the Charity intranet. Each employee will use their internal charity
digital ID to authenticate to the HR and Performance management system. The
internal digital ID is generated by the charity's Active Directory instance and is used
for internal authentication and authorisation.
Move the charity payroll to a COTS (Commercial Off The Shelf) application that it will
manage in a public cloud;
Move the charity Intranet into a Microsoft SharePoint PaaS offering so that it can provide
Intranet services to all agencies in the WofG.
Tasks
You have been engaged to provide a risk assessment for the planned moves to SaaS
application offerings.
You are to write a report that assesses the risks to the charity for just their planned moves in
the HR area:
1. Consider the data and information that the charity holds on its employees in the current HR
system.
1. Establish the existing threats and risks to the security of that data and information
contained in the in-house HR database. (10 marks)
2. Are there any additional risks and threats to employee data that may arise after
migration to an SaaS application? (10 marks)
3. Assess the resulting severity of risk and threat to employee data. (10 marks)
2. Consider the privacy of the data for those employees who will move to an SaaS application.
Document Page
1. Establish the existing threats and risks to the privacy of that data and information
contained in the in house HR database. (10 marks)
2. Are there any additional risks and threats to the privacy of the employee data after
migration to an SaaS application? (10 marks)
3. Assess the resulting severity of risk and threat to the privacy of employee data. (10
marks)
3. What are the threats and risks to the digital identities of charity employees from the move
to SaaS applications? (10 marks)
4. Consider the operational solution and location(s) of the SaaS provider for HR management.
Does either the operational solution, or the operational location, or both, increase or
mitigate the threats and risks identified for the security and privacy of employee data? (20
marks)
5. Are there any issues of ethics, data sensitivity or jurisdiction that should be considered by
the charity? (10 marks)
You are to provide a written report with the following headings:
Security of Employee Data
Privacy of Employee Data
Digital Identity Issues
Provider Solution Issues
Data Sensitivity
As a rough guide, the report should not be longer than about 5,000 words.
Rationale
This assessment task will assess the following learning outcome/s:
be able to examine the legal, business and privacy requirements for a cloud deployment
model.
be able to evaluate the risk management requirements for a cloud deployment model.
be able to critically analyse the legal, ethical and business concerns for the security and
privacy of data to be deployed to the cloud.
Marking criteria and standards
Question HD DI
Q1.1. Existing threats to Security of Comprehensive exploration of threatsThorough exploration of threats
Document Page
employee data (10 marks) and risks to security of data that
includes well thought out reasoning
risks to security of data that incl
good reasoning
Q1.2. New threats to security of
employee data (10 marks)
Comprehensive exploration of new
threats and risks to security of data that
includes well thought out reasoning
Thorough exploration of new th
and risks to security of data that
includes good reasoning
Q1.3 Severity of risk to security
employee data (10 marks)
Comprehensive security risk
assessment with excellent severity
ratings
Thorough security risk assessme
very good severity ratings
Q2.1 Existing threats to privacy of
employee data (10 marks)
Comprehensive exploration of threats
and risks to privacy of data that
includes well thought out reasoning
Thorough exploration of threats
risks to privacy of data that inclu
good reasoning
Q2.2 New threats to privacy of
employee data (10 marks)
Comprehensive exploration of new
threats and risks to privacy of data that
includes well thought out reasoning
Thorough exploration of new th
and risks to privacy of data that
includes good reasoning
Q2.3 Severity of risk to privacy
employee data (10 marks)
Comprehensive privacy risk assessment
with excellent severity ratings Thorough privacy risk assessme
very good severity ratings
Q3. Digital Identity issues (10 marks)
Comprehensive exploration of digital
identity threats and risks that includes
well thought out reasoning
Thorough exploration of digital
threats and risks that includes go
reasoning
Q4. Provider issues (20 marks)
Comprehensive exploration of provider
operations issues that includes well
thought out reasoning
Thorough exploration of provide
operations issues that includes g
reasoning
Q5. Data sensitivity issues (10 marks)
Comprehensive exploration of data
sensitivity issues that includes well
thought out reasoning
Thorough exploration of data
sensitivity issues that includes g
reasoning
Presentation and Referencing Up to 5 ma
Up to 5 mark
Presentation
You are to provide a written report in Word format with the following headings:
Security of Employee Data
Privacy of Employee Data
Digital Identity Issues
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Provider Solution Issues
Data Sensitivity
As a rough guide, the report should not be longer than about 5,000 words.
Assessment item 3
Privacy and Data Protection
Value: 25%
Due Date: 22 aug-2018
Submission method options: Alternative submission method
TaskScenario
You are the principal consultant for a community based Charity. The Charity is involved in
locating and providing accommodation, mental health services, training and support services to
disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50 x86 64 bit servers running
mainly Windows Server 2008 R2 for desktop services, database and file services. It also has 10
Red Hat Enterprise Linux 5 servers to service public facing Web pages, Web services and
support.
The Charity is considering joining a community cloud provided by a public cloud vendor in
order to provide a number of applications to all 500 support staff and administrative users. A
small number of the Charity’s applications are mission critical and the data that those
applications use is both confidential and time sensitive.
The community cloud would also be used to store the Charity’s 200TB of data. The data would
be held in a SaaS database run by the public cloud vendor. The Charity’s data contains a
considerable amount of confidential information about the people to whom the Charity
provides services.
The Charity collects PII data on the clients who use its services so that it can assist them to
manage their different service requirements. This PII data also includes holding some digital
identity data for some of the more disadvantaged clients, particularly if they also have mental
health issues.
The cloud vendor has made a presentation to management that indicates that operational costs
will drop dramatically if the cloud model is adopted. However, the Board of the Charity is
Document Page
concerned with the privacy and security of the data that it holds on the people that it provides
services to in the community. It is concerned that a data breach may cause considerable
damage to substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes appropriate privacy and security
policies for the Charity’s data.
The charity has also decided to:
Purchase a HR and personnel management application from a US based company that
provides a SaaS application.
o The application will provide the charity with a HR suite that will provide a complete
HR suite which will also include performance management. The application provider
has advised that the company’s main database is in California, with a replica in
Dublin, Ireland. However, all data processing, configuration, maintenance, updates
and feature releases are provided from the application provider’s processing centre
in Bangalore, India.
o Employee data will be uploaded from DAS daily at 12:00 AEST. This will be processed
in Bangalore before being loaded into the main provider database.
o Employees can access their HR and Performance Management information through
a link placed on the charity intranet. Each employee will use their internal charity
digital ID to authenticate to the HR and Performance management system. The
internal digital ID is generated by the charity’s Active Directory Instance and is used
for internal authentication and authorisation.
Move the the charity payroll to a COTS (Commercial Off The Shelf) application that it will
manage in a public cloud;
o This application will provide the Charity with the suite of tools necessary to process
and manage payrolls for all agencies within DAS. The application provider has
advised that their software is distributed throughout the AWS cloud with instances
in US East, US West, Europe, Asia Pacific, China and South America.
o All configuration, maintenance, updates and feature releases are provided from the
provider’s offices in San Francisco, Beijing, Singapore, Mumbai and Dublin.
o The provider does not do any additional processing of data entered into the
application.
o The charity payroll staff may access the payroll application through a SSO (Single
Sign On) link to a secure URL. Authentication is made using the user’s charity ID
credentials. Each authorised user’s authentication credentials are uploaded to the
application to allow them to logon and access the payroll.
o Data is uploaded to the application by the charity's payroll staff for each agency staff
member, but can also be uploaded in bulk using a CSV file. CSV files are uploaded
using an upload link in the application.
o Completed payroll files are sent to the appropriate banking institutions through a
secure link provided by each bank.
o Regular transaction and audit reports for each agency are available to the charity's
payroll staff.
Move the charity Intranet into a Microsoft SharePoint PaaS platform so that it can provide
Intranet services to all users in the charity no matter where they are located.
o This solution will provide the charity with the ability to provide Intranet services to
all users with each charity location having its own site within the overall structure.
Document Page
o The PaaS offering has been chosen as it gives the charity administrators the ability to
configure the sites for all separate charity locations, and still allow users to access
any of those individual sites.
o The application provider has advised that their software is distributed throughout
the Azure cloud with instances in US East, US West, Europe, Asia Pacific, China and
Australia.
o It is proposed that users will be able to access the platform through an SSO (Single
Sign On) link to the platform portal. Authentication will be made using the user’s
charity ID credentials . The charity will need to use Active Directory Federated
Services (ADFS) to federate to an Azure AD instance for authentication and
authorisation. This authentication process will be validated with a SAML 2.0
certificate.
o The charity’s web staff will be able to configure all the separate charity location sites
to reflect their own internal news, along with a range of news provided by the
charity.
Tasks
After your successful engagement to provide a security and privacy risk assessment for the charity,
you and your team have again been engaged to develop privacy and personal data protection
strategies for the charity.
Team Setup
This assignment is the first of the team assignments for this subject. The rationale for using a
team approach is that most IT policy formulations are normally conducted by teams of
between 2-5 Architects, Information Security experts, Operations and Business leaders for
each problem. You are already assigned to a team and the team, as a whole, will be
responsible for the development of the policies.
Team Member Responsibilities
Each team member will be assessed on:
The final privacy and personal data protection strategies presented by the team;
The individual contributions that they have made to the policy formulation. This will be
shown by the entries that they have made in the Team forum;
Team members should note that:
A total of 20% of the total marks for this assignment are for individual contributions. These
include:
o Contributions to the development of privacy and data protection policies (10%), and
o Reasoning behind the development of privacy and data protection policies (10%)
A team member without any individual contributions in the Team Forum will be regarded as
having not contributed to the risk assessment. This will result in either reduced marks or no
marks being awarded to that team member for this assignment.
The task:
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Your team is to write a report that proposes appropriate policies for DAS in the following
areas:
1. Develop a Privacy strategy proposal for the charity. The strategy should include the following
items:
1. Management of personal information,
2. Collection and management of solicited personal information,
3. Use and disclosure of personal information,
4. Use and security of digital identities,
5. Security of personal information,
6. Access to personal information,
7. Quality and correction of personal information.
2. The controls that you recommend that would:
1. Mitigate the previously identified privacy risks,
2. Implement the privacy strategy.
3. Develop a personal data protection strategy proposal for the charity. This strategy should
include:
1. Protection of personal information,
2. Authorised access & disclosure of personal information,
3. De-identification of personal data,
4. Use of personal digital identities,
5. Security of personal data,
6. Archiving of personal data.
4. The controls that you recommend that would:
1. Mitigate the previously identified security risks,
2. Implement the personal data protection strategy.
The team is to provide a written report with the following headings:
Privacy strategy for personal data
Recommended Privacy controls
Personal data protection strategy
Recommended personal data protection strategy.
As a rough guide, the report should not be longer than about 8,000 words. The report is to be
written in Word format and posted in the Team File Exchange area in Interact.
The Privacy Strategy Group Wiki page in the Team area in Interact should be used to develop
the strategy document and gather comments and suggestions from each team member. This
Wiki should be exported as a single file and placed in the Team File Exchange area.
Any strategy discussions in the team forum should be exported into a single document and
loaded into the Team File Exchange area in Interact.
Each student is required to submit the following through EASTS when their
group assignment is complete. This submission should contain the
following:
Student name
Team name
Assignment number
Document Page
Assignment file name
Copy of the student's answer to the question allocated to them by the
team.
This will allow you to receive marks and feedback when your team
assignment is marked.
Rationale
This assessment task will assess the following learning outcome/s:
be able to examine the legal, business and privacy requirements for a cloud deployment
model.
be able to evaluate the risk management requirements for a cloud deployment model.
be able to critically analyse the legal, ethical and business concerns for the security and
privacy of data to be deployed to the cloud.
be able to develop and present a series of proposed security controls to manage the security
and privacy of data deployed to the cloud.
Marking criteria and standards
back to top
Questions HD DI
Q1. Privacy strategy for personal
data (20 marks)
Comprehensive development of policy
covering all aspects listed in the task,
with excellent discussion of threats and
risks to privacy of data
Thorough development of policy
covering most aspects listed in
task, with proficient discussion
threats and risks to privacy of da
Q2. Recommended privacy controls
(20 marks)
Comprehensive evaluation and
matching of privacy threats with
controls showing excellent logical
analysis
Thorough evaluation and match
privacy threats with controls sho
proficient logical analysis
Thorough development of policy
covering most aspects listed in
task, with proficient analysis of
protection of data
Comprehensive development of policy
covering all aspects listed in the task,
with excellent analysis of protection of
data
chevron_up_icon
1 out of 22
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]