Risk Assessment Report: AMP Limited Cloud Migration Project Analysis


Added on  2019/10/30

AI Summary
This report presents a risk assessment for AMP Limited's planned migration of critical business applications and data to an external cloud. It begins with a literature review of four journal articles exploring cloud computing risks, including security vulnerabilities, legal issues, and compliance concerns. The report then formulates a formal risk evaluation, assessing potential risks like governance loss, vendor lock-in, isolation failures, and compliance challenges, using a 0-8 scale to gauge impact and likelihood. It also details how to communicate risks effectively. Finally, it recommends outsourcing IT services to multiple cloud providers to diversify risk and suggests implementing a federated identity management solution. The report emphasizes the importance of risk management in financial services and the need for a thorough evaluation of cloud migration projects to ensure data security and compliance with Australian regulations. This report aims to provide insights and recommendations for the implementation of the cloud migration project, which includes the identification of potential risks, the evaluation of their impact and probability, and the development of strategies to communicate and mitigate them. The recommendations include outsourcing IT services to various cloud providers, as well as a federated identity management solution.
Running head: RISK ASSESSMENT
Risk Assessment
Name of the Student:
Name of the University:
Author’s Note:
Course ID:
Table of Contents
1. Introduction
2. Research
3. A formal risk evaluation
4. Communication of the risk
5. Recommendations
6. Conclusion
References and Bibliographies
1. Introduction:
AMP Limited, the subject of this report, is a popular financial services organisation in
Australia that is planning to implement numerous IT projects to ensure smooth and seamless
operations (Amp.com.au, 2017). Cost saving is another major driver behind these IT projects.
Based on the project portfolio, a significant exercise that the organisation intends to conduct
is the migration of its critical business applications and related data sources to an external
cloud. Hence, the report identifies four journal articles related to the topic, and a formal
risk assessment has been formulated for AMP Limited accordingly. Finally, the report sheds light
on risk communication and potential recommendations to depict the overall solution outcome.
2. Research:
Journal 1: Bowers, J., & Khorakian, A. (2014). Integrating risk management in the
innovation project. European Journal of Innovation Management, 17(1), 25-40.
According to the researchers, cloud computing users need an effective level of security from
their service providers against threats such as DDoS attacks, which endanger both the service
providers and the customers. This makes it necessary for service providers to obtain and
maintain a security certification, which also helps in making effective decisions. The demand
for audits has kept the providers very busy, which paved the way for standardising the
questions into a list of recommendations developed with the help of reports. This list could be
used for obtaining and providing assurance to the customers. The customer checklist is intended
to assess the risk at the time of adopting the cloud system. In addition, it covers comparing
the offerings of the various service providers and obtaining assurance from the chosen service
providers. Furthermore, according to the researchers, it minimises the assurance-related burden
on the providers. Thus, the customer checklist is intended to cover all technical, legal,
policy and physical security issues.
Journal 2: Bolton, P., Chen, H., & Wang, N. (2013). Market timing, investment, and risk
management. Journal of Financial Economics, 109(1), 40-62.
The researchers have stated that legal issues would be resolved at the time of contract
evaluation, when the various service providers are compared, and during negotiations. The most
common practice in cloud computing is to choose service providers in the market based on the
offers they make. However, the authors have stated that this practice is completely different
from the philosophy of negotiation. On the other hand, contract negotiation is open to the
potential customers of the cloud computing system. The nature of cloud computing calls for an
extensive review of the standard contract, and this differs from traditional internet services.
If there is any type of breach in the service, the contracted customers might pay special
attention to their legal obligations and rights. These could apply to the transfer of data,
derivative works, change of control and data access by law enforcement authorities.
Cloud computing is a powerful medium for outsourcing critical internal infrastructure.
Any barrier to such infrastructure could have a broad impact, which is why the allocation of
liability needs to be taken into account in the standard limitations for the responsible
parties. The service providers and customers need to go through the contractual terms on
security risks until legal matters arise about a particular security concern of the cloud
system.
Journal 3: Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk
management: Review, critique, and research directions. Long Range Planning, 48(4), 265-276.
AMP Limited is a popular financial services institution that manages million-dollar deals
daily, and it is a highly risky and unadventurous firm. The firm is fully concerned with
protecting the integrity, availability and confidentiality of its information. The organisation
aims to shift its critical IT operations and data sources to an external cloud hosting
solution. Cost savings could be viewed as a significant motivation for the organisation to move
its IT operations into cloud computing; however, the migration must be evaluated carefully for
the vulnerabilities and risks of cloud computing with reference to the reputational, legal and
compliance frameworks of Australia. Since AMP Limited is a financial services firm, the
information that it manages is extremely sensitive and confidential. The organisation's thought
process behind each decision is extensive, particularly for decisions regarding IT projects.
These might involve working with or exposing sensitive information.
These decisions might expose the company to greater vulnerabilities and risks. A single
lapse in data security could cause the organisation heavy damage in terms of reputation, money
and conformance, and it could face penalties from government bodies. Even though the Australian
government facilitates the transfer of corporate IT assets to the cloud, particularly for cost
saving, AMP Limited is required to review the cloud migration project thoroughly.
Journal 4: Giannakis, M., & Papadopoulos, T. (2016). Supply chain sustainability: A risk
management approach. International Journal of Production Economics, 171, 455-470.
According to the researchers, customers can provision services on demand. These services are
accessible online and can be reached from any place with the pertinent verification. Cloud-based
resources can be shared across multiple consumers, and they remain automatically scalable.
Service usage is measured on a pay-per-use model and remains visible to customers. Cloud
computing services are offered under three service models: “Software as a Service (SaaS),
Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)”. In the SaaS model,
consumers are able to use the provider's software, which runs on cloud-based infrastructure,
for example in the form of web-based mail. The provider manages the infrastructure and the
consumers are charged depending on their service usage.
In the PaaS model, customers obtain tools, libraries, application services or programming
languages prepared by the cloud provider. In this model, the provider manages the
infrastructure while the consumers control the deployed applications and the related
environment configurations. In the IaaS model, providers offer consumers the capability to
provision computing infrastructure such as networks, servers and storage. Consumers can manage
and use these capabilities to deploy and run software when necessary.
3. A formal risk evaluation:
Process of risk evaluation:
Uncertainty is assessed through the probability of a disaster scenario, gauged against its
negative effects. These negative effects are estimated as well. The effect of each scenario
and its business impact could be provided through expert consultation, which helps an architect
design a particular cloud model. Scales from 0 to 8 are used to gauge the business effect and
the probability of the issues faced, and they are developed against the risk-taking criteria
(Bodie, 2013). The scale is shown below:
Low risk (0-2)
Medium risk (3-5)
High risk (6-8)
The significant kinds of risk encountered in the cloud system are discussed briefly as
follows:
Governance loss:
In a cloud computing system, customers always intend to obtain control from the cloud
provider over many issues that could have a serious impact on the overall system (Chance &
Brooks, 2015). However, it is not possible for the SLAs to provide this in place of the cloud
provider. This is the main reason behind the chance of a security breach in the system's
defences.

| Factor | Assessment |
|---|---|
| Likelihood | Extremely high |
| Effect on security posture | Extremely elevated in IaaS; decreased in SaaS |
| Vulnerabilities | Unresolved portions and responsibilities; ineffective use of role demarcations; adjusting accountabilities along with stated responsibilities that are outside the cloud computing system; SLA sections with incoherent undertakings to different stakeholders; shortage pertaining to solutions and standard technologies; data centres in various jurisdictions along with a dearth of transparency; unresolved asset ownership |
| Affected assets | Brand image of AMP Limited; consumer-related information; individual data of employees; service delivery; trust of the customers |
| Risk | Increased |

Lock-in:
In the current environment, little is on offer in the way of tools, procedures and standard
data formats that could guarantee data, serviceability and portability. This could make it
difficult for customers to migrate data, change provider or move to an in-house information
technology environment (DeAngelo & Stulz, 2015). This paves the way for dependency on a
specific cloud provider, particularly in case portability is enabled.

| Factor | Assessment |
|---|---|
| Likelihood | Extremely high |
| Impact on posture of security | High |
| Vulnerabilities | Deficiency in relation to solutions and standard technologies; ineffective selection of the cloud provider |
| Affected assets | Brand image of AMP Limited; customer-related data; personal data of employees; service delivery; trust of the customers |
| Risk | High |

Isolation-related failure:
Shared resources and multi-tenancy have increased the recognition of the cloud computing
system (Grace et al., 2015). A risk is present if failures take place in the mechanisms that
separate memory, storage, routing and reputation among tenants, which is considered a consumer
attack. However, it is extremely difficult for a hacker to attack the isolation of cloud
resources, whereas this could be carried out easily in a traditional operating system
(Hopkin, 2017).

| Factor | Assessment |
|---|---|
| Likelihood | Low (private cloud); Medium (public cloud) |
| Impact on posture of security | Extremely High |
| Vulnerabilities | Vulnerabilities because of hypervisor VMs; absence of reputational or reverse isolation; likelihood of attacks or cloud network probing; likelihood of co-residence checks |
| Affected assets | Brand image of AMP Limited; customer-related data; personal data of employees; service delivery; trust of the customers |
| Risk | High |

Compliance risk:
Investment made to achieve certification, such as that needed by government, carries
uncertainty if information is transferred to the cloud as part of the migration (Hwang, Zhao &
Toh, 2014).

| Factor | Assessment |
|---|---|
| Likelihood | Extremely high, relying on compliance frameworks |
| Impact on posture of security | High |
| Vulnerabilities | Unavailability of audits to the customers; absence of technological standardisation; data centres in various jurisdictions and absence of transparency in information on jurisdictions; transparency defaults in relation to use |
| Affected assets | Accreditation and certification |
| Risk | High |

4. Communication of the risk:
In order to communicate the risk, it is first necessary for AMP Limited to appoint a special
risk management team consisting of a minimum of five members in the panel. They need to take
into account both the internal and external factors affecting the implementation of the cloud
computing system within the organisation. After the risks are identified, they need to be
evaluated properly and appropriate actions should be framed in order to mitigate them
(Marcelino-Sádaba et al., 2014). The suggested solutions should be passed to the top management
for approval; if the higher-level management finds them effective, they would be approved and a
message would be sent to the IT department about the implementation of the system.
5. Recommendations:
Based on the risk assessment strategy and communication strategy of the organisation, it
could be recommended that the migration of IT services to the cloud be outsourced to three
different cloud service providers. Each of them needs to provide a different service model and
host different types of applications. This would help in minimising the centralisation of
information at one provider, which, in turn, would help in minimising the overall risk
associated with data loss (Ibelings et al., 2014). The services would be linked with the help
of a federated identity management solution, and this model of cloud hosting could be regarded
as a merged cloud.
Within the model, the first cloud provider would offer cloud infrastructure under the SaaS
model in the form of desktop applications, e-mail and messaging systems. The data centres for
such applications might be located across global locations (Lam, 2014). The second cloud
service provider needs to offer services to host the SaaS model, which would comprise hosting
the development and execution of custom applications. The third cloud service provider would
provide infrastructure on top of the cloud in order to host data sources and applications like
customer relationship management associated with human resources, finance and accounting
under the IaaS model (Li et al., 2015).
Initially, AMP limited would be accountable to manage the mechanisms pertaining to
disaster control along with of the applications migrated under PaaS and IaaS models with the