Question

Scenario

The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres. As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). The result of this move will be that each Department or Agency that runs one of these services for its own users will be required to migrate its data to DAS so that it can be consolidated into one of the DAS centralised databases. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.

Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:

  • Purchase an HR and personnel management application from a US based company that provides a SaaS solution.
    • The application will provide DAS with a complete HR suite, which will also include performance management. The application provider has advised that the company’s main database is located in a Cloud datacentre based in California in the United States, with a replica database located in a cloud datacentre in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
    • Employee data will be uploaded from DAS daily at 12:00 AEST. This will initially be transferred to Bangalore in India for processing before being loaded into the main provider database in California.
    • Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance Management system. The internal digital ID is generated by each agency’s Active Directory instance and is used for internal authentication and authorisation.
  • Move the DAS payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud.

Tasks

After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to consider some additional questions that DAS management has raised. Prepare a presentation for DAS Management using the TRA you recently completed on the security and privacy of employee data. Your presentation is to show:

  1. Discuss how the operational solution using a SaaS application, and the location(s) of the SaaS provider for HR management, may affect the security posture of DAS.
  2. Explain whether the operational solution, the operational location(s), or both increase or mitigate the threats and risks identified for the security and privacy of employee data.
  3. Discuss the security and privacy implications for DAS of the data processing location.
  4. Discuss any issues of data sensitivity that you think should be considered with either the chosen solution or the storage/processing locations.
  5. Discuss any issues of data sovereignty that should be considered.

Homework Answers

Answer #1

Cloud Systems:

  • A cloud system is a system that helps eliminate the need for any kind of hardware or for making use of any kind of software, while users can quickly be added or removed as per the requirements.
  • Also, users can access virtual desktops from multiple devices or web browsers, which helps in maintaining a procedure for working with the workspace from anywhere, at any time.
  • Cloud systems have the ability to store data independently of location and machines. They can also provide data whenever and wherever it is needed, so as to make the data omnipresent.
  • The cloud-based system is based on establishing risk management processes and procedures to provide a mission-critical service. The provision of the services is widespread.
  • During any kind of disaster or recovery, the systems are up and can run without any problem. The setup can be resumed in order to balance the use of business continuity.
  • The plan will also consider various events and procedures during the disaster, which must be managed according to the requirements.
  • Virtualization has always been the key to business continuity, and this is something that can easily be done with the help of cloud systems. The most authentic and effective design will be acknowledged when a disaster has occurred, and there will be a certain level of stable backup operational.
  • The cloud will provide us with the most cost-efficient and scalable methods of computing for the type of industry on which you are doing a certain study. Cloud has recently become the most popular alternative for enterprise disaster recovery.
  • Also, AWS WorkSpaces makes use of two ENIs (Elastic Network Interfaces), which are used for management and streaming (eth0) and primary (eth1). Both of these have unique tasks to perform.
  • The client applications also make use of HTTPS over port 443 for all authentication-related information, and also make use of the cloud services securely and privately in case of such needs.

Hence, this is how AWS cloud systems work and provide us with more coverage over databases and similar technologies.

Potential Risks in Cloud-based systems:

There are also some potential risks that must be focused on while making use of cloud services. They are listed below:

  • The potential risks in the cloud are transferred to the cloud providers using hardware-independent virtualization technologies, which are nowadays a trend in disaster recovery.
  • Cloud personnel are known for designing the cloud for such disaster recovery and making the cloud the hinge of the most effective designs of enterprise IT architectures.

Hence, this is how one can transfer the potential risks to the cloud providers.

Risk Assessment & Threat Vulnerability:

Nowadays, companies have moved on to the Agile or Rapid Application Development SDLC (Software Development Life Cycle), which has resulted in a reduced development timeframe. Now, starting with the risk assessment for cloud-based systems, here we go:

  1. Collecting Information:
    • The collection of information is one of the major parts that play a role in the security of the organization. The URL of the target must be accessible to gain information.
    • Information caught in the wrong hands can turn into chaos for any organization. Hence, information must always be safeguarded with levels of security.
  2. Risk Profiling:
    • Checking the website for each and every type of risk/threat is a very important task and must be carried out for each and every module of the organization's presence in the internet space.
    • Things that must be carried out include:
      • Automated threat scanning
      • Penetration Testing
      • Black Box Testing of the source codes
      • Assigning Risk Ratings to the Security Flaws
      • Reporting to higher Authorities
  3. Updating Technology:
    • In the current world scenario, it has become very important to update the technologies that are actively used, and they must be balanced accordingly.
    • The use of older versions will come with a bunch of vulnerabilities and threats, along with the destruction of certain aspects of the organization.
  4. Application Fingerprinting:
    • In an organization, there are certain things that must be checked for known vulnerabilities and exposures. If there are any, one must always make it a priority to overcome those threats in order to run the organization smoothly.
    • Application fingerprinting consists of different levels of assessment. Here are some of the different scopes:
      • Defining Objectives
      • Devising Strategy to overcome threats
      • Role-Based Access Control Matrix
      • Choosing Appropriate Security Tools

Hence, these are some of the risks and threat vulnerabilities for cloud systems.

Actions For Effective Risk Management Capabilities in Cloud Systems:

The actions that one must take in order to make risk management effective and up to the mark in management capabilities for cloud-based systems are as follows:

  • Preparing:
    • One must always prepare for the risks and also keep the systems checked for vulnerabilities.
    • The best approach is to plan and make changes to the system as soon as updates are launched for a particular system.
    • The planning must work accordingly so that the risks are minimised at the user's end.
  • Verifying & Eliciting:
    • Verifying each and every potential risk in the system and, if found critical, eliciting the risk will ensure that the risks are eliminated properly.
    • The elimination of the risks is also done at a certain level so that there are no further risks remaining in the system to check.
  • Analyzing gaps & Evaluating:
    • Analyzing for risks is the major activity that must be taken on at the development end, because if a risk is analyzed at an earlier stage it is less destructive to the system.
    • Evaluating the level of the risks also becomes important for the users, so as to make the risks less effective on the systems.

Hence, these are the actions that could lead to the development of effective risk management capabilities.

Guidelines For Security Policies:

For the security policies, there are certain things that must always be taken into consideration; we will discuss all of them as we dive in deep. So here we go:

  1. Knowing The Risks:
    • It is the most important part of creating security policies to know what risks there are in the system.
    • How the information is manipulated at the client as well as the server end. Hence, making the process more secure, as data is the part for which security is always compromised.
  2. Knowing The Wrongs Done By Others:
    • Knowing the organizations that have gone through the certain risks which reside in your system. Learning from the mistakes made by others is always the most effective way of setting guidelines.
    • The guidelines for the security policy consist of the most probable wrong things that each and every organization with similar risks is doing.
  3. Keeping Legal requirements in mind:
    • Many times organizations completely forget about the legal requirements that are required by the officials.
    • Hence, keeping in mind the legal jurisdictions, data holdings and the location in which you reside is also most important.
    • Recently, this has been the case with Facebook's most controversial data theft.
  4. Setting the level of security:
    • The level of security that is planned must always be kept in mind in relation to the level of risks that reside in the system.
    • Excessive security in the system can also cause hindrance to smooth business operations; hence, overprotecting oneself can also be a cause of the problem.
  5. Training Employees Accordingly:
    • The training of employees in a certain part of security is also a major part of the security policy, as employees are the ones who make mistakes.
    • So, if one trains their employees in such an order that they minimize the mistakes that are made, it will become great for the system.

Hence, these are the guidelines for creating an effective and functional security policy that every organization dealing with cloud-based systems must develop in order to stay safe and secure.
