Reference no: EM132847352

ITC568 Cloud Privacy and Security - Charles Sturt University

Learning outcome 1: be able to examine the legal, business and privacy requirements for a cloud deployment model.
Learning outcome 2: be able to evaluate the risk management requirements for a cloud deployment model.
Learning outcome 3: be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud.

Assessment item 3 - Privacy and Data Protection Assessment

Scenario

The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department's own data centres.

As a result of a change in Government policy, DAS is moving to a "Shared Services" approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). The result of this move will be that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into one of the DAS centralised databases. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.

Another Government policy mandates a "Cloud first" approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:

• Purchase a HR and personnel management application from a US based company that provides a SaaS solution.

The application will provide DAS with a HR suite that will provide a complete HR suite which will also include performance management. The application provider has advised that the company's main database is located in a Cloud datacentre based in California in the United States, with a replica database located in a cloud datacentre in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider's processing centre in Bangalore, India.

Employee data will be uploaded from DAS daily at 12:00 AEST. This will be initially transferred to Bangalore in India for processing before being loaded into the main provider database in California.

Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by each agency's Active Directory instance and is used for internal authentication and authorisation.

Tasks
After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to consider some additional questions that DAS management has raised.

Prepare a presentation for DAS Management using the TRA you recently completed on the security and privacy of employee data. Your presentation is to show:

1. Discuss whether the operational solution using a SaaS application, and the location(s) of the SaaS provider for HR management, may affect the security posture of DAS.

2. Discuss whether the operational solution, the operational location(s), or both, act to increase or mitigate the threats and risks identified for the security and privacy of employee data?

3. Discuss the security and privacy implications for DAS of the data processing location?

4. Discuss any issues of data sensitivity that you think should be considered with either the chosen solution or the storage/processing locations?

5. Discuss any issues of data sovereignty that you think should be considered?

Attachment:- Cloud Privacy and Security.rar