Task
back to topEssential Reading:
Baron, H., Heide, S., Mahmud, S., & Yeoh, J. (2019).Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments. Retrieved fromhttps://cloudsecurityalliance.org/artifacts/cloud-security-complexity/
Scenario
The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres.
As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). The result of this move will be that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into one of the DAS centralised databases. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.
Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:
- Purchase a HR and personnel management application from a US based company that provides a SaaS solution.
- The application will provide DAS with a HR suite that will provide a complete HR suite which will also include performance management. The application provider has advised that the company’s main database is located in a Cloud datacentre based in California in the United States, with a replica database located in a cloud datacentre in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
- Employee data will be uploaded from DAS daily at 12:00 AEST. This will be initially transferred to Bangalore in India for processing before being loaded into the main provider database in California.
- Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by each agency’s Active Directory instance and is used for internal authentication and authorisation.
- Move the DAS payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;
You may wish to consider the Cloud Security Alliance 2019 Cloud Security Complexity report as part of your response.
Tasks
You have been engaged to provide a risk assessment for the planned move to s HR SaaS application offering.
You are to write a report that assesses the risk to DAS in the following areas:
- Consider the data and information that DAS holds on its employees in the current HR system.
- Establish the existing threats and risks to the security of that data and information contained in the in house HR database. (25 marks)
- Are there any other risks and threats to the employee data after migration to an SaaS application? (10 marks)
- Assess the resulting severity of risk and threat to employee data. (10 marks)
- Consider the privacy of the data for those employees who will move to an SaaS application.
- Establish the existing threats and risks to the privacy of that data and information contained in the in house HR database. (25 marks)
- Are there any other risks and threats to the privacy of the employee data after migration to an SaaS application? (10 marks)
- Assess the resulting severity of risk and threat to the privacy of employee data. (10 marks)
- What are the threats and risks to the digital identities of Government employees from the move to SaaS applications? (10 marks)
You are to provide a written report with the following headings:
- Security of Employee Data
- Privacy of Employee Data
- Digital Identity Issues
As a rough guide, the report should be approximately about 4,000 words.
Rationale
back to topThis assessment task will assess the following learning outcome/s:
- be able to examine the legal, business and privacy requirements for a cloud deployment model.
- be able to evaluate the risk management requirements for a cloud deployment model.
- be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud.
Marking criteria and standards
back to top
Question |
HD |
DI |
CR |
PS |
FL |
Q1.a. Existing threats to Security of employee data (25 marks) |
Comprehensive exploration of threats and risks to security of data that includes well thought out reasoning
|
|
Thorough exploration of threats and risks to security of data that includes good reasoning
|
|
Detailed exploration of threats and risks to security of data that includes some good reasoning
|
|
Adequate exploration of threats and risks to security of data that includes some reasoning
|
|
Incomplete or irrelevant exploration of threats and risks to security of data that has little or no reasoning
|
|
Q1.b. New threats to security of employee data (10 marks)
|
|
Comprehensive exploration of new threats and risks to security of data that includes well thought out reasoning
|
|
Thorough exploration of new threats and risks to security of data that includes good reasoning
|
|
Detailed exploration of new threats and risks to security of data that includes some good reasoning
|
|
Adequate exploration of new threats and risks to security of data that includes some reasoning
|
|
Incomplete or irrelevant exploration of new threats and risks to security of data that has little or no reasoning
|
|
Q1.c Severity of risk to security employee data (10 marks)
|
|
Comprehensive security risk assessment with excellent severity ratings
|
|
Thorough security risk assessment with very good severity ratings
|
|
Detailed security risk assessment with good severity ratings
|
|
Adequate security risk assessment with reasonable severity ratings
|
|
Incomplete or inadequate security risk assessment with poor or no severity ratings
|
|
Q2.a Existing threats to privacy of employee data (25 marks)
|
|
Comprehensive exploration of threats and risks to privacy of data that includes well thought out reasoning
|
|
Thorough exploration of threats and risks to privacy of data that includes good reasoning
|
|
Detailed exploration of threats and risks to privacy of data that includes some good reasoning
|
|
Adequate exploration of threats and risks to privacy of data that includes some reasoning
|
|
Incomplete or irrelevant exploration of threats and risks to security of data that has little or no reasoning
|
|
Q2.b New threats to privacy of employee data (10 marks)
|
|
Comprehensive exploration of new threats and risks to privacy of data that includes well thought out reasoning
|
|
Thorough exploration of new threats and risks to privacy of data that includes good reasoning
|
|
Detailed exploration of new threats and risks to privacy of data that includes some good reasoning
|
|
Adequate exploration of new threats and risks to privacy of data that includes some reasoning
|
|
Incomplete or irrelevant exploration of new threats and risks to security of data that has little or no reasoning
|
|
Q2.c Severity of risk to privacy employee data (10 marks)
|
|
Comprehensive privacy risk assessment with excellent severity ratings
|
|
Thorough privacy risk assessment with very good severity ratings
|
|
Detailed privacy risk assessment with good severity ratings
|
|
Adequate privacy risk assessment with reasonable severity ratings
|
|
Incomplete or inadequate privacy risk assessment with poor or no severity ratings
|
|
Q3. Digital Identity issues (10 marks)
|
|
Comprehensive exploration of digital identity threats and risks that includes well thought out reasoning
|
|
Thorough exploration of digital identity threats and risks that includes good reasoning
|
|
Detailed exploration of digital identity threats and risks that includes some good reasoning
|
|
Adequate exploration of digital identity threats and risks that includes some reasoning
|
|
Inadequate or incomplete exploration of digital identity threats and risks that includes poor or no reasoning
|
|
Presentation and Referencing |
Up to 5 marks may be deducted for poor presentation and grammer
Up to 5 marks may be deducted for incorrect or inadequate referencing |
Presentation
back to topYou are to provide a written report in Word format with the following headings:
- Security of Employee Data
- Privacy of Employee Data
- Digital Identity Issues
As a rough guide, the report should be approximately about 4,000 words.