Services that the Charity is Implementing on the Cloud
The community-based charity is planning to move to the cloud. The organization will be implementing a SaaS HR and personnel management suite, a COTS payroll solution and PaaS SharePoint services. The MySupport Portal, which has been developed so that the charity's clients can register, needs to undergo a threat and risk assessment, since MyPortal will be considering the storage of personally identifiable information. Personally identifiable information can be defined as information that helps in identifying an individual (Majeed, Ullah & Lee, 2017); it directly defines the identity of an individual. The threat and risk assessment for the data stored in the MySupport portal is necessary because the portal will be storing the digital data of the clients, which is private and confidential.
In general, all information that is termed personally identifiable information is sensitive. In this case PII data includes personally identifiable financial information, social security numbers and so on. There are certain threats and security challenges associated with PII data. The PII data stored in the MySupport portal is put at risk mainly by cyber attacks and data breaches (Barocas & Nissenbaum, 2014). Data breach is a significant threat associated with PII data. Attackers mainly target personally identifiable data because it can facilitate identity theft, fraud and attacks including social engineering attacks and phishing. The need for protecting personally identifiable information is therefore immense, and a threat and risk assessment capable of identifying and mitigating the threats is documented for the MySupport Portal.
The major risks that have been identified for the MySupport portal concern privacy and data protection. Threat and risk assessment can be considered a pillar of security risk management for the protection of PII data. The TRA for the MySupport Portal is represented in the following table.
| Threat | Probability | Severity | Description | Mitigation Approach |
|---|---|---|---|---|
| Stolen credentials (Li, 2013) | High | High | The risk of stolen credentials is considerably high since the charity company is making use of a public cloud platform (Louw & von Solms, 2013). Since the probability and the severity of this risk are high, this risk needs to be mitigated. | Risk reduction is the mitigation approach recommended for this particular scenario. |
| Malware infection by phishing | High | High | The use of a public cloud platform gives rise to the possibility of the MySupport portal facing this risk. Since both the probability and the severity of this risk are high, an appropriate risk mitigation approach is needed. | Risk avoidance is the recommended risk mitigation strategy for this identified risk. |
| Stolen storage devices | Low | High | Since the data will be stored in the cloud, the chances of facing this risk are considerably low. | Risk avoidance. |
| Hacking or gaining physical access to the network | Medium | Medium | Hacking is a significant threat to which the PII data of the MySupport portal is exposed. | Risk reduction. This is the proposed risk mitigation strategy, and the reduction in risk can be achieved by ensuring proper security of the network. |
| Operational risk | Low | Low | Operational risk mainly refers to situations that can be faced by the charity company, and therefore mitigation of it is essential. | Risk transfer is the proposed risk mitigation strategy for this identified threat. The operational risk can be transferred to a third party who is willing to take this risk. The public cloud vendor can act as the third party willing to take the risk. |
The table above represents the threats and risks to which the MySupport Portal of the charity company is exposed. The PII data of the clients that will be stored in the MySupport Portal is exposed to the risks identified in the table. The need for management and mitigation of these risks is immense, mainly because the clients' data is confidential and must be protected.
Risk Associated with Personally Identifiable Information Data
The risks associated with the privacy and data protection of the personally identifiable information stored in the MySupport portal need to be mitigated, as the portal will be storing the details of the clients of the charity company. The TRA document has identified the risks associated with protecting the privacy and confidentiality of the stored data, and it gives an overview of the mitigation approach for each identified risk. The aim of this document is to identify the strategies and approaches that can possibly mitigate the risks associated with the storage of data (Ward, Ibarra & Ruddle, 2013). The risks associated with the privacy and data protection aspects of storing PII data in the portal include the risk of stolen credentials due to a cyber security attack, the risk of malware infection or phishing, the risk of stolen storage devices, the risk of hacking, and operational risk leading to certain issues with the protection and preservation of data confidentiality (Jang-Jaccard & Nepal, 2014). The strategy proposal for the data stored in the MySupport portal is discussed in the following sections.
Cyber security awareness is necessary to avoid the risk of cyber security attacks on the personally identifiable information stored in the MySupport portal. Cyber security of personally identifiable information is needed mainly because this information can be used to locate or identify an individual (Ullah, Khan & Aboalsamh, 2013). This is a significant risk associated with PII and, according to the TRA, both the probability of occurrence and the severity of this risk are high.
A cyber security attack or data breach is a significant threat to the PII data mainly because the data is being stored in a public cloud, which is prone to attacks. Therefore the strategy that has been proposed to mitigate the risk is risk reduction.
The strategy for reducing this risk includes enforcing data protection in the public cloud. Enforcing the needed security involves the use of different data protection paradigms or choosing a trusted vendor (Mills & Goldsmith, 2014). In-house system design is another recommended approach for enforcing security in the public cloud.
Another significant threat associated with the PII data stored in the portal is malware infection. Malware can be implanted in the stored data through phishing. The data of the registered clients is stored in the public cloud to make it easily accessible; however, the stored data is exposed to the threat of malware infection. Therefore proper risk management is necessary (Khonji, Iraqi & Jones, 2013). Because malware infection is spread through phishing, it is necessary to identify an approach that will help mitigate the risks associated with malware infection and phishing.
Strategy for Mitigating Risks Associated with Personally Identifiable Information
The severity of the malware threat is high mainly because the data is being stored in a public cloud environment, which increases the chances of a data breach. Phishing is considered one of the significant causes of malware attacks, as it is the easiest way to introduce malware into a system. It is a type of social engineering attack that can possibly steal users' data, the clients' login credentials and their credit card numbers, thus risking their privacy (Kumar, Srikanth & Tejeswini, 2016). A malware attack can therefore put the data protection aspects of the portal at risk, so this risk needs to be mitigated with high priority. In the TRA, a risk mitigation strategy for the malware risk is proposed: this risk needs to be avoided, and the strategy for risk avoidance includes not responding to spam mails. Furthermore, the clients should be kept aware of the different phishing techniques. The portal should be installed with an anti-phishing toolbar that can possibly help in avoiding this risk. The use of firewalls is also recommended as a strategy for mitigating the risks associated with malware and phishing.
Another risk associated with the portal that has been identified in the TRA is the risk of stolen devices. The data of the clients is being stored in the public cloud, and there are known security risks associated with the use of public cloud. According to the TRA, the probability of occurrence of this risk is quite low. However, if this risk occurs, it might be a significant issue since the severity of the risk is quite high. Therefore, it is necessary to mitigate this risk as well. As a risk mitigation strategy, it is recommended that this particular risk be avoided. This can be done by allowing only registered individuals access to the data that is stored in the public cloud linked to the portal. This might help in considerably reducing this risk.
The TRA has identified the risk of hacking into the network. This risk needs to be analysed and addressed as well. The probability of occurrence and the severity of the risk are medium, and therefore this risk may not be addressed with high priority. The mitigation strategy that has been identified by the TRA is risk reduction. This risk can be reduced by making use of firewalls in network protection to eliminate illegal access into the system.
Another risk that can possibly affect the privacy and the security of the data stored in the portal is operational risk (Hopkin, 2018). Any disruption in the normal operation of the portal will mainly be because of issues arising from risks to privacy and security. However, the TRA has identified that the probability of occurrence and the severity of this risk are quite low. The risk mitigation strategy for this particular risk is risk transfer (Cruz, Peters & Shevchenko, 2014). The cloud vendor should take charge of mitigating this risk and ensure smooth operation of the MySupport portal.
References
Barocas, S., & Nissenbaum, H. (2014). Big data’s end run around procedural privacy protections. Communications of the ACM, 57(11), 31-33.
Li, J. (2013). Privacy policies for health social networking sites. Journal of the American Medical Informatics Association, 20(4), 704-707.
Louw, C., & von Solms, S. (2013, October). Personally identifiable information leakage through online social networks. In Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference (pp. 68-71). ACM.
Majeed, A., Ullah, F., & Lee, S. (2017). Vulnerability-and diversity-aware anonymization of personally identifiable information for improving user privacy and utility of publishing data. Sensors, 17(5), 1059.
Cruz, M. G., Peters, G. W., & Shevchenko, P. V. (2014). Fundamental aspects of operational risk and insurance analytics: A handbook of operational risk. John Wiley & Sons.
Hopkin, P. (2018). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.
Khonji, M., Iraqi, Y., & Jones, A. (2013). Phishing detection: a literature survey. IEEE Communications Surveys & Tutorials, 15(4), 2091-2121.
Kumar, J. D., Srikanth, V., & Tejeswini, L. (2016). Email phishing attack mitigation using server side email addon. Indian Journal of Science and Technology, 9(19).
Mills, S., & Goldsmith, R. (2014). Cybersecurity challenges for program managers. DEFENSE ACQUISITION UNIV FT BELVOIR VA.
Ullah, I., Khan, N., & Aboalsamh, H. A. (2013, April). Survey on botnet: Its architecture, detection, prevention and mitigation. In Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on (pp. 660-665). IEEE.
Ward, D., Ibarra, I., & Ruddle, A. (2013). Threat analysis and risk assessment in automotive cyber security. SAE International Journal of Passenger Cars-Electronic and Electrical Systems, 6(2013-01-1415), 507-513.
The protection of data associated with the MySupport Portal extends to the protection of the informal digital identity that a client or user creates in the portal. Because a public cloud will be used for data storage, the risk becomes prominent. A strategy therefore needs to be identified to ensure that the data stored or generated in the portal is secured. The strategy for protecting the privacy and the confidentiality of the data is discussed in the following section.
In order to ensure data protection, it is essential to enforce encryption as the primary data protection need. Encryption will help protect the data even if it gets stolen. Encryption ensures that the data can only be accessed by registered or authorised users (Noor & Hassan, 2013). Thus it is recommended as the primary strategy for data protection. This will maintain the confidentiality of the data stored in the system.
Along with the enforcement of encryption, the charity company should ensure that access to the portal is given only to rightful and trusted individuals (Munir & Palaniappan, 2013). Registration with a valid ID proof is a must to get access to the portal, and this will ensure that no trespassers are given access to the portal. This will maintain data privacy.
Information security protection is another aspect of protecting a digital identity that is at risk of hacking. The approach recommended for ensuring information security is that users should make use of an alphanumeric password that is difficult to guess (Ghosh, Gajar & Rai, 2013). This can reduce the risk of hacking and data theft, thereby eliminating the information security risks.
Public key cryptography is recommended as an approach for protecting the digital data of the user. The use of cryptographic keys can possibly help in protecting the informal digital identity that a user might create, by limiting access to the data to trusted individuals only (Choo, 2014).
These are certain basic strategies of data protection that the charity company can possibly make use of to protect the informal digital identity that its users or clients might create on the portal.
References
Choo, K. K. R. (2014). A cloud security risk-management strategy. IEEE Cloud Computing, 1(2), 52-56.
Ghosh, A., Gajar, P. K., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4), 62-70.
Munir, K., & Palaniappan, S. (2013). Secure cloud architecture. Advanced Computing, 4(1), 9.
Noor, M. M., & Hassan, W. H. (2013). Wireless networks: developments, threats and countermeasures. International Journal of Digital Information and Wireless Communications (IJDIWC), 3(1), 125-140.
The risk mitigation approach for protection of the PII data and the digital identities of the users of MyLicence Portal is recommended in the strategy proposal. However, it is necessary to ensure that the said risks do not come back, and for that a data governance plan needs to be proposed. The data governance steps for protection of PII data and digital identity are as follows:
- Acceptable use policies need to be created so that the privacy risks to the stored data can be reduced (Bhansali, 2013). This would include a clear definition of the confidentiality of the data and how to protect it.
- An IT team should be present to manage and control the data that is being stored or generated in the portal. The team will help the users to understand the acceptable use policies defined by the organization, which include the handling and storing of the PII data.
Apart from these two strategies, the company should prioritize the PII data in terms of privacy protection to eliminate the chances of data theft (Kamioka, Luo & Tapanainen, 2016).
The governance plan for personal and PII data for the DAS users of the HR personnel management suite needs to be identified as well. The governance plan for protection of the data of the DAS users is as follows:
- Installation of the latest updates and security patches is a recommended strategy for ensuring data governance (Tallon, 2013).
- Any anonymous proxy should be entirely blocked from accessing the network.
The strategies discussed above are proposed in order to ensure that the data stored in the HR Personnel Management Suite is properly governed.
The COTS payroll suite will be storing the PII and the financial data of the clients. As an approach to ensuring security, the use of encryption and cryptographic keys is proposed. However, appropriate data governance needs to be enforced. The strategy for governance of this data is as follows:
- In order to prevent the accidental transmission of confidential data, the applications linked with the payroll suite should be actively monitored by the IT management team.
- The users of the payroll suite should be educated about its secure use as a part of the data governance plan (Zuiderwijk & Janssen, 2014).
- The correct working of the layered data protection approach (which includes encryption, threat protection and policy compliance) should be monitored.
- The antivirus and firewall protection should be regularly updated to prevent any sort of data breach.
References
Bhansali, N. (Ed.). (2013). Data Governance: Creating Value from Information Assets. CRC Press.
Kamioka, T., Luo, X., & Tapanainen, T. (2016, June). An Empirical Investigation of Data Governance: the Role of Accountabilities. In PACIS (p. 29).
Tallon, P. P. (2013). Corporate governance of big data: Perspectives on value, risk, and cost. Computer, 46(6), 32-38.
Zuiderwijk, A., & Janssen, M. (2014). Open data policies, their implementation and impact: A framework for comparison. Government Information Quarterly, 31(1), 17-29.