Project 2: Cloud Risk and Compliance Issues Analysis
Step 1: Research Risks Associated With Cloud Adoption
The first step in
assessing risk in cloud computing
will be to identify and describe
risk concepts
and
cloud computing risk factors
associated with cloud adoption. As a software as a service (SaaS) company considering an infrastructure as a service (IaaS) cloud service provider for your hosting needs, consider
third party outsourcing issues
and the generally accepted best practices for cloud adoption and review relevant
cloud risk case studies
. You should also consider
best practices for cloud adoption
.
As part of the
risk management process
, identify and describe other
types of risk
, such as risks associated with having a
service-level agreement (SLA)
. An example of a potential risk could be if your company is obligated to protect personal information, and then the cloud provider that you use suffers a security breach exposing that personal information.
Here, identify and describe other types of risks or potential liability issues that apply to BallotOnline and discuss them with your colleagues in the Discussion: Risk forum.
You will incorporate your research into your final report.
Project 2: Cloud Risk and Compliance Issues Analysis
Step 2: Identify the Most Appropriate Guidelines for Managing Risks
In order to identify guidelines applicable to your company’s industry, you must have an understanding of the different types of risk management guidelines that exist and are frequently applicable in cloud environments.
There are several cybersecurity standards applicable to cloud computing environments such as the
NIST Cybersecurity Framework,
ISO standards, and US federal government standards (DoD/FIPS), as well as several major sets of
risk guidelines for dealing with the risks involved. Also, there are organizations such as the
Cloud Security Alliance (CSA) that recommend best practices for managing risks.
Review the different guidelines and determine which are most appropriate for BallotOnline. For example, NIST has responsibility for developing a number of
elections industry guidelines within the United States.
Identify why those guidelines are most appropriate and compile these items into a brief (one page or less) recommendation and justification of your choice. Your recommendation will also be incorporated into your final report in the final step.
Submit your recommendation for review using the steps described below.
########################################################################################
Project 2: Cloud Risk and Compliance Issues Analysis
Step 3: Identify Potential Privacy Issues and Mitigation Measures
Now that you have identified the guidelines most applicable to your organization, it is time to discuss privacy protections that may apply.
BallotOnline is now a global organization and may need to contend with several sets of
privacy laws since these laws vary from country to country.
Sophia has recommended that you focus on European Union (EU) privacy requirements for now, including the
General Data Protection Regulation (GDPR), since those are considered to be the most challenging for compliance. Many companies opt to host data for their European customers entirely within facilities in the European Union, and the companies implement restrictions to prevent data for EU citizens from crossing borders into non-EU zones. This is the approach that you have been asked to take and where you should focus your efforts. Note that some cloud providers, such as Amazon, have received special approval from EU authorities to permit data transfer outside of the EU.
Research EU privacy requirements, identify the requirements that apply to your project and why they apply, and compile your recommendations for complying with these requirements. These will be incorporated into your final report.
Before moving on to the next step, discuss the material with your colleagues in the Discussion: Privacy Issues.