
Question

This week you will prepare a cloud security policy. The first CIO of the US mandated that cloud services be implemented in organizations whenever possible. Review the scenario below and prepare a cloud security policy for the organization. Complete the following section readings from “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory (sections 1.1, 1.3, 1.6, 1.8, and 1.9) prior to starting your work on the policy:

PROCESS-ORIENTED SECURITY REQUIREMENTS
1.1 NIST SP 800-53 SECURITY CONTROLS FOR CLOUD-BASED INFORMATION SYSTEMS: page 10
1.3 CLOUD CERTIFICATION AND ACCREDITATION: page 17
1.6 CLARITY ON CLOUD ACTORS SECURITY ROLES AND RESPONSIBILITIES: page 27
1.8 BUSINESS CONTINUITY AND DISASTER RECOVERY: page 31
1.9 TECHNICAL CONTINUOUS MONITORING CAPABILITIES: page 34

Background: A small non-profit organization (SNPO-MC) has received a grant which will pay 90% of its cloud computing costs for a five-year period. But, before it can take advantage of the monies provided by this grant, it must present an acceptable cloud computing security policy to the grant overseers.

Tasking: You are a cybersecurity professional who is “on loan” from your employer, a management consulting firm, to a small non-profit organization (SNPO-MC). You have been tasked with researching requirements for a Cloud Computing Security Policy and then developing a draft policy for the non-profit organization, SNPO-MC. The purpose of this policy is to provide guidance to managers, executives, and cloud computing service providers.

This new policy will supersede (replace) the existing Enterprise IT Security Policy, which focuses exclusively upon enterprise security requirements for organization-owned equipment (including database servers, Web and email servers, file servers, remote access servers, desktop computers, workstations, and laptop computers) and licensed software applications. The enterprise IT security policy also addresses incident response and disaster recovery. As part of your policy development task you must take into consideration the issues list which was developed during brainstorming sessions by executives and managers in each of the three operating locations for the non-profit organization.

Your deliverable for this project is a 5 to 8 page, single-spaced, professionally formatted draft policy. See the following resources for suggested formats:
https://it.tufts.edu/cloud-pol
https://www.american.edu/policies/upload/IT-Security-Policy-2013.pdf

Organization Profile: The organization is headquartered in Boston, MA and has two additional operating locations (offices) in New Orleans, LA and San Francisco, CA. Approximately 50 employees work in a formal office setting at one of these locations. These employees use organization-owned IT equipment. The remaining 1,000 staff members are volunteers who work from their home offices using personally owned equipment. The organization provides a variety of management consulting services for its clients (charities and non-governmental organizations) on a fee-for-service basis. Fees are set on a sliding scale based upon the client’s ability to pay. The organization receives additional funding to support its administrative costs, including IT and IT security, through grants and donations from several Fortune 500 companies. The non-profit organization is in the process of hiring its first Chief Information Officer. The organization has a small (3-person) professional IT staff that includes one information security specialist. These staff members are located in the Boston headquarters office.

Definitions: Employees of the organization are referred to as employees. Executives and other staff who are “on loan” from Fortune 500 companies are referred to as loaned staff members. Loaned staff members usually telework for the organization one to two days per week for a period of one year. Volunteers who perform work for the organization are referred to as volunteer staff members. Volunteer staff members usually telework from their homes one to two days per week.

Cloud Computing includes but is not restricted to:
• Platform as a Service
• Infrastructure as a Service
• Software as a Service

Issues List:
• Who speaks with authority for the firm?
• Who monitors and manages compliance with laws and regulations?
• Ownership of content
• Privacy and confidentiality
• Enforcement
• Penalties for violations of policy
• Use by sales and marketing
• Use by customer service / outreach
• Use by public relations and corporate communications (e.g. information for shareholders, customers, general public)
• Use for advertising and e-commerce
• Use by teleworkers
• Review requirements (when, by whom)
• Use of content and services monitoring tools
• Content generation and management (documents, email, cloud storage)
• Additional issues listed in http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf

Resources (suggested by the organization’s IT Staff for your consideration):
1. http://www.nsa.gov/ia/_files/support/Cloud_Computing_Guidance.pdf
2. http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf
3. http://www.sans.org/reading-room/whitepapers/analyst/cloud-security-compliance-primer-34910
4. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

The documents below are useful resources in planning your cloud security policy:

Cloud Security: A Comprehensive Guide to Secure Cloud Computing by Ronald L. Krutz and Russell Dean Vines, John Wiley & Sons © 2010 (384 pages), ISBN: 9780470589878, Chapter 3: Cloud Computing Software Security Fundamentals, http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=34770

NIST Guide to Information Technology Security Services at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=906567

25 point implementation plan to reform information technology, http://www.dhs.gov/sites/default/files/publications/digital-strategy/25-point-implementation-plan-to-reform-federal-it.pdf

Understanding Cloud Computing (NIST SP 500-291) and (NIST SP 500-292), http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909024 (500-291 - Standards: Chapter 3 and Chapter 5.5)

White Paper: “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912695

Explanation / Answer

PROCESS-ORIENTED SECURITY REQUIREMENTS
SECURITY CONTROLS FOR CLOUD-BASED INFORMATION SYSTEMS
CLOUD CERTIFICATION AND ACCREDITATION
CLARITY ON CLOUD ACTORS SECURITY ROLES AND RESPONSIBILITIES
BUSINESS CONTINUITY AND DISASTER RECOVERY
TECHNICAL CONTINUOUS MONITORING CAPABILITIES

Cloud computing offers a number of advantages, including low costs, high performance and quick delivery of services. Without adequate controls, however, it also exposes individuals and organizations to threats such as data loss or theft and unauthorized access to corporate networks.
It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without the IT Manager/CIO’s input.


    • Use of Cloud Computing services must comply with all current laws, IT security, and risk management policies.

    • Use of Cloud Computing services must comply with all privacy laws and regulations, and appropriate language must be included in the contract vehicle defining the Cloud Computing source’s responsibilities for maintaining privacy requirements.
Many issues should be considered carefully before adopting a Cloud Computing solution. The list below features some of the more important issues to consider, and to address in contract language when appropriate:

    • Determine why the agency needs to use a Cloud Computing approach. What are the drivers? Several possible drivers are listed below.

        • More efficiency or effectiveness for the IT investment.

        • Need for a specific Cloud Computing characteristic (elasticity, scalability, usage-based model).

        • Need for rapid implementation (e.g., use of an existing infrastructure, leveraging of existing Government-wide FedRAMP authorization).

    • Be realistic in cost estimates. Consider the total lifecycle costs, not just the cost of implementation.

    • Acquisition strategy.

    • IT security

        • Match IT security requirements (including FIPS 199 impact level) and the security capabilities of the Cloud Computing implementation to those of the mission/business needs being supported.

        • Weigh the security threats and opportunities that are present for public, private, and community Clouds.

        • Consider how issues of logging, incident reporting, response, forensics, and other security-related functions should be addressed with respect to the Cloud Computing service provider.

        • Consider how disaster recovery and continuity of operations planning will be addressed.

    • Privacy impact

        • If Personally Identifiable Information (PII) or other sensitive information is involved, document how it will be protected and who is allowed access to it.

        • If the Cloud Computing source is keeping user usage statistics, consider the privacy implications involved and define appropriate safeguards to assure user privacy is maintained. This would include session logs and security access logs, among others.

        • Define how all relevant provisions of the Privacy Act will be enforced, and identify responsible parties.

    • Records Management

        • Identify all systems of records to be hosted in the cloud.

        • Identify the schedules for all records and include the information on retention as part of the agreement with the vendor.

        • Specify the retention time for all system backups.

        • Consider how records management and electronic discovery will be managed in the cloud environment.

    • Consider implications of using a service model that is different from the traditional use of Government-owned and -operated infrastructure.

    • Identify which issues should be explicitly documented in service level agreements.

    • Consider issues of interoperability with existing systems.

    • Consider issues of data ownership and portability. How would you migrate from a given Cloud Computing infrastructure to another one at some point in the future?

    • Examine the need for additional training for Departmental staff.

    • Focus on the requirement driving the need, not the technology used to implement it.

    • Determine how mature the industry offerings are for the implementation under consideration.
