Project 2 - Cloud Risk and Compliance Issues Analysis

Project 2: Cloud Risk and Compliance Issues Analysis

 Step 1: Research Risks Associated With Cloud Adoption

The first step in  assessing risk in cloud computing  will be to identify and describe  risk concepts  and  cloud computing risk factors  associated with cloud adoption. As a software as a service (SaaS) company considering an infrastructure as a service (IaaS) cloud service provider for your hosting needs, consider  third party outsourcing issues  and the generally accepted best practices for cloud adoption and review relevant  cloud risk case studies . You should also consider  best practices for cloud adoption .

As part of the  risk management process , identify and describe other  types of risk , such as risks associated with having a  service-level agreement (SLA) . An example of a potential risk could be if your company is obligated to protect personal information, and then the cloud provider that you use suffers a security breach exposing that personal information.

Here, identify and describe other types of risks or potential liability issues that apply to BallotOnline and discuss them with your colleagues in the Discussion: Risk forum.

You will incorporate your research into your final report.

Step 2: Identify the Most Appropriate Guidelines for Managing Risks

In order to identify guidelines applicable to your company's industry, you must have an understanding of the different types of risk management guidelines that exist and are frequently applicable in cloud environments.

There are several cybersecurity standards applicable to cloud computing environments such as the  NIST Cybersecurity Framework,   ISO standards, and US federal government standards (DoD/FIPS), as well as several major sets of  risk guidelines for dealing with the risks involved. Also, there are organizations such as the  Cloud Security Alliance (CSA) that recommend best practices for managing risks.

Review the different guidelines and determine which are most appropriate for BallotOnline. For example, NIST has responsibility for developing a number of  elections industry guidelines within the United States.

Identify why those guidelines are most appropriate and compile these items into a brief (one page or less) recommendation and justification of your choice. Your recommendation will also be incorporated into your final report in the final step.

Submit your recommendation for review using the steps described below.

Step 3: Identify Potential Privacy Issues and Mitigation Measures

Now that you have identified the guidelines most applicable to your organization, it is time to discuss privacy protections that may apply.

BallotOnline is now a global organization and may need to contend with several sets of  privacy laws since these laws vary from country to country.

Sophia has recommended that you focus on European Union (EU) privacy requirements for now, including the  General Data Protection Regulation (GDPR), since those are considered to be the most challenging for compliance. Many companies opt to host data for their European customers entirely within facilities in the European Union, and the companies implement restrictions to prevent data for EU citizens from crossing borders into non-EU zones. This is the approach that you have been asked to take and where you should focus your efforts. Note that some cloud providers, such as Amazon, have received special approval from EU authorities to permit data transfer outside of the EU.

Research EU privacy requirements, identify the requirements that apply to your project and why they apply, and compile your recommendations for complying with these requirements. These will be incorporated into your final report.

Before moving on to the next step, discuss the material with your colleagues in the Discussion: Privacy Issues.