Assignment
201760 ITC568 Additional Assignment Scenario
You are the Senior Systems Administrator for a community-based Charity. The Charity is involved in
locating and providing accommodation, mental health services, training and support services to
disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50 x86 64-bit servers running mainly
Windows Server 2008 R2 for desktop services, database and file services. It also has about 10 Red Hat
Enterprise Linux 5 servers for public-facing Web pages, services and support.
The Charity is considering joining a community cloud provided by a public cloud vendor in order to
provide a number of applications to all 500 support staff and administrative users. A small number of
the Charity’s applications are mission critical and the data that those applications use is both
confidential and time sensitive.
The community cloud would also be used to store the Charity’s 200TB of data. The data would be held
in a SaaS database run by the public cloud vendor. The Charity’s data contains a considerable amount
of confidential information about the people to whom the Charity provides services.
The Charity collects PII data on the clients who use its services so that it can assist them to manage
their different service requirements. This PII data also includes holding some digital identity data for
some of the more disadvantaged clients, particularly if they also have mental health issues.
The cloud vendor has made a presentation to management that indicates that operational costs will
drop dramatically if the cloud model is adopted. However, the Board of the Charity is concerned with
the privacy and security of the data that it holds on the people that it provides services to in the
community. It is concerned that a data breach may cause considerable damage to substantially
disadvantaged people in the community.
The Board asks that you prepare a report that proposes appropriate privacy and security policies for
the Charity’s data.
The task:
Your team is to write a report that proposes appropriate policies for the Charity in the following
areas:
1. Conduct a risk assessment for the Charity’s data. Consider the data and information that
the Charity holds on its clients in its current system.
a. Establish the existing threats and risks to the security of that data and information
contained in the in-house database.
b. Are there any other risks and threats to the client data after migration to an SaaS
application?
c. Assess the resulting severity of risk and threat to client data.
2. What are the threats and risks to the digital identities of the Charity’s clients from the move
to a SaaS database? (10 marks)
3. Develop a Privacy strategy proposal for the Charity. The strategy should include the
following items:
a. Management of personal information,
b. Collection and management of solicited personal information,
c. Use and disclosure of personal information,
d. Use and security of digital identities,
e. Security of personal information,
f. Access to personal information,
g. Quality and correction of personal information.
4. Develop a personal data protection strategy proposal for the Charity. This strategy should
include:
a. Protection of personal information,
b. Authorised access & disclosure of personal information,
c. De-identification of personal data,
d. Use of personal digital identities,
e. Security of personal data,
f. Archiving of personal data.
You are to provide a written report with the following headings:
Data Risk assessment
Privacy strategy for personal data
Personal data protection strategy
As a rough guide, the report should not be longer than about 8,000 words. The report is to be
returned to your lecturer by 18 December 2017.
Submission method: CSUMELRequest@studygroup.com
Subject line should be Additional Assignment ITC568 201760 followed by student ID and Student name
Rationale
This assignment aligns with the following learning outcomes of this subject:
be able to examine the legal, business and privacy requirements for a cloud deployment model;
be able to evaluate the risk management requirements for a cloud deployment model;
be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud;
be able to develop and present a series of proposed security controls to manage the security and privacy of data deployed to the cloud;
Marking Rubric
Question HD DI CR PS FL
Q1a. Existing threats to Security of client data
Comprehensive exploration of threats and risks to security of data that includes well thought out reasoning
Thorough exploration of threats and risks to security of data that includes good reasoning
Detailed exploration of threats and risks to security of data that includes some good reasoning
Adequate exploration of threats and risks to security of data that includes some reasoning
Incomplete or irrelevant exploration of threats and risks to security of data that has little or no reasoning
Q1b. New threats to security of client data
Comprehensive exploration of new threats and risks to security of data that includes well thought out reasoning
Thorough exploration of new threats and risks to security of data that includes good reasoning
Detailed exploration of new threats and risks to security of data that includes some good reasoning
Adequate exploration of new threats and risks to security of data that includes some reasoning
Incomplete or irrelevant exploration of new threats and risks to security of data that has little or no reasoning
Q1c. Severity of risk to security of client data
Comprehensive security risk assessment with excellent severity ratings
Thorough security risk assessment with very good severity ratings
Detailed security risk assessment with good severity ratings
Adequate security risk assessment with reasonable severity ratings
Incomplete or inadequate security risk assessment with poor or no severity ratings
Q2. Existing threats to digital identities from use of SaaS database
Comprehensive exploration of threats and risks to digital identities that includes well thought out reasoning
Thorough exploration of threats and risks to digital identities that includes good reasoning
Detailed exploration of threats and risks to digital identities that includes some good reasoning
Adequate exploration of threats and risks to digital identities that includes some reasoning
Incomplete or irrelevant exploration of threats and risks to digital identities that has little or no reasoning
Q3. Privacy strategy for personal data (20 marks)
Comprehensive development of policy covering all aspects, with excellent discussion of threats and risks to privacy of data
Thorough development of policy covering most aspects, with proficient discussion of threats and risks to privacy of data
Detailed development of policy covering most aspects, with good discussion of threats and risks to privacy of data
Adequate development of policy covering some aspects, with some discussion of threats and risks to privacy of data
Incomplete or inadequate development of policy covering few aspects, with little or no discussion of threats and risks to privacy of data
Q4. Personal data protection strategy (20 marks)
Comprehensive development of policy covering all aspects, with excellent analysis of protection of data
Thorough development of policy covering most aspects, with proficient analysis of protection of data
Detailed development of policy covering most aspects, with competent analysis of protection of data
Adequate development of policy covering some aspects, with some analysis of protection of data
Incomplete or inadequate development of policy covering few aspects, with little or no analysis of protection of data
Presentation: Up to 5 marks may be deducted for poor presentation, spelling and grammar.