
Running Head: POTENTIAL RISKS AND COMPLIANCE ISSUES 1


Potential Risks and Compliance Issues

Name

Institution

Course

Tutor

Date

Executive Summary

BallotOnline is making the right decision, since the benefits of moving data to cloud computing outweigh the potential risks. Risks associated with moving data to the cloud are classified into internal and external risks. BallotOnline will abide by the General Data Protection Regulation (GDPR). BallotOnline will likely face system security issues: phishing, data breaches, Distributed Denial of Service, APT, insider threats, and ransomware. The CSP is required to offer the following: Data Access Security, Data Security, Network Security, Application and Infrastructure Security, and Physical Security. A compliance program will enable BallotOnline to avoid time wastage, violations of rules, fraud, discrimination against voters, and other criminal practices that may expose the company to risks. Cyberspace law is law that offers legal protection to internet users. It applies to all forms of Internet-related technologies. Internet technology is growing; thus, developing cyberspace law that keeps pace with technological advancements and related Internet crime is necessary.

Introduction

Cloud computing is a resource management model that provides convenient, on-demand access to a pool of shared computing resources. Cloud computing is growing at a high rate while at the same time becoming more ubiquitous. Its ubiquity brings more opportunities while at the same time introducing new risks. Despite the economic and functional advantages of cloud computing, its increased external interactions have expanded the complexity of cloud architecture and reshaped infrastructure. Based on the ENISA report on cloud security, benefits associated with cloud computing, such as economies of scale and security, can be termed both friend and foe. Cloud users such as BallotOnline keep their most sensitive assets in the cloud, and hence become exposed to these risks. Risk is the effect of uncertainty on objectives. Risk assessment in BallotOnline means identifying, evaluating, and prioritizing risks (Akinrolabu et al., 2019). The main focus of this paper is to

Risk Analysis

BallotOnline's decision to move data to the cloud carries risks. Many of these risks are the same whether data is moved to the cloud or kept in an on-premise data center. BallotOnline is making the right decision, since the benefits of moving data to cloud computing outweigh the potential risks. For BallotOnline to mitigate the risks associated with moving data to the cloud, it has to work with its Cloud Service Provider (CSP) and adhere to the regulations of the local country.

Risks associated with moving data to the cloud are classified into internal and external risks. Internal threats use existing privileges, or the support of third parties, to carry out attacks against the confidentiality, integrity, and availability of data within the cloud service. Internal risks

Risk | Threat | Result | Risk Detail | Probability | Impact | Risk Score | Response Action Type | Response Actions
---- | ------ | ------ | ----------- | ----------- | ------ | ---------- | -------------------- | ----------------
Power outage | Can happen as a result of faulty electrical sockets, cables or natural calamity | Outage | Unable to access voter database | Unlikely | Serious impact | High score | Mitigate | Disaster recovery response plan
Complex custom software | Staff training | Slow or no navigation to the cloud by admin | Inadequate knowledge by admins on how to move to the cloud | Likely | Major | Cannot be tolerated and the risk is extremely high | Mitigate | Adequate training for all employees
Password leakage | Hacker | Intruder gaining access to and control of BallotOnline systems | Hacker can steal voter data or BallotOnline's software | Unlikely | Major | Cannot be tolerated and the risk is extremely high | Avoid | Passwords are not allowed
Data breach | Hacker or unauthorised person | Stolen data being released to the public | Data breach has to be reported to both the public and under the GDPR | Likely | Major | Cannot be tolerated and the risk is extremely high | Mitigate | Data encryption
Programming error | Adequate training | Software root may stop working | Failure of voting software to work | Likely | Major | Extremely high | Mitigate | Training and preparedness can mitigate the issue
Internet outage at cloud provider | Accident or environmental cause | Outage | Admin will not be able to access the systems and voters will not be able to vote | Unlikely | Minor | Low | Transfer | Disaster recovery
Fire | Accidental or environmental | Faulty equipment or outage | Systems are unable to stop the fire | Unlikely | Major | Cannot be tolerated and the risk is extremely high | Mitigate | Disaster recovery
Data loss | Failure of technology | Loss of voter data | No data backup | Unlikely | Moderate | Low | Avoid | Ensure that all files are securely backed up in three different locations
Denial of service | Hacker | Outage | Admin will not be in a position to access the system, and as a result voters will not vote | Unlikely | Moderate | Medium | Transfer | Failover

Table 1: Risk matrix based on the significant threats to BallotOnline

BallotOnline is responsible for protecting voters' data from internal and external risks. To ensure that voter data is correct, it has to remain unaltered and encrypted. If, under any circumstance, voters' data were compromised or lost, BallotOnline would have to pay huge fines, and voters would lose confidence in its systems.

Risk Management Guidelines

Cyber security protects internet-connected systems, including software, hardware, and information, from cyber adversaries. BallotOnline needs a cyber-security guideline to protect its information technology and computer systems from attacks. BallotOnline is likely to suffer cyber-attacks such as phishing, denial-of-service, viruses, Trojan horses, worms, control system attacks, and illegal access, among others (Srinivas et al., 2019).

Information security standards list the steps that BallotOnline must perform. BallotOnline, as a well-managed IT organization, has to comply with the requirements outlined by these standard frameworks. BallotOnline is expected to choose at least two cyber security standards as baselines for reducing risks to voters. BallotOnline will abide by the General Data Protection Regulation (GDPR). BallotOnline will also adopt the guidelines provided by the National Institute of Standards and Technology (NIST) cyber security framework.

The National Institute of Standards and Technology is one of the leading contributors to cyber security industry guidelines in the United States. It has set rules to protect the use of computers for voting. It offers an adaptive, risk-based framework guiding each step of the election cycle: pre-election, election day, and post-election processes. NIST publishes this as the Cybersecurity Framework Election Infrastructure Profile, NISTIR 8310. The NISTIR can be used in several ways: as a baseline, for self-assessment against current risk management practices, and to highlight and communicate high-priority security expectations (Brady et al., 2021).

The General Data Protection Regulation includes security measures restricting unauthorized access to stored data and control measures such as multifactor authentication, role-based access, and least privilege (Kirvan, n.d.). GDPR is among the strictest online privacy and security laws in the world. Adoption of the GDPR by BallotOnline implies that it will have to abide by the rules of the European Union. The GDPR follows six principles: data minimization, accuracy, transparency, purpose limitation, integrity and confidentiality, and storage limitation.

Potential Privacy Issues and Mitigation Measures

Stolen data is one of the most reported cyber security risks. Stolen data is likely to damage the reputation of BallotOnline and its CSP, leading to heavy fines and prosecution. If hackers gain access to Personally Identifiable Information (PII) in any way, they would be able to modify votes. BallotOnline operates in the European Union; hence it is mandatory to comply with the GDPR. It also has to abide strictly by NIST guidance. BallotOnline will abide by the GDPR through the following:

1. Understanding GDPR

2. Identifying and documenting all voter data stored by BallotOnline

3. Reviewing current data governance measures

4. Going through consent procedures

5. Establishing a robust procedure used to report the data breach

6. Assigning data protection leads

BallotOnline will also apply these requirements across the following election activities:

1. Conducting and overseeing voting processes

2. Preparation and maintenance of the election system

3. Maintenance of voter registration

4. Preparing for a given election

5. To administer and supervise an ongoing election

6. Carrying out a system audit

7. Manage strategic election communication

8. Overseeing office administration

9. Maintaining its workforce

Relevant Security Issues

All networks are vulnerable to external attackers and to malicious insiders who already hold privileges on organizational systems. Where an organization holds critical data targeted by Cyber Threat Actors (CTAs), the CTA will try every means to obtain that information. Cyber threat actors have been targeting banks, retail companies, and any other avenue where they think they can make money. Hackers targeting BallotOnline are likely to seek to influence the choice of leaders and create public doubt in the election system. BallotOnline is expected to face the following system security issues:

· Phishing

· Data Breaches

· Distributed Denial of Service

· APT

· Insider threat

· Ransomware

The move to the cloud by BallotOnline will present it with threats not experienced in on-premise data centers, such as:

· Stolen Cloud Authentication Credentials

· Physical Access

· Internet-Accessible Management Application Programming Interface (API)

· PII data in a shared Multi-Tenant Environment

The CSP is required to offer the following:

· Data Access Security

· Data Security

· Network Security

· Application and Infrastructure Security

· Physical Security

Applicable Laws, Regulations, and frameworks

BallotOnline is growing and, in particular, expanding to other countries; this also means that the laws relevant to protecting voter data are becoming more complex. BallotOnline must comply with certain laws, regulations, and frameworks. These laws and regulations can be unclear for a newly adopted system like cloud technology. BallotOnline is also likely to face challenges since different countries follow different jurisdictions. To avoid breaking civil and criminal regulations, BallotOnline has to abide strictly by the laws and regulations of each country it will provide services to.

a) Laws and Regulations

BallotOnline's headquarters are located in the United States, and it is responsible for protecting voters' digital PII. The collected voter information has to comply with the Stored Communications Act (SCA) and the Federal Information Security and Management Act (ECPA). Since BallotOnline will operate in the European Union, it will have to abide by the GDPR to protect voters within and outside the region. The GDPR outlines some of the strictest data privacy rules in the world; this will safeguard voters not only within the EU and the United States but also in other countries. BallotOnline is not limited to the United States Constitution and the GDPR but is also subject to other jurisdictions.

Frameworks

COBIT, an acronym for Control Objectives for Information and Related Technology, is an established framework recognized for data protection in most organizations. ISACA initially created the framework for information management and governance in business entities. As a growing company, BallotOnline can use this framework to provide safe and convenient online elections. The COBIT framework can be effective in mitigating the risks involved in online voting.

Cyberspace Law and Cloud Service Provider Agreement

Cyberspace law is law that offers legal protection to internet users. It applies to all forms of Internet-related technologies. Internet technology is proliferating, making it necessary to develop cyberspace law that keeps pace with technological advancements and related Internet crime. BallotOnline will have to gain deep insight into how cyberspace laws are applied to real problems. BallotOnline will need to distribute its members among voter areas to ensure cyberspace laws are not violated and voter rights are protected. A Cloud Service Provider is required to draw up a Cloud Service Provider Agreement (CSPA). The CSPA is an agreement on the terms and conditions laid down by the customer and the company. It describes services and customer configuration, fees, support, access and license, data protection, confidentiality, and the customer agreement. The CSPA therefore clearly outlines the functions of BallotOnline and the CSP before data is transmitted to the cloud. The CSPA binds the Cloud Service Customer (BallotOnline) to the Cloud Service Provider and Cloud Service Partner. It defines the relationship between the CSP and the customer and the terms under which the contract is considered breached. It sets out performance fix times, penalties for those who break the terms, and strategies for resolving disputes that may arise between voters and CSPs.


Compliance requirements

Compliance requirements are a series of legal directives an organization should meet to perform its functions. For instance, BallotOnline must conform to specified requirements to conduct online voting. Compliance requirements promote efficiency and protect both the company and its customers. Cloud solution compliance means meeting the legal standards for cloud usage that international law sets out.

Geographical compliance is one of the cloud solution compliance requirements. Each region has its rules and regulations; therefore, BallotOnline must comply with all the laws of the areas it serves.

Election industry compliance is an additional cloud solution requirement that BallotOnline will have to meet. Voting legislation such as the Voting Rights Act of 1965 and the National Voter Registration Act (NVRA) of 1993 sets out the rules BallotOnline should adhere to in allowing voters to vote.

Data Compliance

America operates under multiple pieces of legislation that protect the rights and values of electoral systems. Various laws can therefore apply, including the Federal Trade Commission Act, which empowers the Federal Trade Commission to act on privacy issues. Multiple federal laws do the same, including the California Privacy Rights Act, which guides consumer privacy compliance.

BallotOnline must therefore treat the EU's GDPR as a basic entitlement to offer protection at all times. The data, in this case, must be distributed, stored, and accessed through different IT platforms with maximum protection and security. Access to the data must be limited and regulated, granted only to authorized individuals. The company must develop and implement a compliance program to reduce legal risks to an acceptable level and to reduce the risk of damage from company violations. The compliance program seeks to protect voters' data, comply with data privacy laws, and prevent fines.


Proposal for a Compliance Program

A compliance program will enable BallotOnline to avoid time wastage, violations of rules, fraud, discrimination against voters, and other criminal practices that may expose the company to risks. The compliance program will enable BallotOnline to ensure effective voter registration, ensure data integrity, and adhere to legal voting standards.

Components of the Compliance Program

· Monitor compliance with policy, standards, and security controls. These tools automate the technical control system and report geographic, election, and data requirements to the company. They also initiate various processes for monitoring and data control.

· Continuous self-assessment. This involves frequent checks of the system to ensure conformity with data security, access, use, and protection requirements, alongside other security tests. This will help keep BallotOnline safe from hacks and future security threats.

· Respond to events and risk changes. The CISO will be responsible for integrating security procedures and the compliance program for response management. The CISO has to create policies that align the organization's local data storage with privacy laws.

· Communicate events and risk changes. This establishes a reporting system with thresholds for each security incident, ensuring that authorized regulators are informed in due time. ITSM tools such as BMC, alongside others, can provide dependable, collaborative systems for managing these issues.


Conclusion

For BallotOnline to ensure the safety of voters' information, it has to address internal and external risks. Adopting the GDPR and NIST as baselines will ensure that voters' data is safe and secure. BallotOnline's commitment to abiding by the GDPR and NIST will provide checks and balances to ensure the safety of voters' information. BallotOnline must comply with specific laws, regulations, and frameworks. These laws and regulations can be unclear for a newly adopted system like cloud technology. BallotOnline is also likely to face challenges since different countries follow different jurisdictions. To avoid breaking civil and criminal regulations, BallotOnline has to abide strictly by the laws and regulations of each country it will provide services to. Cyberspace law is law that offers legal protection to internet users. It applies to all forms of Internet-related technologies. Internet technology is growing; thus, developing cyberspace law that keeps pace with technological advancements and related Internet crime is necessary.

References

Akinrolabu, O., Nurse, J. R., Martin, A., & New, S. (2019). Cyber risk assessment in cloud provider environments: Current models and future needs. Computers & Security, 87, 101600.

Al-Husaini, Y. S. (2022). Enhancing cloud forensic investigation relationships between law enforcement and local cloud service providers: Oman as a case study. RMIT University.

Brady, M., Howell, G., Sames, C., Schneider, M., Snyder, J., Weitzel, D., & Franklin, J. (2021). Cybersecurity Framework Election Infrastructure Profile (NIST Internal or Interagency Report (NISTIR) 8310 (Draft)). National Institute of Standards and Technology.

ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives.

Kirvan, P. (n.d.). Top 10 IT security frameworks and standards explained. Retrieved on 29th from: https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

Raymond, K. (2020). Cyberspace law: Cases and materials. Wolters Kluwer Legal & Regulatory.

Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards, and recommendations. Future Generation Computer Systems, 92, 178-188.

TagElsir, T., & Osman, A. (2015). Internal & external attacks in cloud computing environment from confidentiality, integrity and availability points of view. IOSR Journal of Computer Engineering (IOSR-JCE), 17(2), 93-96.

Ziegler, W. (2019). A framework for managing quality of service in cloud computing through Service Level Agreements. Fraunhofer Verlag.
