Risk and Compliance

Risk Guidelines

To choose risk guidelines that will support good cybersecurity policy, it is vital to evaluate the parts of the environment that introduce risk. Currently all components, including software, hardware and data, are under the control of Ballot Online and sit within its own premises. If Ballot Online migrates to the cloud, the underlying infrastructure for these components will be managed by a cloud service provider, while Ballot Online remains responsible for its data and for how its systems are configured and accessed (the shared responsibility model). For Ballot Online to effectively mitigate and control the risks connected with moving to a public cloud, in any measure, it needs to have a risk management framework in place.

Ballot Online needs to create an effective risk management system so that it retains control over the risks and threats of moving to a public cloud service.

Ballot Online should understand the different risk management guidelines that exist and determine which of them align with its organizational goals and suit its business.

There are various cybersecurity standards, frameworks, practices and risk management guidelines that Ballot Online can apply to deal with these risks, such as ISO (International Organization for Standardization) standards, the NIST Cybersecurity Framework, COBIT (Control Objectives for Information and Related Technology), CSA (Cloud Security Alliance) guidance and GDPR (General Data Protection Regulation).

ISO: The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 167 national standards bodies that develops and publishes international standards for a wide variety of products and services. One such standard is ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, published in October 2022.

This standard not only details the requirements to establish, implement, maintain and continually improve an information security management system (ISMS), but also sets out requirements for assessing and treating information security risks. Its goal is establishing, implementing, maintaining and continually improving an ISMS within the context of the organization, and certification against it gives customers independent evidence that the controls are actually in place. All these features can support Ballot Online's mission statement and goals as well as promote company growth.

NIST Cybersecurity Framework: The framework was developed by the National Institute of Standards and Technology (NIST). NIST facilitated collaboration between government and the private sector to produce a voluntary baseline that addresses and manages cybersecurity risk in a cost-effective manner. It organizes security outcomes into core functions such as Identify, Protect, Detect, Respond and Recover, which would help Ballot Online manage its cybersecurity risks and anticipate threats.

COBIT: The COBIT framework is published by ISACA (the Information Systems Audit and Control Association), originally through its IT Governance Institute (ITGI). The framework is designed to govern and manage the way information technology is developed, improved, implemented and operated. It could assist Ballot Online in maintaining confidentiality and keeping risk at acceptable levels.

GDPR: The General Data Protection Regulation imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the European Union (EU). Because Ballot Online operates internationally and plans to expand its services, it must comply with these EU privacy requirements if it wants to operate successfully in any EU country in which it has a presence. Moving to a public cloud does not change that obligation: Ballot Online remains the data controller and must account for where its providers store and process EU residents' data.

CSA: The Cloud Security Alliance (CSA) describes itself as the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA offers research on cloud security, as well as education, certification, events and products, and enlists the help of industry, associations, government and other members for subject-matter expertise (CSA, n.d.).

CSA helps organizations enhance their security strategies and learn how to identify cybersecurity threats, which would help Ballot Online improve its cloud security program.

Based on the nature of Ballot Online's business, I suggest that Ballot Online adopt the NIST Cybersecurity Framework described above, since it provides a baseline for addressing and controlling cybersecurity risk in a cost-effective manner.

NIST also works with the EAC (Election Assistance Commission) on voting-system guidance, which Ballot Online can draw on for its risk management system and to anticipate threats. In collaboration with the EAC, NIST provides guidance in areas such as: helping people with disabilities access voting technologies, fraud detection and protection, protection of voter privacy, and voting-system issues related to computer, network and data storage security (UMGC, 2019).

Evaluation of the cloud provider is also a major factor for Ballot Online in identifying a trustworthy provider. Using the Federal Risk and Authorization Management Program (FedRAMP) as a reference will help Ballot Online reduce risk when selecting one. FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services (UMGC, 2019). A FedRAMP authorization covers the provider's side of the shared responsibility model; Ballot Online would still need to configure and operate its own workloads on that platform securely.

Proposal for Compliance Program

The following is a high-level proposal for a compliance program for Ballot Online that enables the organization and its employees to conduct themselves in a manner that follows legal and regulatory requirements.

· Identification of company employees who have oversight over the program, their roles, and responsibilities:

The employees who have oversight of compliance are the Chief Information Security Officer (CISO), the Compliance Officer (CO), the Security Manager (SM), the Security Engineer (SE), the Security Analyst (SA), the Board of Directors and the Chief Legal Officer.

CISO: Leads the cloud security team and ensures that Ballot Online's data in the cloud is protected.

SM: Establishes and oversees the overall strategy for leveraging security technology.

SE: Oversees threat intelligence, vulnerability assessment and all areas of security engineering for Ballot Online.

SA: Responsible for responding to security incidents.

CO: Responsible for monitoring and auditing the compliance program and responding to compliance issues.

Board of Directors: Oversees management's handling of the impacts of cloud computing.

Chief Legal Officer: Ensures and maintains compliance of cloud computing activities with laws and regulations.

· List of high-level policies and/or procedures that may be required

A policy on acceptable use of company resources, including computer systems and networks

A policy on confidential and proprietary information

A policy on compliance with legal and regulatory requirements

A policy on reporting compliance issues

A procedure for responding to compliance issues

A procedure for developing corrective action plans

A procedure for conducting risk assessments

· List of high-level training and education programs that may be required

Training and education programs that may be required as part of the compliance program include, but are not limited to:

An orientation program for new employees on the company's compliance policy

Periodic training for all employees on the company's compliance policy

Training for employees with specific compliance responsibilities, such as the compliance officer, on their roles and responsibilities

A procedure for ensuring that employees receive the required training

A procedure for documenting employee training.

· Relationship between components of the program, including (but not limited to) communication channels and dependencies:

The compliance program will need to establish communication channels between the compliance officer and other employees, to ensure that compliance issues are reported and that employees receive the required training. The compliance program will also need to establish relationships with other departments within the company, to ensure that compliance issues are identified and addressed in a timely manner.

· Identification of enforcement mechanism

The compliance program will need to establish an enforcement mechanism to ensure that employees comply with the company's compliance policy. This may include, but is not limited to, disciplinary action for employees who violate company policy.

· Identification of monitoring and auditing mechanisms

Ballot Online will need to establish monitoring and auditing mechanisms to ensure that the compliance program is effective and that compliance issues are identified and addressed in a timely manner.

· How will responses to compliance issues be handled, and how will corrective action plans be developed?

The compliance program will need to establish a procedure for responding to compliance issues, which may include investigating the issue, developing a corrective action plan, and disciplining employees who have violated company policy.

Ballot Online must respond swiftly to any offence or incident that occurs and develop corrective actions that will prevent a recurrence.

· How are risk assessments handled?

Ballot Online needs to establish a procedure for conducting risk assessments in order to identify and address potential compliance risks.

Note: Well written, except for the fact that the instructions called for a high-level outline and flowchart.

References

Stöber, T., Kotzian, P., & Weißenberger, B. E. (2019). Design matters: On the impact of compliance program design on corporate ethics. Business Research, 12(2), 383-424.

Andreisová, L. (2016). Building and maintaining an effective compliance program. International Journal of Organizational Leadership, 5(1), 24-39.

Abdullah, P. Y., Zeebaree, S. R., Shukur, H. M., & Jacksi, K. (2020). HRM system using cloud computing for Small and Medium Enterprises (SMEs). Technology Reports of Kansai University, 62(04), 04.

University of Maryland University College. (2019). Cloud Deployment Models. Retrieved from https://lti.umuc.edu/contentadaptor/page/topic?keyword=Cloud%20Deployment%20Models

University of Maryland University College. (2019). Federal Risk and Authorization Management

University of Maryland Global Campus. NIST Cybersecurity Framework. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/nist-cybersecurity-framework.html?ou=683956

TechTarget. http://techtarget.com

ISO. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Retrieved from https://www.iso.org/standard/82875.html

Cloud Compliance. (n.d.). Retrieved February 17, 2019, from Techopedia: https://www.techopedia.com/definition/30551/cloud-compliance

Data Security. (2019). Retrieved from Techopedia: https://www.techopedia.com/definition/26464/data-security