Task
back to top
Scenario
The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres.
As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). The result of this move will be that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into one of the DAS centralised databases. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.
Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:
· Purchase a HR and personnel management application from a US based company that provides a SaaS solution.
· The application will provide DAS with a HR suite that will provide a complete HR suite which will also include performance management. The application provider has advised that the company’s main database is located in a Cloud datacentre based in California in the United States, with a replica database located in a cloud datacentre in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
· Employee data will be uploaded from DAS daily at 12:00 AEST. This will be initially transferred to Bangalore in India for processing before being loaded into the main provider database in California.
· Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by each agency’s Active Directory instance and is used for internal authentication and authorisation.
· Move the DAS payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;
Tasks
After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to consider some additional questions that DAS management has raised.
Prepare a presentation for DAS Management using the TRA you recently completed on the security and privacy of employee data. Your presentation is to show:
1. Discuss how the operational solution using an SaaS application, and the location(s) of the SaaS provider for HR management may affect the security posture of DAS. (20 marks)
2. Explain if eithe.
Taskback to topScenarioThe Department of Administrative Serv.docx
1. Task
back to top
Scenario
The Department of Administrative Services (DAS) provides a
number of services to other departments in an Australian State
Government. These services include HR and personnel
management, payroll, contract tendering management,
contractor management, and procurement. These services have
all been provided from the Department’s own data centres.
As a result of a change in Government policy, DAS is moving to
a “Shared Services” approach. This approach will mean that
DAS will centralise a number of services for the whole of
Government (WofG). The result of this move will be that each
Department or Agency that runs one of these services for its
own users, will be required to migrate its data to DAS so that it
can be consolidated into one of the DAS centralised databases.
DAS will then provide these consolidated services to all other
Departments and Agencies within the Government.
Another Government policy mandates a “Cloud first” approach
to the process of updating or acquiring software or services.
Following these strategic policy changes from Government,
DAS has decided to:
· Purchase a HR and personnel management application from a
US based company that provides a SaaS solution.
· The application will provide DAS with a HR suite that will
provide a complete HR suite which will also include
performance management. The application provider has advised
that the company’s main database is located in a Cloud
datacentre based in California in the United States, with a
replica database located in a cloud datacentre in Dublin,
Ireland. However, all data processing, configuration,
maintenance, updates and feature releases are provided from the
application provider’s processing centre in Bangalore, India.
· Employee data will be uploaded from DAS daily at 12:00
2. AEST. This will be initially transferred to Bangalore in India
for processing before being loaded into the main provider
database in California.
· Employees will be able to access their HR and Performance
Management information through a link placed on the DAS
intranet. Each employee will use their internal agency digital ID
to authenticate to the HR and Performance management system.
The internal digital ID is generated by each agency’s Active
Directory instance and is used for internal authentication and
authorisation.
· Move the DAS payroll to a COTS (Commercial Off The Shelf)
application that it will manage in a public cloud;
Tasks
After your successful engagement to provide a security and
privacy risk assessment for the DAS, you have again been
engaged to consider some additional questions that DAS
management has raised.
Prepare a presentation for DAS Management using the TRA you
recently completed on the security and privacy of employee
data. Your presentation is to show:
1. Discuss how the operational solution using an SaaS
application, and the location(s) of the SaaS provider for HR
management may affect the security posture of DAS. (20 marks)
2. Explain if either the operational solution, or the operational
location(s), or both, increase or mitigate the threats and risks
identified for the security and privacy of employee data? (20
marks)
3. Discuss the security and privacy implications for DAS of the
data processing location? (20 marks)
4. Discuss any issues of data sensitivity that you think should
be considered with either the chosen solution or the
storage/processing locations? (20 marks)
5. Discuss any issues of data sovereignty that should be
considered? (20 marks)
Your presentation is to be completed in either PowerPoint or
3. Google slides. Your presentation must not exceed 25 slides of
content.
· The presentation should be a maximum of 25 slides, including
introduction, conclusions and recommendations.
· Each slide should have speaking notes in the Notes section
which expand on the information in the slide.
· Images and quotations used in slides must be referenced on
that slide.
· The slide deck does require a reference list. References are to
be included on a Reference list slide(s), but these are not
counted as part of the slide deck limit.
Your presentation should highlight the significant points of
your argument, but you should include the detail in the speaking
notes section of your slides.
Rationale
back to top
This assessment task will assess the following learning
outcome/s:
· be able to examine the legal, business and privacy
requirements for a cloud deployment model.
· be able to evaluate the risk management requirements for a
cloud deployment model.
· be able to critically analyse the legal, ethical and business
concerns for the security and privacy of data to be deployed to
the cloud.
Marking criteria and standards
back to top
Questions
HD
DI
CR
PS
FL
Q1. Does the operational solution and locations affect DAS
security (20 marks)
4. Comprehensive exploration of the use of SaaS and given
locations affect the existing security of data that includes well
considered and argued reasoning
Thorough exploration of the use of SaaS and given locations
affect the existing security of data that includes good reasoning
Detailed exploration of the use of SaaS and given locations
affect the existing security of data that includes some good
reasoning
Adequate exploration of the use of SaaS and given locations
affect the existing security of data that includes some reasoning
Incomplete or irrelevant exploration of the use of SaaS and
given locations affect the existing security of data that includes
little or no reasoning
Q2. Does the operational solution and locations increase or
mitigate threats and risks to DAS security (20 marks)
Comprehensive discussion of how this solution and its locations
will increase or mitigate threats and risks to security of DAS
that includes well considered and argued reasoning
Thorough discussion of how this solution and its locations will
increase or mitigate threats and risks to security of DAS that
includes good reasoning
Detailed discussion of how this solution and its locations will
increase or mitigate threats and risks to security of DAS that
includes some good reasoning
Adequate discussion of how this solution and its locations
will increase or mitigate threats and risks to security of DAS
that includes some reasoning
Incomplete or irrelevant discussion of how this solution and
its locations will increase or mitigate threats and risks to
security of DAS that includes little or no reasoning
Q3. Implications for DAS of data processing location (20
5. marks)
Comprehensive discussion of the security and privacy
implications for DAS of the chosen data processing location
that includes well considered and argued reasoning
Thorough discussion of the security and privacy implications
for DAS of the chosen data processing location that includes
good reasoning
Detailed discussion of the security and privacy implications
for DAS of the chosen data processing location that some good
reasoning
Adequate discussion of the security and privacy implications
for DAS of the chosen data processing location that includes
some reasoning
Incomplete or inadequate discussion of the security and privacy
implications for DAS of the chosen data processing location
that includes little or no reasoning
Q4. Issues of data sensitivity (20 marks)
Comprehensive exploration of data sensitivity issues that
includes well thought out reasoning
Thorough exploration of data sensitivity issues that includes
good reasoning
Detailed exploration of data sensitivity issues that includes
some good reasoning
Adequate exploration of data sensitivity issues that includes
some reasoning
Inadequate or incomplete exploration of data sensitivity issues
that includes little or no reasoning
Q5. Issues of data sovereignty (20 marks)
Comprehensive exploration of data sovereignty issues that
includes well thought out reasoning
Thorough exploration of data sovereignty issues that includes
good reasoning
Detailed exploration of data sovereignty issues that includes
some good reasoning
Adequate exploration of data sovereignty issues that includes
some reasoning
6. Inadequate or incomplete exploration of data sovereignty issues
that includes little or no reasoning
Referencing & Presentation
Up to 5 marks can be deducted for incorrect or incomplete
referencing
Up to 5 marks may be deducted for poor presentation, spelling
and grammar
Presentation
back to top
Your presentation is to be completed in either PowerPoint or
Google slides. Your presentation must not exceed 30 slides of
content.
· The presentation should be a maximum of 30 slides, including
introduction, conclusions and recommendations.
· Each slide should have speaking notes in the Notes section
which expand on the information in the slide.
· Images and quotations used in slides must be referenced on
that slide.
· The slide deck does require a reference list. References are to
be included on a Reference list slide(s), but these are not
counted as part of the slide deck limit.
Your presentation should highlight the significant points of
your argument, but you should include the detail in the speaking
notes section of your slides.