47. by the public cloud vendor. The Charity's data contains a
considerable amount of confidential information about the
people to whom the Charity provides services.
The Charity collects PII data on the clients who use its services
so that it can assist them to manage their different service
requirements. This PII data also includes holding some digital
identity data for some of the more disadvantaged clients,
particularly if they also have mental health issues.
The cloud vendor has made a presentation to management that
indicates that operational costs will drop dramatically if the
cloud model is adopted. However, the Board of the Charity is
concerned with the privacy and security of the data that it holds
on the people that it provides services to in the community. It is
concerned that a data breach may cause considerable damage to
substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes
appropriate privacy and security policies for the Charity's data.
The charity has also decided to:
· Purchase a HR and personnel management application from a
US based company that provides a SaaS solution.
· The application will provide the charity with a complete HR
suite, which will also include performance management. The
application provider has advised that the company's main
database is in California, with a replica in Dublin, Ireland.
However, all data processing, configuration, maintenance,
updates and feature releases are provided from the application
provider's processing centre in Bangalore, India.
· Employee data will be uploaded from the charity daily at
12:00 AEST. This will be processed in Bangalore before being
loaded into the main provider database.
· Employees can access their HR and Performance Management
information through a link placed on the Charity intranet. Each
employee will use their internal charity digital ID to
authenticate to the HR and Performance management system.
The internal digital ID is generated by the charity's Active
48. Directory instance and is used for internal authentication and
authorisation.
· Move the charity payroll to a COTS (Commercial Off The
Shelf) application that it will manage in a public cloud;
· Move the charity Intranet into a Microsoft SharePoint PaaS
offering so that it can provide Intranet services to all agencies
in the WofG.
Tasks
You have been engaged to provide a risk assessment for the
planned moves to SaaS application offerings.
You are to write a report that assesses the risks to the charity
for just their planned moves in the HR area:
1. Consider the data and information that the charity holds on
its employees in the current HR system.
1. Establish the existing threats and risks to the security of that
data and information contained in the in-house HR database. (10
marks)
2. Are there any additional risks and threats to employee data
that may arise after migration to an SaaS application? (10
marks)
3. Assess the resulting severity of risk and threat to employee
data. (10 marks)
2. Consider the privacy of the data for those employees who
will move to an SaaS application.
1. Establish the existing threats and risks to the privacy of that
data and information contained in the in house HR database. (10
marks)
2. Are there any additional risks and threats to the privacy of
the employee data after migration to an SaaS application? (10
marks)
3. Assess the resulting severity of risk and threat to the privacy
of employee data. (10 marks)
3. What are the threats and risks to the digital identities of
charity employees from the move to SaaS applications? (10
marks)
49. 4. Consider the operational solution and location(s) of the SaaS
provider for HR management. Does either the operational
solution, or the operational location, or both, increase or
mitigate the threats and risks identified for the security and
privacy of employee data? (20 marks)
5. Are there any issues of ethics, data sensitivity or jurisdiction
that should be considered by the charity? (10 marks)
You are to provide a written report with the following headings:
· Security of Employee Data
· Privacy of Employee Data
· Digital Identity Issues
· Provider
Solution
Issues
· Data Sensitivity
As a rough guide, the report should not be longer than about
5,000 words.