Reference no: EM131669053

Assignment

Task

Scenario

The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department's own data centres.

As a result of a change in Government policy, DAS is moving to a "Shared Services" approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). This means that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into the DAS centralised database. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.

DAS has now started its move to the Government's "Cloud first" policy and is in the process of implementing the following Shared Services:

• A SaaS HR and Personnel management suite,
• A SaaS Contractor management suite,
• A COTS Payroll solution that is implemented in the AWS Cloud,
• A PaaS SharePoint platform that forms the basis of the intended WofG Intranet platform.

Your team has workshopped and researched the Threat and Risk analysis for these projects and has developed the policy strategies and controls for Privacy and Data Protection which are required.

The Government has now decided that they want to centralise the application and renewal of licenses from a number of different agencies into one single web portal. The portal will be branded as MyLicence. The Government's strategy is that the process of licence application or renewal for virtually all licences follows an almost identical workflow, even though some of the data may differ for different types of licences. Their aim is to have a single workflow for all licences, with some additional steps in case of special requirements for a particular type of license.
The Government also sees the opportunity to gain a better view of what licences each citizen holds, and wants to link that data to other data that they hold about each citizen. In order to achieve this, the Government plans to encourage citizens to register on the MyLicence portal and create their own informal digital identity. This will allow all the licences, renewal dates, and other associated information for that digital identity to be available for viewing on a single page. This data, particularly when linked to a citizen's digital identity, can then be used for more effective planning and decision making by Government and other public agencies.

The plan also has the advantage of simplifying the process of acquiring and renewing licences for its citizens so that they only need to go to a single web portal to acquire the licenses that they require.

Tasks

After the successful engagement of your team to develop privacy and personal data protection strategies for DAS, the team has now been engaged to develop a Personally Identifiable Information (PII) privacy and personal data protection strategy for DAS.

Team Setup

This assignment is the last of the team assignments for this subject. The rationale for using a team approach is that most IT policy formulations are normally conducted by teams of between 2-5 Architects, Information Security experts, Operations and Business leaders for each problem. You are already assigned to a team and the team, as a whole, will be responsible for the development of the policies.

Team Member Responsibilities

Each team member will be assessed on:

• The final privacy and personal data protection strategies presented by the team;
• The individual contributions that they have made to the policy formulation. This will be shown by the entries that they have made in the

Team forum;

Team members should note that:

• A total of 20% of the total marks for this assignment are for individual contributions. These include:

o Contributions to the development of privacy and data protection policies (10%), and
o Reasoning behind the development of privacy and data protection policies (10%)

• A team member without any individual contributions in the Team Forum will be regarded as having not contributed to the risk assessment. This will result in either reduced marks or no marks being awarded to that team member for this assignment.

The task:

Your team is to:

1. Develop a Threat and Risk Assessment (TRA) for PII data for the MyLicence portal. This TRA should consider both the privacy and data protection aspects of PII data in the portal.

2. Develop a PII strategy proposal for the DAS MyLicence portal. The strategy should consider the threats and risks to both Privacy and data protection for the PII data collected in the MyLicence portal as well as possible controls to mitigate the identified risks.

3. Develop a strategy to protect the informal Digital Identity that a user may create in the MyLicence portal. You should consider both the privacy and data protection aspects for a digital identity as well as possible controls to mitigate the identified risks. (20 marks)

4. Develop an outline plan for the Governance of:

1. PII data and digital identities for users of the MyLicence portal.
2. Personal data and PII data for DAS users of the HR Personnel Management suite.
3. Personal data and PII data for contractors in the Contractor Management suite.
4. PII data and financial data for users and DAS staff in the COTS payroll suite.
5. Create a PowerPoint slide deck that gives a comprehensive overview of the above tasks. This slide deck is not to exceed 30 slides.

Presentation

The team is to submit the following documents to complete this assessment:

• A PowerPoint presentation that gives a comprehensive overview of the four tasks.

o The presentation should be a maximum of 30 slides, including introduction, conclusions and recommendations.
o Each slide should have speaking notes in the Notes section which expand on the information in the slide.
o The slides should give refer to the additional information contained in the appendices.
o Images and quotations used in slides must be referenced on that slide.
o The slide deck does not require a reference list.

• The TRA is to be attached in a separate Word document marked as Appendix A. The TRA can be presented in tabular format or similar.

• The PII strategy is to be attached in a separate Word document marked as Appendix B. This document should be fully referenced in APA 6th edition format, and should not exceed 5 pages.

• The Digital Identity is to be attached in a separate Word document marked as Appendix C. This document should be fully referenced in APA 6th edition format, and should not exceed 5 pages.

• The Governance plan is to be attached in a separate Word document marked as Appendix D. This document should be fully referenced in APA 6th edition format, and should not exceed 10 pages.

• A copy of the discussions in the team forum should be exported into a single Word document marked as Appendix E.

All parts of the submission are to be loaded into the team Resource Area in Interact.

Rationale

This assignment aligns with the following learning outcomes of this subject:

• be able to examine the legal, business and privacy requirements for a cloud deployment model;
• be able to evaluate the risk management requirements for a cloud deployment model;
• be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud;
• be able to develop and present a series of proposed security controls to manage the security and privacy of data deployed to the cloud;
• be able to develop and present a cloud governance framework to underpin the cloud operations for an enterprise.
Identifying, assessing and explaining threats, security and risk for computer applications in the real world requires that you interact with colleagues, peers and various stakeholders, therefore team work has been incorporated into these assessments to facilitate this.