
As an IT analyst for Ballot Online, a company providing voting solutions to a global client base, you are working to convince the organization to move the current infrastructure to the cloud.

Your supervisor and the director of IT, Sophia, has asked you to summarize for the company executives the potential risks and compliance issues that BallotOnline will have to contend with in the transition to the cloud.

The final report will be seven to 10 pages that convey your understanding and management of risks associated with cloud computing, as well as ensuring compliance with legal requirements involved in moving BallotOnline systems to the cloud.

Step 1: Research Risks Associated With Cloud Adoption

The first step in assessing risk in cloud computing will be to identify and describe risk concepts and cloud computing risk factors associated with cloud adoption. As a software as a service (SaaS) company considering an infrastructure as a service (IaaS) cloud service provider for your hosting needs, consider third-party outsourcing issues and the generally accepted best practices for cloud adoption, and review relevant cloud risk case studies.

As part of the risk management process, identify and describe other types of risk, such as risks associated with having a service-level agreement (SLA). An example of a potential risk could be if your company is obligated to protect personal information, and then the cloud provider that you use suffers a security breach exposing that personal information.

Here, identify and describe other types of risks or potential liability issues that apply to BallotOnline.

Step 2: Identify the Most Appropriate Guidelines for Managing Risks

In order to identify guidelines applicable to your company's industry, you must have an understanding of the different types of risk management guidelines that exist and are frequently applicable in cloud environments.

There are several cybersecurity standards applicable to cloud computing environments such as the NIST Cybersecurity Framework, ISO standards, and US federal government standards (DoD/FIPS), as well as several major sets of risk guidelines for dealing with the risks involved. Also, there are organizations such as the Cloud Security Alliance (CSA) that recommend best practices for managing risks.

Review the different guidelines and determine which are most appropriate for BallotOnline. For example, NIST has responsibility for developing a number of elections industry guidelines within the United States.

Identify why those guidelines are most appropriate and compile these items into a brief (one page or less) recommendation and justification of your choice. Your recommendation will also be incorporated into your final report in the final step.

Submit your recommendation to Sophia to review before you present your final work.

Step 3: Identify Potential Privacy Issues and Mitigation Measures

Now that you have identified the guidelines most applicable to your organization, it is time to discuss privacy protections that may apply.

BallotOnline is now a global organization and may need to contend with several sets of privacy laws since these laws vary from country to country.

Sophia has recommended that you focus on European Union (EU) privacy requirements for now, including the General Data Protection Regulation (GDPR), since those are considered to be the most challenging for compliance. Many companies opt to host data for their European customers entirely within facilities in the European Union, and the companies implement restrictions to prevent data for EU citizens from crossing borders into non-EU zones. This is the approach that you have been asked to take and where you should focus your efforts. Note that some cloud providers, such as Amazon, have received special approval from EU authorities to permit data transfer outside of the EU.

Research EU privacy requirements, identify the requirements that apply to your project, and why they apply and compile your recommendations for complying with these requirements. These will be incorporated into your final report.

Before moving on to the next step, discuss privacy issues in one page or less, and submit it separately before you submit your final work.

Step 4: Create Risk Management Matrix

Now that you have identified and described the types of risks that may apply to your organization, create a risk management matrix to assess/analyze that risk, and make recommendations for risk mitigation measures.

This Sample Risk Assessment for Cloud Computing will give you an example of a completed risk matrix.

Use the risk management matrix template to identify risks and write a brief summary explaining how to understand the data. Submit it to Sophia for feedback before you present your final work.

Step 5: Describe Cloud Security Issues

Now that you have completed the risk analysis, you can start to identify cloud and network security issues that may apply in BallotOnline's operating environment, including data in transit vulnerabilities and multifactor authentication.

Consider cloud computing risks, network security design, information security, data classifications, and identity management issues. Your findings will be incorporated into your final report.

Discuss these security issues in one page or less, and submit it separately before you submit your final work.

Step 6: Examine the US Legal System and Intellectual Property Laws

Now that you are familiar with security issues, examine and review the US legal and justice systems. Since BallotOnline is a software as a service (SaaS) company based in the United States and serving a customer base in the United States, you need to understand how the legal and justice systems work in the United States. Your basic understanding of these systems is crucial for understanding the complexities of the legal system in cyberspace, where cloud-based systems reside.

As a practitioner working in the cloud computing field, you should also have an understanding of the complexities of intellectual property law and cyberspace law, including how to identify different venues and methods for resolving disputes (such as the court system, arbitration, mediation), how to define and negotiate cloud hosting agreements to avoid potential cyberspace law issues, how to discuss the regulation of cyberspace, and how to handle electronic agreements and digital signatures.

To gain a better understanding of how cyberspace laws are applied to real issues, participate in the analysis of a relevant legal case with your colleagues in a forum titled Discussion: US Legal System and Cyberspace Law.

In addition to the discussion board, your findings will also be incorporated into your Final Risk and Compliance Report for the BallotOnline executives.

Step 7: Use Frameworks to Analyze Complex Legal and Compliance Issues

In the previous step, you examined the US legal and justice systems as a building block for understanding the complexities of the legal system in cyberspace, where cloud-based systems reside.

There are several frameworks for analyzing compliance issues used to analyze these complex issues. To provide a manageable set of recommendations to the executives, review the frameworks and select the one that is most helpful to use for analyzing these complex issues.

Step 8: Analyze General, Industry, Geographic, Data, and Cloud-Specific Compliance Issues

In the previous step, you examined the complexities of law in cyberspace. In this step, you will expand your understanding of legal and compliance issues related to the cloud by investigating industry-specific compliance issues, geographic-specific compliance issues such as privacy, and cloud-specific compliance issues to determine which are applicable to BallotOnline.

You will also need to analyze data compliance issues applicable to companies operating in the European Union, including the recent GDPR regulations, and determine how BallotOnline can be compliant. The organization is concerned about EU compliance issues because the laws there are the most restrictive that BallotOnline will encounter.

Prepare a two- to three-page summary of the data compliance issues that are applicable to BallotOnline and determine how BallotOnline can be compliant. This will be part of your final risk and compliance assessment report.

Step 9: Create a Proposal for a Compliance Program

In previous steps, you have identified potential legal and compliance requirements that BallotOnline may face in migrating to a cloud computing model. Now, you need to determine how BallotOnline can comply with those requirements.

Create a high-level proposal for a compliance program for BallotOnline that enables the organization and its employees to conduct themselves in a manner that complies with legal and regulatory requirements. Management has asked you to model the proposal on existing compliance programs for other companies that have migrated to the cloud. Note: Add a high-level outline and flowchart for the instructions.

Step 10: Write the Final Risk Assessment and Compliance Report

As you have learned, there are a number of legal and compliance requirements associated with shifting to a cloud computing model.

It's time to put everything together in a seven- to 10-page report for BallotOnline executives: summarizing the risk assessment and mitigation as well as legal and compliance requirements associated with moving to the cloud, outlining your recommended action plans for meeting those requirements, and developing a high-level proposal for a compliance program to avoid breaches of the requirements.

Use the final risk and compliance report template to complete your report.

Use the following criteria to respond to the questions.

1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.

1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.

2.1: Identify and clearly explain the issue, question, or problem under critical consideration.

7.1: Examine legal and regulatory requirements.

7.2: Examine industry best-practices and standards.

8.1: Assess liability issues associated with cloud adoption.

8.2: Assess network security and privacy risks associated with cloud infrastructure.

8.3: Assess management and operational risks associated with cloud.

Please add references. I also need a plagiarism report.


Risk Guidelines

To select appropriate risk guidelines that will be implemented as sound cybersecurity policies, it is vital to evaluate the different factors that introduce risk. Currently all the components, such as software, hardware and data, are under the control of Ballot Online and within its own premises. If Ballot Online migrates to the cloud, all of these components will be managed by the cloud service provider. For Ballot Online to efficiently mitigate and control the risks connected with transitioning to a public cloud in any measure, it needs to have a risk structure in place.

Ballot Online needs to create an efficient risk management system to keep control over the risks and threats of moving to a public cloud service.

Ballot Online should understand the different risk management guidelines that exist and determine which will align with its organizational goals and suit the Ballot Online business.

There are various cybersecurity standards, frameworks, practices and risk management guidelines that Ballot Online can apply to deal with the risks, such as ISO (International Organization for Standardization), the NIST Cybersecurity Framework, COBIT (Control Objectives for Information and Related Technology), CSA (Cloud Security Alliance) and GDPR (General Data Protection Regulation).

ISO: The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 167 national standards bodies that develops and publishes international standards for a wide range of products and services. One such standard is ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, published in October 2022.

This edition not only details the requirements to establish, implement, maintain and improve an information security management system, covering information security, cybersecurity and privacy protection, but also addresses the requirements for both assessing and mitigating information security risks. The goal of the standard is establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. All of these features can support Ballot Online's mission statement and goals as well as promote company growth.

NIST Cybersecurity Framework: The framework was developed under the leadership of the National Institute of Standards and Technology (NIST). NIST facilitates collaboration between government and the private sector to develop a baseline that addresses and controls cybersecurity risk in a cost-efficient manner. This will assist Ballot Online in managing its cybersecurity risks and forestalling threats.

COBIT: The COBIT framework is published by the IT Governance Institute (ITGI), a branch of the Information Systems Audit and Control Association (ISACA). The framework is designed to guide the way information technology is developed, improved, implemented and managed. This framework could assist Ballot Online in maintaining confidentiality and acceptable risk levels.

GDPR: General Data Protection Regulation. It imposes obligations on organizations anywhere, so long as they target or collect data related to people in the European Union (EU). Because Ballot Online operates internationally and plans to expand its services, it must comply with the EU privacy requirements known as the GDPR if it wants to operate successfully in any EU country where it has a presence.

CSA: The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA offers research on cloud security, as well as education, certification, events and products, and enlists the help of industry, associations, government and other members for subject-matter expertise, according to CSA's website (CSA, n.d.).

CSA assists organizations in enhancing their security strategies and in learning how to identify cybersecurity threats. This will assist Ballot Online in improving its cloud security.

Based on the nature of Ballot Online's business, I suggest that Ballot Online make use of the NIST Cybersecurity Framework, which was developed under the leadership of NIST to give government and the private sector a shared baseline for addressing and controlling cybersecurity risk in a cost-efficient manner.

NIST will collaborate with the EAC (Election Assistance Commission) to assist Ballot Online with its risk management system and to forestall threats. NIST, together with the EAC, gives guidance in areas such as helping people with disabilities gain access to voting technologies, fraud detection and protection, protection of voters' privacy, and issues with voting systems related to computer, network and data storage security (UMGC, 2019).

Evaluation of the cloud provider is also a significant factor for Ballot Online in identifying and selecting a genuine cloud provider. Evaluation through the Federal Risk and Authorization Management Program (FedRAMP) will help Ballot Online reduce risk when picking an authentic cloud provider. FedRAMP is a government program that provides a standardized approach to security assessment, authorization and ongoing monitoring of cloud products and services (UMGC, 2019).

Proposal for Compliance Program

The following is a high-level proposal for a compliance program for Ballot Online that enables the organization and its employees to conduct themselves in a manner that follows legal and regulatory requirements.

· Identification of company employees who have oversight over the program, their roles, and responsibilities:

The employees with oversight of compliance are the Chief Information Security Officer (CISO), Compliance Officer (CO), Security Manager (SM), Security Engineer (SE), Security Analyst (SA), Board of Directors and Chief Legal Officer.

Chief Information Security Officer: The cloud security team leader. The CISO will ensure that Ballot Online's cloud data is protected.

SM: Establishes and oversees the overall strategy for leveraging security technology.

SE: The SE will oversee threat intelligence, vulnerability assessment and all areas of security engineering for Ballot Online.

SA: Responsible for responding to security incidents.

Compliance Officer: The CO is responsible for monitoring and auditing the compliance program and responding to compliance issues.

Board of Directors: Oversees management's perspective on the impacts of cloud computing.

Chief Legal Officer: Ensures and maintains compliance of cloud computing activities with laws and regulations.

· List of high-level policies and/or procedures that may be required

A policy on acceptable use of company resources, including computer systems and networks

A policy on confidential and proprietary information

A policy on compliance with legal and regulatory requirements

A policy on reporting compliance issues

A procedure for responding to compliance issues

A procedure for developing corrective action plans

A procedure for conducting risk assessments

· List of high-level training and education programs that may be required

Training and education programs that may be required as part of the compliance program include, but are not limited to:

An orientation program for new employees on the company's compliance policy

Periodic training for all employees on the company's compliance policy

Training for employees with specific compliance responsibilities, such as the compliance officer, on their roles and responsibilities

A procedure for ensuring that employees receive the required training

A procedure for documenting employee training.

· Relationship between components of the program, including (but not limited to) communication channels and dependencies

The compliance program will need to establish communication channels between the compliance officer and other employees, to ensure that compliance issues are reported and that employees receive the required training. The compliance program will also need to establish relationships with other departments within the company, to ensure that compliance issues are identified and addressed in a timely manner.

· Identification of enforcement mechanism

The compliance program will need to establish an enforcement mechanism in order to ensure that employees comply with the company's compliance policy. This may include, but is not limited to, disciplinary action for employees who violate company policy.

· Identification of monitoring and auditing mechanisms

Ballot Online will need to establish monitoring and auditing mechanisms to ensure that the compliance program is effective and that compliance issues are identified and addressed in a timely manner.

· How will responses to compliance issues be handled, and how will corrective action plans be developed?

The compliance program will need to establish a procedure for responding to compliance issues, which may include investigating, developing a corrective action plan, and disciplining employees who have violated company policy.

Ballot Online must swiftly respond to any offence or incident that occurs and develop corrective actions that will forestall future occurrences.

· How are risk assessments handled?

Ballot Online needs to establish a procedure for conducting risk assessments in order to identify and address potential compliance risks.

Note: Well written except for the fact that the instructions called for a high-level outline and flowchart.

References

Stöber, T., Kotzian, P., & Weißenberger, B. E. (2019). Design matters: On the impact of compliance program design on corporate ethics. Business Research, 12(2), 383-424.

Andreisová, L. (2016). Building and maintaining an effective compliance program. International Journal of Organizational Leadership, 5(1), 24-39.

Abdullah, P. Y., Zeebaree, S. R., Shukur, H. M., & Jacksi, K. (2020). HRM system using cloud computing for Small and Medium Enterprises (SMEs). Technology Reports of Kansai University, 62(04), 04.

University of Maryland University College. (2019). Cloud Deployment Models. Retrieved from https://lti.umuc.edu/contentadaptor/page/topic?keyword=Cloud%20Deployment%20Models

University of Maryland University College. (2019). Federal Risk and Authorization Management

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/nist-cybersecurity-framework.html?ou=683956

http://techtarget.com

https://www.iso.org/standard/82875.html

Cloud Compliance. (n.d.). Retrieved February 17, 2019, from Techopedia: https://www.techopedia.com/definition/30551/cloud-compliance

Data Security. (2019). Retrieved from Techopedia: https://www.techopedia.com/definition/26464/data-security


Final Risk Assessment and Compliance Report

Name

University of Maryland Global Campus

CCA 610: Cloud Services and Technologies

Professor Richard Utter

November 23, 2021


Executive Summary

Cloud computing is an alternative way for BallotOnline to save cost by moving the on-premises data center to the cloud. However, there are some risks with moving to the cloud. The Final Risk Assessment and Compliance Report explains the threats and how BallotOnline needs to comply with geographic laws, election laws, data protection laws, and policies. This assessment is written for the executives of BallotOnline. The Final Risk Assessment and Compliance Report is a careful evaluation that details all the possible risks by analyzing them with a risk matrix and explaining how each risk can be avoided, mitigated, or accepted. Out of the top ten items listed as risks, most were unlikely to happen, and the risks that were likely to occur had tangible ways to mitigate, avoid, or transfer the risk. Most risks for the cloud data center are the same as for an on-premises data center.

The risk management guidelines list standards that BallotOnline must comply with to ensure the customers' data is safe. The standards or laws that will be used are the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the General Data Protection Regulation (GDPR), and the Cybersecurity Framework Election Infrastructure Profile (NISTIR 8310). The GDPR is a European Union law, but it can be used to protect all BallotOnline voters worldwide. This assessment covers the importance of protecting the voters' data to prevent legal actions or fines due to potential privacy issues. There are relevant security issues that apply to both on-premises and cloud-based data centers. Both the security issues and the mitigation methods are discussed in this assessment. Since BallotOnline will provide voting access to voters worldwide, BallotOnline must comply with local laws and regulations to protect the company from fines and penalties. The geographic, election industry, and data compliance requirements are discussed and reviewed. This assessment lists action plans and proposes a compliance program to prevent violating any laws or regulations. After meticulously evaluating all the risks, a governance, risk, and compliance roadmap is suggested as the official policy to mitigate the risks of moving BallotOnline to the cloud.

Risk Analysis

BallotOnline is taking some risks by moving to the cloud. The risks of moving data to the cloud are similar to those of having an on-premises data center. However, the benefits outweigh the potential risks. BallotOnline must work with the Cloud Service Provider (CSP) and within the regulations of the local country to mitigate those risks.

Risks can be listed in two main areas: external risks and internal risks. An external risk could come from a threat outside of the company. Examples of external risks are hackers trying to steal or destroy voter data, an internet outage, a power outage, a fire, or a flood. An internal risk could come from inside the company. Examples of internal risks are insider threat hackers, untrained programmers, or data loss. These are the same threats that could affect BallotOnline while using an on-premises data center. BallotOnline can face the same risks at a lesser cost and have greater reach using a CSP. Table 1 has the risk matrix based on the significant threats to BallotOnline.

| Risk | Threat | Result | Risk Detail | Odds | Impact | Risk Score | Response Action Type | Response Actions |
|---|---|---|---|---|---|---|---|---|
| Fire | Accidental or environmental | Equipment damaged and an outage | No fire suppression system or system cannot stop the fire | Unlikely | Major | Unacceptable Risk: Extremely High | Mitigate | Disaster recovery/failover |
| Loss of power | Accidental or environmental | Outage | Lack of access to voter information | Unlikely | Major | Unacceptable Risk: Extremely High | Mitigate | Disaster recovery/failover |
| Programming error | Training | Software or routing stop working | Voting software does not work or is not accessible | Likely | Major | Unacceptable Risk: Extremely High | Mitigate | This will be mitigated with training and testing |
| Passwords released | Adversarial outsider (e.g., hacker) | An unauthorized person gains access to BallotOnline | An unauthorized person can steal data or BallotOnline voting software | Unlikely | Major | Unacceptable Risk: Extremely High | Avoid | All logins will be with PKI certs. No passwords are allowed. |
| Denial of Service | Adversarial outsider (e.g., hacker) | Outage | Voters will not be able to vote. Admin will not be able to access the system | Unlikely | Moderate | Acceptable Risk: Medium | Transfer | Failover |
| Worldwide internet outage | Accidental or environmental | Outage | Voters will not be able to vote. Admin will not be able to access the system | Unlikely | Minor | Acceptable Risk: Low | Accept | Wait for the internet to recover |
| Internet outage at Cloud Provider | Accidental or environmental | Outage | Voters will not be able to vote. Admin will not be able to access the system | Unlikely | Minor | Acceptable Risk: Low | Transfer | Disaster recovery/failover. Also requiring the Cloud Provider to have different ISPs. |
| Data Breach | Adversarial outsider (e.g., hacker) | Stolen data with PII released to the public | Report breach to GDPR and voters | Likely | Major | Unacceptable Risk: Extremely High | Mitigate | Encrypt all data with strong encryption and PKI |
| Data Loss | Technological failure | Voter data lost | No backups of the data | Unlikely | Moderate | Acceptable Risk: Low | Avoid | Backup all files securely in three locations |
| Custom Software too complex | Training | Admin slow to move to the cloud | The admins do not have a complete understanding of how to move to the cloud | Very Likely | Major | Unacceptable Risk: Extremely High | Mitigate | Training |

Table 1
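Added here as a worked consistency check on Table 1 (not part of the original report): the ten rows are transcribed from the table, while the ordinal scales, the product scoring rule and the rating bands are assumptions chosen to reproduce the table's own ratings. Run stand-alone, it flags any row whose stated rating or response type does not fit the scale.

```python
"""Audit of the Table 1 risk matrix: recompute each rating from the Odds and
Impact columns and flag rows whose stated rating or response type does not fit.
Added example, not part of the original report; scales and bands are assumed."""

# Ordinal scales exactly as the table's Odds and Impact columns use them.
ODDS = {"Unlikely": 1, "Likely": 2, "Very Likely": 3}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3}

# The three rating labels that appear in the table's Risk Score column.
LOW = "Acceptable Risk: Low"
MEDIUM = "Acceptable Risk: Medium"
EXTREME = "Unacceptable Risk: Extremely High"

# Rows transcribed from Table 1: (risk, odds, impact, stated rating, response type).
TABLE_1 = [
    ("Fire", "Unlikely", "Major", EXTREME, "Mitigate"),
    ("Loss of power", "Unlikely", "Major", EXTREME, "Mitigate"),
    ("Programming error", "Likely", "Major", EXTREME, "Mitigate"),
    ("Passwords released", "Unlikely", "Major", EXTREME, "Avoid"),
    ("Denial of Service", "Unlikely", "Moderate", MEDIUM, "Transfer"),
    ("Worldwide internet outage", "Unlikely", "Minor", LOW, "Accept"),
    ("Internet outage at Cloud Provider", "Unlikely", "Minor", LOW, "Transfer"),
    ("Data Breach", "Likely", "Major", EXTREME, "Mitigate"),
    ("Data Loss", "Unlikely", "Moderate", LOW, "Avoid"),
    ("Custom Software too complex", "Very Likely", "Major", EXTREME, "Mitigate"),
]


def score(odds: str, impact: str) -> int:
    """Product of the two ordinal ranks, 1..9 (assumed scoring rule)."""
    return ODDS[odds] * IMPACT[impact]


def rate(odds: str, impact: str) -> str:
    """Map a (odds, impact) cell to one of the table's rating labels.

    Assumed banding: any Major impact is unacceptable whatever the odds
    (the table treats Fire and Loss of power that way although both are
    Unlikely); otherwise a score of 1 is Low and scores 2..4 are Medium.
    """
    if IMPACT[impact] == IMPACT["Major"]:
        return EXTREME
    return MEDIUM if score(odds, impact) >= 2 else LOW


def audit(rows) -> list:
    """Return one finding per row whose stated rating disagrees with the
    recomputed one, or whose response is 'Accept' for an unacceptable risk."""
    findings = []
    for risk, odds, impact, stated, response in rows:
        computed = rate(odds, impact)
        if computed != stated:
            findings.append(f"{risk}: table says '{stated}', scale gives '{computed}'")
        if response == "Accept" and stated == EXTREME:
            findings.append(f"{risk}: 'Accept' is not a valid response to an unacceptable risk")
    return findings


if __name__ == "__main__":
    for line in audit(TABLE_1) or ["Table 1 is internally consistent"]:
        print(line)
```

With the table as transcribed, the one row it flags is Data Loss, which is rated Low although it shares the Unlikely/Moderate cell with Denial of Service, rated Medium.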

The most important thing for BallotOnline is to protect the voters' data from internal and external risks. The data must remain unaltered to ensure it is correct and must be encrypted. If BallotOnline lost the voters' data, they would have to pay fines, and voters would lose confidence in the system.

Risk Management Guidelines

For BallotOnline to abide by local laws and cybersecurity governance, it must use cybersecurity standards to reduce the risks for the voters. BallotOnline should consider at least two cybersecurity standards as the baseline. The first standard for BallotOnline is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The second baseline for security is the General Data Protection Regulation (GDPR).

NIST was one of the original contributors to the United States cybersecurity industry standards for the cloud and made guidelines for protecting the use of computers for voting. NIST has an adaptive, risk-based framework that works in every step of an election cycle: the pre-election, election day, and post-election activities. NIST calls this the Cybersecurity Framework Election Infrastructure Profile, NISTIR 8310. NISTIR 8310 draws upon the experience of election participants and cybersecurity professionals worldwide to offer a way to secure all elements of election technology.

The GDPR is some of the strictest online security and privacy law in the world. Since BallotOnline is worldwide, using the GDPR as a baseline for cloud election security would abide by the laws in the European Union (EU). The GDPR is based on six principles: lawful basis and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. The GDPR protects the collecting, processing, and storage of the voters' data. Using both NIST and the GDPR as a baseline, BallotOnline will ensure the voters' information will be safe and secure.

Potential Privacy Issue and Mitigation Measures

Stolen data has become a common privacy issue in the past few years. A data breach at BallotOnline's CSP resulting in stolen data could cause reputation damage, fines, and criminal prosecution. If the voters' information is released, hackers could access their Personally Identifiable Information (PII), votes could be modified, etc. Since BallotOnline will operate in the EU, it will have to comply with the GDPR. It is also suggested that BallotOnline abide by the NIST framework. The best way to comply with the GDPR is to:

1. Understand the GDPR.

2. Identify and document the data BallotOnline has on the voters.

3. Review current data governance practices.

4. Check consent procedures.

5. Assign data protection leads.

6. Establish procedures for reporting breaches.

The best way to comply with the draft NISTIR 8310 is to:

1. Conduct and oversee voting period activities.

2. Prepare and maintain election systems.

3. Process and maintain voter registration.

4. Prepare for a specific election.

5. Perform ongoing election administration functions.

6. Conduct audits.

7. Conduct elections "wrap-up" activities.

8. Manage crisis/strategic communications.

9. Oversee office administration.

10. Maintain workforce.

Abiding by the GDPR and the NIST framework will provide checks and balances to keep all the voters' information safe. It will also prevent fines to BallotOnline, because following the GDPR and NIST will prevent voters' data from being released.

Relevant Security Issues

Every public-facing network with routers, servers, and computers is vulnerable to attacks. When a company has information a Cyber Threat Actor (CTA) wants, the CTA spends more time focusing on that target. Typical targets are banks, retail companies, and anywhere the CTA thinks they can make money, get bragging rights, or blackmail or extort the targeted company. Hackers targeting BallotOnline may want to make a political point, sow doubt in the election system, or be an Advanced Persistent Threat (APT) from a foreign government agency. There are many different types of attacks the APT and CTA use. The relevant security issues for BallotOnline are:

1. Ransomware – The CTA gains access to systems and locks the administrators out until a ransom is paid to unlock them.

2. APT – A continuous computer hacking process in which a cybercriminal (or CTA) carries out a prolonged attack against a specific target.

3. Distributed Denial of Service/Denial of Service (DDoS/DoS) – A cyberattack on a server, service, website, or network that floods it with Internet traffic to deny legitimate traffic, which would deny BallotOnline voters a chance to vote.

4. Phishing – A type of social engineering in which an attacker sends a fraudulent message to trick a human victim into revealing sensitive information or deploying malicious software, like ransomware, on the victim's infrastructure.

5. Data Breaches – A security violation in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized individual.

6. Insider Threat – A cyberattack originating from an individual who works for an organization or has authorized access to its networks or systems.

BallotOnline's move to the cloud presents threats not experienced with on-premises data centers. These risks are:

1. Physical Access – BallotOnline does not have physical access to the servers used by the CSP. The CSP poses an external insider threat.

2. PII Data in a Shared Multi-Tenant Environment – Using a public cloud solution puts voters' PII at risk because a multi-tenant environment is susceptible to a data breach.

3. Stolen Cloud Authentication Credentials – The CSP has limited access to the tenants in the cloud. Once the CSP is compromised, BallotOnline voter PII could also be compromised.

4. Internet-Accessible Management Application Programming Interface (API) – BallotOnline administrators do not have physical access to the servers' building, so servers are managed through internet-accessible APIs. API vulnerabilities pose a threat to BallotOnline's data by allowing CTA access.

The CSP must offer:

1. Data Security – Encrypt all data at rest, in use, and in transit. Digital certificates and signatures must be used as much as possible while limiting the use of passwords.

2. Data Access Security – A cloud identity management tool must be used to authenticate each user's access to user-specific data. Just-in-time access for administrators gives them access only for the time necessary to do the task, preventing anyone from having unlimited server rights all the time.

3. Physical Security – Ensure the CSP has a memorandum of understanding to restrict access to the servers that BallotOnline is using in the cloud.

4. Application and Infrastructure Security – All APIs, applications, virtual machines, and endpoint devices must be security-hardened to prevent attacks. All systems must be checked often for malware, ransomware, and viruses.

5. Network
