The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres.
As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). This means that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into the DAS centralised database. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.
Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:
• Purchase a HR and personnel management application from a US based company that provides a SaaS application.
o The application will provide DAS with a HR suite that will provide a complete HR suite which will also include performance management. The application provider has advised that the company’s main database is in California, with a replica in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
o Employee data will be uploaded from DAS daily at 12:00 AEST. This will be processed in Bangalore before being loaded into the main provider database.
o Employees can access their HR and Performance Management information through a link placed on the DAS intranet. Each employee will use their internal agency digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by each agency’s Active Directory Instance and is used for internal authentication and authorisation.
• Purchase a Contractor management application from a German based company that provides a SaaS solution.
o This application will provide DAS with a suite of tools to on-board, manage, pay and off-board contractors who are contracted by DAS for specific work. The application provider has advised that the company’s main database is located in Heidelberg, Germany, with a replica in Dublin, Ireland. All configuration, maintenance, updates and feature releases are provided from the provider’s lab in Walldorf, Germany. The provider does not do any additional processing of data entered into the application.
o DAS employees enter the data directly into the application through a secure URL.
o Bulk contractor data can be uploaded daily through a secure data transfer application. DAS is responsible for ensuring that any data uploaded is correct and ready for use.
o Other Departments and Agencies can view and manage their own contractor data once it has been loaded by DAS staff.
• Move the DAS payroll to a COTS (Commercial Off The Shelf) application that it will manage in a public cloud;
o This application will provide DAS with the suite of tools necessary to process and manage payrolls for all agencies within DAS. The application provider has advised that their software is distributed throughout the AWS cloud with instances in US East, US West, Europe, Asia Pacific, China and South America.
o All configuration, maintenance, updates and feature releases are provided from the provider’s offices in San Francisco, Beijing, Singapore, Mumbai and Dublin.
o The provider does not do any additional processing of data entered into the application.
o DAS and Agency payroll staff may access the payroll application through a SSO (Single Sign On) link to a secure URL. Authentication is made using the user’s agency ID credentials. Each authorised user’s authentication credentials are uploaded to the application to allow them to logon and access their agency’s payroll.
o Data is uploaded to the application by each agency’s payroll staff for each agency staff member, but can also be uploaded in bulk using a CSV file. CSV files are uploaded using an upload link in the application.
o Completed payroll files are sent to the appropriate banking institutions through a secure link provided by each bank.
o Regular transaction and audit reports for each agency are available to both the agency and DAS payroll staff.
• Move the Departmental Intranet into a Microsoft SharePoint PaaS platform so that it can provide Intranet services to all agencies in WofG.
o This solution will provide DAS with the ability to provide Intranet services to WofG with each Department having its own site within the overall structure.
o The PaaS offering has been chosen as it gives the ability to configure it for all Departments within Government, and still allow users to access any of those individual sites.
o The application provider has advised that their software is distributed throughout the Azure cloud with instances in US East, US West, Europe, Asia Pacific, China and Australia.
o It is proposed that users with WofG will be able to access the platform through an SSO (Single Sign On) link to the platform portal. Authentication will be made using the user’s agency ID credentials . Each agency in WofG will need to use Active Directory Federated Services (ADFS) to federate to an Azure AD instance for authentication and authorisation. This auathentication process will be validated with a SAML 2.0 certificate.
o An individual agency’s web staff will be able to configure their own Agency site, within DAS guidelines, to reflect their own internal news, along with a range of WofG news provided by DAS.
After the successful engagement of your team to provide a security and privacy risk assessment for the DAS, the team has again been engaged to develop privacy and personal data protection strategies for DAS.
This assignment is the second of the team assignments for this subject. The rationale for using a team approach is that most IT policy formulations are normally conducted by teams of between 2-5 Architects, Information Security experts, Operations and Business leaders for each problem. You are already assigned to a team and the team, as a whole, will be responsible for the development of the policies.
Team Member Responsibilities
Each team member will be assessed on:
• The final privacy and personal data protection strategies presented by the team;
• The individual contributions that they have made to the policy formulation. This will be shown by the entries that they have made in the Team forum;
Team members should note that:
• A total of 20% of the total marks for this assignment are for individual contributions. These include:
o Contributions to the development of privacy and data protection policies (10%), and
o Reasoning behind the development of privacy and data protection policies (10%)
• A team member without any individual contributions in the Team Forum will be regarded as having not contributed to the risk assessment. This will result in either reduced marks or no marks being awarded to that team member for this assignment.
Your team is to write a report that proposes appropriate policies for DAS in the following areas:
1. Develop a Privacy strategy proposal for DAS. The strategy should include the following items:
1. Management of personal information,
2. Collection and management of solicited personal information,
3. Use and disclosure of personal information,
4. Use and security of digital identities,
5. Security of personal information,
6. Access to personal information,
7. Quality and correction of personal information.
2. The controls that you recommend that would:
1. Mitigate the previously identified privacy risks,
2. Implement the privacy strategy.
3. Develop a personal data protection strategy proposal for DAS. This strategy should include:
1. Protection of personal information,
2. Authorised access & disclosure of personal information,
3. De-identification of personal data,
4. Use of personal digital identities,
5. Security of personal data,
6. Archiving of personal data.
4. The controls that you recommend that would:
1. Mitigate the previously identified security risks,
2. Implement the personal data protection strategy.
The team is to provide a written report with the following headings:
• Privacy strategy for personal data
• Recommended Privacy controls
• Personal data protection strategy
• Recommended personal data protection strategy.
As a rough guide, the report should not be longer than about 8,000 words. The report is to be loaded into the Team Resource area in Interact.
All risk assessment discussions in the team forum should be exported into a single document and loaded into the Team Resource area in Interact.
It is suggested that the report should be written using Google Docs. Google Docs allows multiple authors to contribute to a single document, and their individual contributions can be assessed.
This assignment aligns with the following learning outcomes of this subject:
• be able to examine the legal, business and privacy requirements for a cloud deployment model;
• be able to evaluate the risk management requirements for a cloud deployment model;
• be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud;
• be able to develop and present a series of proposed security controls to manage the security and privacy of data deployed to the cloud;
Identifying, assessing and explaining threats, security and risk for computer applications in the real world requires that you interact with colleagues, peers and various stakeholders, therefore team work has been incorporated into these assessments to facilitate this.