Note: the whole assessment report must be written in the technical terms given in the above scenario.
Develop a PII strategy proposal for the MySupport portal. The strategy should consider the threats and risks to both Privacy and data protection for the PII data collected in the MySupport portal as well as possible controls to mitigate the identified risks. (20 marks)
· The threats and risks to both privacy and data protection for the PII data collected - make sub-points with explanation
· Controls to mitigate the identified risks - make sub-points with explanation. Brief summary
1. Develop an outline plan for the governance of: (development of a governance plan showing excellent logical analysis)
2. What is the outline plan for the governance?
PII data and digital identities for users of the MyLicence portal
Threats and Risks to Privacy and Data Protection in MySupport Portal
This part of the report discusses the threats and risks to privacy and data protection for the PII data collected in the government's MySupport portal. The threats and risks are presented as sub-points with explanations, followed by methods of mitigating them, also presented as sub-points with explanations.
The charity joined a cloud community to give its support staff and administrative users access to several applications. The primary function of the cloud community is to store 200 TB of the charity's data. PII data on the clients who use the charity's services is collected and stored in the cloud.
As demand for cloud storage to securely hold company data rises, so do the privacy threats to the data stored in the cloud (Arora, Parashar & Transforming, 2013). Some of the common threats to data privacy and data protection are as follows:
Loss of control over data: The main threat of sharing an organisation's data through third-party file-sharing services is loss of control over the data. The data is taken outside the company's IT environment, which means its privacy settings are outside the enterprise's control. Cloud storage backs up data in real time, so data that was never meant to be shared can be uploaded unknowingly and then accessed by unauthorised users. The best way of mitigating this threat is to encrypt the data that is uploaded to the cloud storage (Dinh et al., 2013).
Threat of data leak: Fear of data leaking from the cloud storage servers is the main concern for organisations adopting cloud services. The cloud is a multi-user environment in which resources are shared. Because the cloud is a third-party service, there is a fear of data being mishandled or viewed by the cloud service provider. External threats that can lead to data leakage include malicious hacks of the cloud provider and compromise of cloud user accounts (Hashem et al., 2013).
Controls to Mitigate Identified Risks
Threat to privacy from employees' use of individual devices: Cloud services give employees the opportunity to work on their own devices, which increases the threat to data privacy (Fernando, Loke & Rahayu, 2013). When the data on an employee's device is not properly managed, it can raise significant security issues. Data can fall into the hands of unauthorised users when employees' devices are stolen or misused (Li et al., 2013).
Threat of snooping: Files stored in cloud storage are highly susceptible to hacking and mishandling. Another risk factor is that the data is transmitted over the internet. The data can be intercepted in transit even though it is transferred with encryption (Rittinghouse & Ransome, 2016).
Improper management of keys: Managing cryptographic keys is a major problem for an organisation, and with the introduction of cloud computing the difficulty of managing keys increases significantly. This is the main reason to maintain the keys properly and effectively. Key management processes can be secured through an automated, inconspicuous and active approach to key management.
Theft of cloud credentials: The major advantage of the cloud is that it provides unlimited storage to users. Securing the organisation's data along with its customers' data can lead to privacy threats, and credentials for cloud users are used to mitigate them. The main security issue is that the credentials are themselves stored in the cloud storage, and their security depends on users' password-creation habits. If credentials are compromised, the attackers might not gain access to the original data, but they can gain the ability to copy or delete the files. The best way of overcoming this threat is to encrypt sensitive data and secure the unique credentials (Garg, Versteeg & Buyya, 2013).
Malicious insiders: This threat arises from within the organisation, from an individual with malicious intent. If that individual has access to the cloud storage, they can cause extensive damage to the data stored there. Companies often face data breaches from within the organisation. The most common method of mitigating this risk is third-party audits, which are very useful for identifying anomalies that signal a problem within the organisation (Xiao, Song & Chen, 2013).
Outline Plan for the Governance of PII Data and Digital Identities for MyLicence Portal
With the growth of the internet and of organisations' need for cloud storage, the network must be properly governed to identify and prevent the various kinds of data breach threat. The seriousness of a data breach can be reduced by implementing policies on the physical and virtual systems of the cloud. If a breach occurs, exposed data can be protected by encryption. Some proactive measures to prevent data breaches are:
Intrusion detection: The first step in preventing data breaches is identifying anomalies in the system. Actively monitoring and blocking intrusions is the first layer of defence for the firewall. SIEM (Security Information and Event Management) offers forensic analysis that can be used to verify whether access attempts in a particular network are legal or illegal. Intrusion detection systems in cloud computing are divided into four types:
Network-based intrusion detection system: This variety of IDS captures the traffic of the entire network and analyses it to detect intrusions such as port scanning and denial of service (DoS) attacks. It performs the detection by processing the IP and transport-layer headers of the captured network packets (Hashizume et al., 2013).
Host-based intrusion detection system: A host-based IDS (HIDS) uses information collected from a particular host and analyses it to detect anomalies. The information can be audit trails or operating system logs. If the HIDS detects an anomaly, it reports the change to the network manager.
VMM-based intrusion detection system: This is also called a hypervisor-based IDS. The hypervisor provides a platform for communication between the VMs, and this variety of IDS is implemented in the hypervisor layer. It analyses the information accessible there to detect anomalies in the system.
Distributed IDS: This type of intrusion detection system consists of several IDSs deployed across a broad network to monitor the system traffic for anomalies.
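The header-based detection that the network-based IDS item describes can be sketched as follows. This is an added example, not part of the original report: the `PacketHeader` record, the window and both thresholds are assumptions, and the traffic is constructed from documentation address ranges.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketHeader:
    """Only the IP and TCP header fields the detector needs (hypothetical record)."""
    ts_ms: int      # capture time in milliseconds
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW_MS = 10_000    # sliding window length
SCAN_PORTS = 15       # distinct ports one source probes on one host
FLOOD_SYNS = 100      # connection attempts against one service


def detect(headers, window_ms=WINDOW_MS, scan_ports=SCAN_PORTS, flood_syns=FLOOD_SYNS):
    """Return [(kind, subject, ts_ms)], one alert per subject, in time order."""
    per_pair = defaultdict(deque)      # (src, dst) -> (ts, port) of recent SYNs
    per_service = defaultdict(deque)   # (dst, port) -> ts of recent SYNs
    alerted, alerts = set(), []

    def raise_once(kind, subject, ts):
        if (kind, subject) not in alerted:
            alerted.add((kind, subject))
            alerts.append((kind, subject, ts))

    for h in sorted(headers, key=lambda p: p.ts_ms):
        if not h.syn or h.ack:
            continue  # only connection attempts (SYN without ACK) are counted

        # Port scan: one source touching many distinct ports of one host.
        pair = (h.src_ip, h.dst_ip)
        probes = per_pair[pair]
        probes.append((h.ts_ms, h.dst_port))
        while h.ts_ms - probes[0][0] > window_ms:
            probes.popleft()
        if len({port for _, port in probes}) >= scan_ports:
            raise_once("port_scan", pair, h.ts_ms)

        # SYN flood (DoS): many attempts against one service from any source.
        service = (h.dst_ip, h.dst_port)
        attempts = per_service[service]
        attempts.append(h.ts_ms)
        while h.ts_ms - attempts[0] > window_ms:
            attempts.popleft()
        if len(attempts) >= flood_syns:
            raise_once("syn_flood", service, h.ts_ms)
    return alerts


def build_sample():
    """Constructed traffic using documentation address ranges (RFC 5737)."""
    pkts = []
    # Ordinary client: five HTTPS connections, each answered with SYN+ACK.
    for i in range(5):
        pkts.append(PacketHeader(i * 1000, "198.51.100.7", "192.0.2.10", 443, True, False))
        pkts.append(PacketHeader(i * 1000 + 5, "192.0.2.10", "198.51.100.7", 51000 + i, True, True))
    # Scanner: 25 ports on one host, 100 ms apart.
    for i in range(25):
        pkts.append(PacketHeader(5000 + i * 100, "203.0.113.50", "192.0.2.10", 20 + i, True, False))
    # Slow but legitimate: 15 ports spread over minutes, never 15 in one window.
    for i in range(15):
        pkts.append(PacketHeader(i * 20_000, "198.51.100.9", "192.0.2.20", 8000 + i, True, False))
    # Flood: 120 SYNs to one web service from 50 rotating sources.
    for i in range(120):
        pkts.append(PacketHeader(20_000 + i * 10, f"203.0.113.{100 + i % 50}", "192.0.2.30", 80, True, False))
    return pkts


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The slow client touches as many ports as the scan threshold but never within one window, which is why the detector counts distinct ports per sliding window rather than per source overall.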
Traffic monitoring: Monitoring a network to keep track of the individuals accessing its files and services is known as traffic monitoring. Log management is commonly used to identify trusted IP addresses, users, and locations. If an organisation is capable of forestalling traffic, it can create specific rules to block particular sources, prevent access to suspicious files, and create an actionable audit trail of the activities (Jain & Paul, 2013).
Identity management: This method is also known as provisioning. It lets an organisation control access to its data and ensures that only authorised users can gain access. User rights are controlled through effective provisioning, and automatic de-provisioning protects the company from unauthorised individuals (Krishna, 2013).
Credentialing and authentication: Also known as access management. This protection layer goes beyond password administration and can deflect a potential data breach by ensuring that access to information is controlled by a minimum of two credentials.
It can be concluded that the threats to privacy and data protection in cloud storage are loss of control over data, data leaks, threats to privacy from employees' use of individual devices, snooping, improper management of keys, improper management of cloud credentials, and malicious insiders. The mitigation techniques that can be used against these threats are intrusion detection, traffic monitoring, identity management, and credentialing and authentication.
A governance plan denotes the processes and roles of an enterprise that serve as a guideline for fulfilling, sustaining, and extending IT planning. A governance plan crosses all layers of the organisation, including stakeholders, management, preservation, approach, support, and policy (Botta et al., 2016). Usually, an organisation appoints a governing body to oversee the governance plan and its procedures and processes, making sure that all structures of the organisation are aligned for data security and accuracy. IT planning is streamlined with the help of a governance plan (Wei et al., 2014). Common approaches to governance are:
- Planning tools
- Capability maps
- Tools for gap analysis
- Analysis and modelling tools
- Reporting tools
Limit data access: The organization provides information to a huge number of users who access the portal. The company's executives know nothing about the individual users who have liberal access to the portal's data, which creates a severe risk of data loss, hacking, and theft. The company should therefore determine what data each user needs and make sure that the user has access only to that information. These limitations help the company handle the data effectively and efficiently and protect it from loss or theft (Gao et al., 2013).
Identification of sensitive data: It is essential for companies to know where their most essential data resides. This helps ensure the validity of the information in the company's possession and allows more resources to be allocated to protecting crucial and sensitive assets (Harron et al., 2014). A compromise of the company's PII data can leak sensitive information about the portal's users, damage the company's reputation, and cause severe loss of revenue.
Pre-planned data security policy: Proper data security policies need to be implemented to ensure data security. The policies help in handling critical situations and are of extensive help when responding to an incident (Kuiler, 2014). With policies in place, the company can react quickly to limit the impact of a cyber attack. As with rights and access management, users' access can be identified easily and the company can be aware of any potential breach by users in the company.
Secure and strong passwords for every user: Users' sensitive data can be secured using strong passwords (Ackerman, 2013). The major benefit of a strong password is that it can resist several password-hacking tools that are used to crack passwords and steal data. Users must be provided with secure passwords to make sure the sensitive data is safe (Mivule, 2013).
Efficient data backup and update: The most crucial acts in securing the company's data and maintaining the rules are updates and data backup. Users' credentials should be updated regularly with secure protection measures so that no outdated protection measures are handling users' sensitive data (Crawford & Schultz, 2014). Regular data backup helps restore up-to-date data after damage to the physical components of the system or after data theft (Crawford & Schultz, 2014). The company can then retrieve the data easily without sustaining a huge loss.
Use of share-level and file-level security: Another way to secure the data on the portal is to set permissions at every level of the data. Data stored in network shares can be secured by setting share permissions that control which user accounts can access the files over the network (Weiss & Miller, 2015).
Password protection of documents: This is a common method of protecting data on the network. Each document is given a unique password so that the integrity of the data is maintained in transit over the network and only properly authenticated users can access it, which reduces the probability of document theft (Pardos & Kao, 2015).
Use of EFS encryption: The files in storage are encrypted and a suitable key is provided to users to make sure that only authorized users can access the data. EFS combines symmetric and asymmetric encryption to ensure both security and performance (Raghunathan, 2013).
Account eligibility: Users of the MyLicense portal have an account validity of 3 years. If an account is not accessed for three years, it is blocked or dumped. All queries and suggestions must be posted in the MyLicense portal with proper identification, which makes it easy to contact the user about grievances (Jung et al., 2013).
Account request forms: When a new user wants to access the portal, they have to authenticate themselves as a genuine user by visiting the links they are sent when they apply for access to data in the portal (Do, Martini & Choo, 2015).
Password expiration: Users' passwords need to be updated at regular intervals to make sure data security is maintained. The supplier can provide users with passwords, or users can create their own passwords for convenience (Terzi, Terzi & Sagiroglu, 2015).
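The three account rules above (three-year inactivity block, verification through the request link, regular password renewal) can be checked together in one periodic audit. This is an added example, not code from the original report or the portal: the `Account` fields are hypothetical, the accounts are constructed, and the 90-day password interval is an assumption because the report does not state one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_YEARS = 3                     # stated in the account eligibility rule
PASSWORD_MAX_AGE = timedelta(days=90)    # assumption: the report gives no interval


@dataclass(frozen=True)
class Account:
    user: str
    created: date
    verified: bool                 # applicant followed the link sent on request
    last_access: Optional[date]    # None if the account was never used
    password_set: date


def years_after(d, years):
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review(acct, today):
    """Return the single action the account needs today."""
    if not acct.verified:
        return "pending_verification"   # no access until the link is visited
    last_seen = acct.last_access or acct.created
    if today >= years_after(last_seen, INACTIVITY_YEARS):
        return "block_inactive"         # de-provision; password age is moot
    if today - acct.password_set > PASSWORD_MAX_AGE:
        return "expire_password"        # force a reset at next sign-in
    return "ok"


def audit(accounts, today):
    """Map each user to the action required on `today`."""
    return {a.user: review(a, today) for a in accounts}


# Constructed sample accounts.
SAMPLE = [
    Account("alice", date(2019, 5, 1), True, date(2024, 2, 20), date(2024, 1, 10)),
    Account("bob", date(2018, 1, 15), True, date(2021, 3, 3), date(2021, 3, 1)),
    Account("carol", date(2018, 1, 15), True, date(2021, 3, 4), date(2023, 11, 1)),
    Account("dave", date(2024, 2, 25), False, None, date(2024, 2, 25)),
    Account("erin", date(2017, 6, 1), True, date(2020, 2, 29), date(2020, 2, 1)),
]

if __name__ == "__main__":
    for user, action in audit(SAMPLE, date(2024, 3, 3)).items():
        print(f"{user}: {action}")
```

Never-used accounts are measured from their creation date, so an approved but abandoned account is still blocked after three years.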
Therefore, it can be concluded that the data stored in the MyLicense portal can be secured by several methods. These methods can be set out for users to follow, and the procedures and guidelines can ensure data integrity in the MyLicense portal.
Use of public key infrastructure: PKI is the system for managing digital certificates and private/public key pairs (Jam et al., 2014). Because the keys and certificates are always issued by a trusted third party, the security is stronger.
Protection of data in transit with IP security: This is a method of encrypting data to achieve confidentiality. Policies are created and filters are applied to the data to add an extra layer of security (Arasu et al., 2015).
Use of cryptographic keys in the data: Data can be protected with secure cryptographic keys that maintain its security in transit and produce secure communication (Kum & Ahalt, 2013). Data in the MyLicense portal can be secured with cryptographic keys while information is transmitted to users.
Addition of a web application firewall: A firewall in front of the portal's data adds extra security. The firewall prevents unauthorized users from accessing the portal: it provides access to authorized users and prevents the use of confidential data by unauthorized users (Lafuente, 2015).
Clean up credentials: Users' credentials should be maintained properly. Users who do not need regular access to the data should be removed. HR personnel should be allowed access to all the data, as it helps in reviewing the real-time data.
Set strict boundaries for internal security: Boundaries on the data help manage users' access and create steps of access for the data (Beiter et al., 2014). The confidentiality of the data can be maintained, and users who do not need access to particular data can be excluded.
Ensuring movement of data using encryption: Data is commonly moved either with or without encryption (Sedayao, Bhardwaj & Gorade, 2014). Data being transmitted to the people who need access to it is at risk of being hacked or stolen. With encryption, the data can be secured and properly transmitted to users, as well as stored in the database for use by management-level employees.
Access to data centers: Access to all data stored in hardware or software should be limited. The members responsible for maintaining the data should have access to it. The access records should be monitored and reviewed by management regularly.
Access to systems: Systems that are no longer in use should be removed, as they contain sensitive information that can harm the portal's users if it is accessed by malicious users. The data from the HR department contains all the information about the users registered in the portal, and strict security measures should be applied to it to maintain its integrity.
Procedures of departments: Departments should have properly implemented procedures for evaluating requests from users who ask for access to data. These departments should ensure that data is disclosed to authorized users only.
Two-step verification for staff: Two-step verification should be implemented in the security measures of the systems to ensure that access is given to authorized users. It adds an extra layer of security to the data stored in the system and creates barriers around the sensitive data.
Code of conduct for staff: The code of conduct applies to all ICT resources and IT infrastructure. It ensures proper access to data by staff and protects confidential data from employees who do not need access.
Identification of sensitive data: It is essential for companies to know where their most essential data resides. This helps ensure the validity of the information in the company's possession and allows more resources to be allocated to protecting crucial and sensitive assets.
Use of access authorization: Staff should be given proper access authorization to the data. This helps the company function properly, as each member of staff will have enough data to do their work. Proper authorization is necessary to ensure that access is given to authorized staff of the company.
Security measures for staff: Staff hired by the company should be subject to strict procedures regarding access to personal data, by means of a formal contract in line with several provisions of the Data Protection Acts. Contract terms and undertakings should be subject to audit and review to ensure compliance.
Acceptable Usage Policy for staff: This policy ensures that data is used in a manner acceptable to the organization. Staff who require access to the data should be properly authenticated, and access should be provided with strict security measures.
Training of staff: When the company hires new staff, they should be properly trained in the methods of maintaining and securing the data stored in the systems. Through training, staff gain knowledge of the methods and procedures for working under the strict policies and security measures. Accurate information should be given to staff so that they can work effectively in the organization.
Duty of staff: When the company's systems are not in use, staff should shut them down properly to protect the data stored on them. An idle system can be subject to serious security threats such as data loss or data theft.
Therefore, it can be concluded that the MyLicence portal created by the government can be helpful to users, as they can have easy access to large amounts of data. The charity's intent to move to cloud computing can help store users' data in a secure place for further use. Some of the common threats to cloud computing are loss of control over data, snooping, malicious insiders, theft of cloud credentials, and improper management of keys. These threats pose a severe security risk in the management of cloud data. Some of the mitigation techniques used against these threats are intrusion detection, traffic monitoring, identity management, and credentialing and authentication.
Ackerman, L. (2013). Mobile health and fitness applications and information privacy. Privacy Rights Clearinghouse, San Diego, CA.
Arasu, A., Eguro, K., Joglekar, M., Kaushik, R., Kossmann, D., & Ramamurthy, R. (2015, April). Transaction processing on confidential data using cipherbase. In Data Engineering (ICDE), 2015 IEEE 31st International Conference on (pp. 435-446). IEEE.
Arockiam, L., & Monikandan, S. (2013). Data security and privacy in cloud storage using hybrid symmetric encryption algorithm. International Journal of Advanced Research in Computer and Communication Engineering, 2(8), 3064-3070.
Arora, R., Parashar, A., & Transforming, C. C. I. (2013). Secure user data in cloud computing using encryption algorithms. International journal of engineering research and applications, 3(4), 1922-1926.
Beiter, M., Mont, M. C., Chen, L., & Pearson, S. (2014). End-to-end policy based encryption techniques for multi-party data management. Computer Standards & Interfaces, 36(4), 689-703.
Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2016). Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, 684-700.
Crawford, K., & Schultz, J. (2014). Big data and due process: Toward a framework to redress predictive privacy harms. BCL Rev., 55, 93.
Dinh, H. T., Lee, C., Niyato, D., & Wang, P. (2013). A survey of mobile cloud computing: architecture, applications, and approaches. Wireless communications and mobile computing, 13(18), 1587-1611.
Do, Q., Martini, B., & Choo, K. K. R. (2015). A forensically sound adversary model for mobile devices. PloS one, 10(9), e0138449.
Fernando, N., Loke, S. W., & Rahayu, W. (2013). Mobile cloud computing: A survey. Future generation computer systems, 29(1), 84-106.
Gao, Y., Guan, H., Qi, Z., Hou, Y., & Liu, L. (2013). A multi-objective ant colony system algorithm for virtual machine placement in cloud computing. Journal of Computer and System Sciences, 79(8), 1230-1242.
Garg, S. K., Versteeg, S., & Buyya, R. (2013). A framework for ranking of cloud computing services. Future Generation Computer Systems, 29(4), 1012-1023.
Harron, K., Wade, A., Gilbert, R., Muller-Pebody, B., & Goldstein, H. (2014). Evaluating bias due to data linkage error in electronic healthcare records. BMC medical research methodology, 14(1), 36.
Hashem, I. A. T., Yaqoob, I., Anuar, N. B., Mokhtar, S., Gani, A., & Khan, S. U. (2015). The rise of “big data” on cloud computing: Review and open research issues. Information Systems, 47, 98-115.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of internet services and applications, 4(1), 5.
Jain, R., & Paul, S. (2013). Network virtualization and software defined networking for cloud computing: a survey. IEEE Communications Magazine, 51(11), 24-31.
Jam, M. R., Khanli, L. M., Javan, M. S., & Akbari, M. K. (2014, October). A survey on security of Hadoop. In Computer and Knowledge Engineering (ICCKE), 2014 4th International eConference on (pp. 716-721). IEEE.
Jung, T., Li, X. Y., Wan, Z., & Wan, M. (2013, April). Privacy preserving cloud data access with multi-authorities. In INFOCOM, 2013 Proceedings IEEE (pp. 2625-2633). IEEE.
Krishna, P. V. (2013). Honey bee behavior inspired load balancing of tasks in cloud computing environments. Applied Soft Computing, 13(5), 2292-2303.
Kuiler, E. W. (2014). From Big Data to Knowledge: An Ontological Approach to Big Data Analytics. Review of Policy Research, 31(4), 311-318.
Kum, H. C., & Ahalt, S. (2013). Privacy-by-design: Understanding data access models for secondary data. AMIA Summits on Translational Science Proceedings, 2013, 126.
Lafuente, G. (2015). The big data security challenge. Network security, 2015(1), 12-14.
Li, M., Yu, S., Zheng, Y., Ren, K., & Lou, W. (2013). Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE transactions on parallel and distributed systems, 24(1), 131-143.
Mivule, K. (2013). Utilizing noise addition for data privacy, an overview. arXiv preprint arXiv:1309.3958.
Pardos, Z. A., & Kao, K. (2015, March). moocRP: An open-source analytics platform. In Proceedings of the Second (2015) ACM Conference on Learning@Scale (pp. 103-110). ACM.
Raghunathan, B. (2013). The complete book of data anonymization: from planning to implementation. Auerbach Publications.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.
Sedayao, J., Bhardwaj, R., & Gorade, N. (2014, June). Making big data, privacy, and anonymization work together in the enterprise: experiences and issues. In Big Data (BigData Congress), 2014 IEEE International Congress on (pp. 601-607). IEEE.
Terzi, D. S., Terzi, R., & Sagiroglu, S. (2015, December). A survey on security and privacy issues in big data. In Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for (pp. 202-207). IEEE.
Wei, L., Zhu, H., Cao, Z., Dong, X., Jia, W., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation in cloud computing. Information Sciences, 258, 371-386.
Weiss, N. E., & Miller, R. S. (2015, February). The target and other financial data breaches: Frequently asked questions. In Congressional Research Service, Prepared for Members and Committees of Congress February (Vol. 4, p. 2015).
Xiao, Z., Song, W., & Chen, Q. (2013). Dynamic resource allocation using virtual machines for cloud computing environment. IEEE Trans. Parallel Distrib. Syst., 24(6), 1107-1117.
My Assignment Help. (2020). Developing A PII Strategy Proposal For MySupport Portal. Retrieved from https://myassignmenthelp.com/free-samples/itc568-cloud-privacy-and-security-8.