Assignment
Scenario
You are the Senior Systems Administrator for a community based Charity. The Charity is involved in locating and providing accommodation, mental health services, training and support services to disadvantaged people in the community.
The Charity currently runs a small data centre that has some 50 x86 64 bit servers running mainly Windows Server 2008 R2 for desktop services, database and file services. It also has about 10 Red Hat Enterprise Linux 5 servers for public facing Web pages, services and support.
The Charity is considering joining a community cloud provided by a public cloud vendor in order to provide a number of applications to all 500 support staff and administrative users. A small number of the Charity's applications are mission critical and the data that those applications use is both confidential and time sensitive.
The community cloud would also be used to store the Charity's 200TB of data. The data would be held in a SaaS database run by the public cloud vendor. The Charity's data contains a considerable amount of confidential information about the people to whom the Charity provides services.
The Charity collects PII data on the clients who use its services so that it can assist them to manage their different service requirements. This PII data also includes holding some digital identity data for some of the more disadvantaged clients, particularly if they also have mental health issues.
The cloud vendor has made a presentation to management that indicates that operational costs will drop dramatically if the cloud model is adopted. However, the Board of the Charity is concerned with the privacy and security of the data that it holds on the people that it provides services to in the community. It is concerned that a data breach may cause considerable damage to substantially disadvantaged people in the community.
The Board asks that you prepare a report that proposes appropriate privacy and security policies for the Charity's data.
The task:
Your team is to write a report that proposes appropriate policies for the Charity in the following areas:
1. Conduct a risk assessment for the Charity's data. Consider the data and information that Charity holds on its clients in its current system.
a. Establish the existing threats and risks to the security of that data and information contained in the in house database.
b. Are there any other risks and threats to the client data after migration to an SaaS application?
c. Assess the resulting severity of risk and threat to client data.
2. What are the threats and risks to the digital identities of the Charity's clients from the move to a SaaS database?
3. Develop a Privacy strategy proposal for the Charity. The strategy should include the following items:
a. Management of personal information,
b. Collection and management of solicited personal information,
c. Use and disclosure of personal information,
d. Use and security of digital identities,
e. Security of personal information,
f. Access to personal information,
g. Quality and correction of personal information.
4. Develop a personal data protection strategy proposal for the Charity. This strategy should include:
a. Protection of personal information,
b. Authorised access & disclosure of personal information,
c. De-identification of personal data,
d. Use of personal digital identities,
e. Security of personal data,
f. Archiving of personal data.
You are to provide a written report with the following headings:
• Data Risk assessment
• Privacy strategy for personal data
• Personal data protection strategy.