Project #66591 - Cloud Security Policy

Project 6: Cloud Security Policy – PLEASE GO OFF THE GRADING RUBRIC AT THE END OF DIRECTIONS, THANKS.

This week you will prepare a cloud security policy. The first CIO of the US mandated that cloud services be implemented in organizations whenever possible. Review the scenario below and prepare a cloud security policy for the organization. Before starting your work on the policy, complete the following section readings from “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, sections 1.1, 1.3, 1.6, 1.8, and 1.9:

PROCESS-ORIENTED SECURITY REQUIREMENTS

1.1 NIST SP 800-53 SECURITY CONTROLS FOR CLOUD-BASED INFORMATION SYSTEMS: page 10
1.3 CLOUD CERTIFICATION AND ACCREDITATION: page 17
1.6 CLARITY ON CLOUD ACTORS SECURITY ROLES AND RESPONSIBILITIES: page 27
1.8 BUSINESS CONTINUITY AND DISASTER RECOVERY: page 31
1.9 TECHNICAL CONTINUOUS MONITORING CAPABILITIES: page 34
Background
A small non-profit organization (SNPO-MC) has received a grant which will pay 90% of its cloud computing costs for a five year period. But, before it can take advantage of the monies provided by this grant, it must present an acceptable cloud computing security policy to the grant overseers.

Tasking
You are a cybersecurity professional who is “on loan” from your employer, a management consulting firm, to a small non-profit organization (SNPO-MC). You have been tasked with researching requirements for a Cloud Computing Security Policy and then developing a draft policy for the non-profit organization, SNPO-MC. The purpose of this policy is to provide guidance to managers, executives, and cloud computing service providers. This new policy will supersede (replace) the existing Enterprise IT Security Policy, which focuses exclusively upon enterprise security requirements for organization owned equipment (including database servers, Web and email servers, file servers, remote access servers, desktop computers, workstations, and laptop computers) and licensed software applications. The enterprise IT security policy also addresses incident response and disaster recovery.

As part of your policy development task you must take into consideration the issues list which was developed during brainstorming sessions by executives and managers in each of the three operating locations for the non-profit organization.

Your deliverable for this project is a 5 to 8 page, single spaced, professionally formatted draft policy. See the following resources for suggested formats.

https://it.tufts.edu/cloud-pol
https://www.american.edu/policies/upload/IT-Security-Policy-2013.pdf

Organization Profile:
The organization is headquartered in Boston, MA and has two additional operating locations (offices) in New Orleans, LA and San Francisco, CA. Approximately 50 employees work in a formal office setting at one of these locations. These employees use organization owned IT equipment. The remaining 1,000 staff members are volunteers who work from their home offices using personally owned equipment.

The organization provides a variety of management consulting services for its clients (charities and non-governmental organizations) on a fee for service basis. Fees are set on a sliding scale based upon the client’s ability to pay. The organization receives additional funding to support its administrative costs, including IT and IT security, through grants and donations from several Fortune 500 companies.

The non-profit organization is in the process of hiring its first Chief Information Officer. The organization has a small (3 person) professional IT staff that includes one information security specialist. These staff members are located in the Boston headquarters office.

Definitions
Employees of the organization are referred to as employees.

Executives and other staff who are “on loan” from Fortune 500 companies are referred to as loaned staff members. Loaned staff members usually telework for the organization one to two days per week for a period of one year.

Volunteers who perform work for the organization are referred to as volunteer staff members. Volunteer staff members usually telework from their homes one to two days per week.

Cloud Computing includes but is not restricted to:

    • Platform as a Service
    • Infrastructure as a Service
    • Software as a Service

Issues List:

    • Who speaks with authority for the firm?
    • Who monitors and manages compliance with laws and regulations?
    • Ownership of content
    • Privacy and confidentiality
    • Enforcement
    • Penalties for violations of policy
    • Use by sales and marketing
    • Use by customer service / outreach
    • Use by public relations and corporate communications (e.g. information for shareholders, customers, general public)
    • Use for advertising and e-commerce
    • Use by teleworkers
    • Review requirements (when, by whom)
    • Use of content and services monitoring tools
    • Content generation and management (documents, email, cloud storage)
    • Additional issues listed in http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf

Resources (suggested by the organization’s IT Staff for your consideration):

  1. http://www.nsa.gov/ia/_files/support/Cloud_Computing_Guidance.pdf
  2. http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf
  3. http://www.sans.org/reading-room/whitepapers/analyst/cloud-security-compliance-primer-34910
  4. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

The documents below are useful resources in planning your cloud security policy:

Cloud Security: A Comprehensive Guide to Secure Cloud Computing
by Ronald L. Krutz and Russell Dean Vines
John Wiley & Sons © 2010 (384 pages), ISBN: 9780470589878
Chapter 3: Cloud Computing Software Security Fundamentals
http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=34770

NIST Guide to Information Technology Security Services at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=906567

25 point implementation plan to reform information technology
http://www.dhs.gov/sites/default/files/publications/digital-strategy/25-point-implementation-plan-to-reform-federal-it.pdf

Understanding Cloud Computing (NIST SP 500-291) and (NIST SP 500-292)
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909024
500-291 - Standards: Chapter 3 and Chapter 5.5

White Paper: “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory
Rubric Name: Project 6 Rubric

Each criterion is scored on six levels: Outstanding, Above Average, Average, Below Average, Poor, and No Submission.

Understanding of Cloud Services
    • Outstanding (17 points): Provided clarity and understanding of cloud services according to the 25 point implementation plan.
    • Above Average (13 points): Demonstrated excellent knowledge of cloud services and described the purpose of the 25 point implementation plan.
    • Average (10 points): Good overview of cloud services and description of the 25 point implementation plan.
    • Below Average (6 points): Fair evaluation of cloud services and some knowledge of the 25 point implementation plan.
    • Poor (3 points): Poor description of cloud services and limited analysis of the 25 point implementation plan.
    • No Submission (0 points): Not included or no submission.

Explanation of IaaS, PaaS, and SaaS
    • Outstanding (17 points): Thorough explanation and identification of IaaS, PaaS, and SaaS cloud services.
    • Above Average (13 points): Good explanation and identification of IaaS, PaaS, and SaaS cloud services.
    • Average (10 points): Fair explanation and identification of IaaS, PaaS, and SaaS cloud services.
    • Below Average (6 points): Poor explanation and identification of IaaS, PaaS, and SaaS cloud services.
    • Poor (3 points): Unsatisfactory explanation and identification of IaaS, PaaS, and SaaS cloud services.
    • No Submission (0 points): Not included or no submission.

Explanation of Criteria for different cloud deployments
    • Outstanding (17 points): Superior explanation of the criteria for private, hybrid, community, and public cloud deployments.
    • Above Average (13 points): Excellent explanation of the criteria for private, hybrid, community, and public cloud deployments.
    • Average (10 points): Good explanation of the criteria for private, hybrid, community, and public cloud deployments.
    • Below Average (6 points): Fair explanation of the criteria for private, hybrid, community, and public cloud deployments.
    • Poor (3 points): Poor explanation of the criteria for private, hybrid, community, and public cloud deployments.
    • No Submission (0 points): Not included or no submission.

Creation of policy
    • Outstanding (17 points): Created a policy based on the 25 point implementation plan for cloud services by addressing at least 20 key points in the plan.
    • Above Average (13 points): Created a policy based on the 25 point implementation plan for cloud services by addressing at least 15 key points in the plan.
    • Average (10 points): Created a policy based on the 25 point implementation plan for cloud services by addressing at least 10 key points in the plan.
    • Below Average (6 points): Created a policy based on the 25 point implementation plan for cloud services by addressing at least 5 key points in the plan.
    • Poor (3 points): Created a policy based on the 25 point implementation plan for cloud services and addressed fewer than 5 key points in the plan.
    • No Submission (0 points): Not included or no submission.

Cloud First mandate
    • Outstanding (17 points): Included an introduction and explanation of the “Cloud First” mandate according to the Federal CIO requirement.
    • Above Average (13 points): Explained the “Cloud First” mandate and referenced the Federal CIO requirement. Created a good introduction.
    • Average (10 points): Discussed the “Cloud First” mandate and referenced the Federal CIO requirement. Created a fair introduction.
    • Below Average (6 points): Fair discussion of the “Cloud First” mandate and referenced the Federal CIO requirement. Created a poor introduction.
    • Poor (3 points): Poor discussion of the “Cloud First” mandate and referenced the Federal CIO requirement. Created an inadequate introduction.
    • No Submission (0 points): Not included or no submission.

Grammar, Spelling, Punctuation
    • Outstanding (15 points): Fully complied with formatting requirements. Successfully completed all procedures in the assignment. Exceptional quality of the assignment with clear, concise, and meaningful content. Appropriate research conducted when necessary and resolution of the task. Content contained relevant citations to an accuracy of 90%. Reference citations were in the reference/bibliography list.
    • Above Average (12 points): Complied with formatting requirements. Completed all procedures in the assignment. Good quality of the assignment with clear, concise, and meaningful content. Research conducted when necessary and attempts at resolution included for the task. Content contained relevant citations to an accuracy of 80%. Reference citations were in the reference/bibliography list.
    • Average (9 points): Partially complied with formatting requirements. Partially completed the assignment. Average quality of the assignment with clear, concise, and meaningful content. Research attempted and resolution is incomplete. Content contained relevant citations to an accuracy of 70%. Reference citations were in the reference/bibliography list.
    • Below Average (6 points): Did not meet criteria for formatting requirements. Assignment is incomplete. Poor quality of the assignment and inadequate content. No research attempted and problem not fully resolved. Content contained relevant citations to an accuracy of 60%. Reference citations were in the reference/bibliography list.
    • Poor (3 points): Did not adhere to formatting requirements. Criteria for assignment not met. Poor quality of the assignment and incomplete content. No research attempted and problem not addressed. Content contained relevant citations to an accuracy of below 60%. Reference citations were in the reference/bibliography list.
    • No Submission (0 points): Not included or no submission.

Overall Score
    • Level 5: 29 or more
    • Level 4: 23 or more
    • Level 3: 17
Subject: Computer
Due By (Pacific Time): 04/29/2015 12:00 am
All Rights Reserved. Copyright by AceMyHW.com - Copyright Policy