Assessment item 4 Privacy and Data Strategy

Assessment item 4
Privacy & Data Strategy
Value: 25%
Return Date: 28-Oct-2019
Submission method options: Alternative submission method
Task
Scenario
The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres.
As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). This means that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into the DAS centralised database. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.
Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:
• Purchase a HR and personnel management application from a US based company that provides a SaaS application.
o The application will provide DAS with a HR suite that will provide a complete HR suite which will also include performance management. The application provider has advised that the company’s main database is in California, with a replica in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider’s processing centre in Bangalore, India.
o Employee data will be uploaded from DAS daily at 12:00 AEST. This will be processed in Bangalore before being loaded into the main provider database.
o Employees will be able access their HR and Performance Management information through a link placed on the DAS intranet to the HR platform portal. Each employee will use their DAS digital ID to authenticate to the HR and Performance management system. The internal digital ID is generated by the DAS Active Directory instance and is used for internal authentication and authorisation.
o It is proposed that the link to the HR platform on the DAS Intranet will be an SSO (Single Sign On) link to the HR platform portal. Authentication will be made using the user’s agency ID credentials. DAS will need to use Active Directory Federated Services (ADFS) to federate to an Azure AD instance for authentication and authorisation. This authentication process will be validated with a SAML 2.0 certificate.
Tasks
After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to develop privacy and personal data protection strategies for DAS.
You are to write a report that proposes appropriate policies for DAS in the following areas:
1. Develop a Privacy strategy proposal for DAS. The strategy should include the following items:
a. Management of personal information,
b. Collection and management of solicited personal information,
c. Use and disclosure of personal information,
d. Use and security of digital identities,
e. Security of personal information,
f. Access to personal information,
g. Quality and correction of personal information.
2. The controls that you recommend that would:
a. Mitigate the previously identified privacy risks,
b. Implement the privacy strategy.
3. Develop a personal data protection strategy proposal for DAS. This strategy should include:
a. Protection of personal information,
b. Authorised access & disclosure of personal information,
c. Use of personal digital identities,
4. The controls that you recommend that would:
a. Mitigate the previously identified data security risks,
b. Implement the personal data protection strategy.

You are to provide a written report with the following headings:
• Privacy strategy for personal data
• Recommended privacy controls
• Personal data protection strategy
• Recommended personal data protection controls.

As a rough guide, the report should not be longer than about 5,000 words.

Rationale
This assessment task will assess the following learning outcome/s:
• be able to examine the legal, business and privacy requirements for a cloud deployment model.
• be able to evaluate the risk management requirements for a cloud deployment model.
• be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud.
• be able to develop and present a series of proposed security controls to manage the security and privacy of data deployed to the cloud.
• be able to develop and present a cloud governance framework to underpin the cloud operations for an enterprise.

Marking criteria and standards

Question HD DI CR PS FL
Q1. Privacy strategy for personal data (25 marks) Comprehensive development of policy covering all aspects, with excellent discussion of threats and risks to privacy of data Thorough development of policy covering most aspects, with proficient discussion of threats and risks to privacy of data Detailed development of policy covering most aspects, with good discussion of threats and risks to privacy of data Adequate development of policy covering some aspects, with some discussion of threats and risks to privacy of data Incomplete or inadequate development of policy covering few aspects, with little or no discussion of threats and risks to privacy of data
Q2. Recommended privacy controls (25 marks) Comprehensive evaluation and matching of privacy threats with controls showing excellent logical analysis Thorough evaluation and matching of privacy threats with controls showing proficient logical analysis Detailed evaluation and matching of privacy threats with controls showing good logical analysis Adequate evaluation and matching of privacy threats with controls showing satisfactory logical analysis Incomplete or inadequate evaluation and matching of privacy threats with few controls and little or no logical analysis
Q3. Personal data protection strategy (25 marks) Comprehensive evaluation and matching of data protection threats with controls showing excellent logical analysis Thorough evaluation and matching of data protection threats with controls showing proficient logical analysis Detailed evaluation and matching of data protection threats with controls showing good logical analysis Adequate evaluation and matching of data protection threats with controls showing satisfactory logical analysis Incomplete or inadequate evaluation and matching of data protection threats with few controls and little or no logical analysis
Q4. Recommended data protection controls (25 marks) Comprehensive evaluation and matching of data protection threats with controls showing excellent logical analysis Thorough evaluation and matching of data protection threats with controls showing proficient logical analysis Detailed evaluation and matching of data protection threats with controls showing good logical analysis Adequate evaluation and matching of data protection threats with controls showing satisfactory logical analysis Incomplete or inadequate evaluation and matching of data protection threats with few controls and little or no logical analysis
Referencing & Presentation Up to 5 marks may be deducted for incorrect or incomplete referencing
Up to 5 marks may be deducted for poor presentation, spelling and grammar

Presentation
You are to provide a written report with the following headings:
• Privacy strategy for personal data
• Recommended privacy controls
• Personal data protection strategy
• Recommended personal data protection controls.
As a rough guide, the report should not be longer than about 5,000 words.