See the attached documents. Questions and instructions are in the file titled “Questions and Instructions”.
2/2/22, 5:26 PM Service Level Agreement (SLA)
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/service-level-agreement–sla-.html?ou=622270 1/1
Learning Topic
Service Level Agreement (SLA)
A service-level agreement (SLA) is an official commitment between an internal or external
service provider and the end user.
SLAs define the level of service expected from the service provider regarding issues such
as quality, availability, and responsibilities.
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.
2/2/22, 5:33 PM Risk Guidelines
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-guidelines.html?ou=622270 1/2
Learning Topic
Risk Guidelines
Entities such as the National Institute of Standards and Technology (NIST), International
Organization of Standards (ISO), the US Department of Defense, and the US Government
Accountability Office produce guidelines for managing risk in cloud environments. These
guidelines may contain analysis of risk vectors and recommended mitigation measures.
The ISO 31000 Standard Risk Management: Principles and Guidelines (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/TheISO3100StandardRiskManagement_PrinciplesandGuidelines_checked ?ou=622270)
NIST Security and Privacy Controls: Fundamentals and Procedures (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/NISTSecurityandPrivacyControls_FundamentalsandProcedures_checked ?ou=622270)
Federal Risk and Authorization Management Program (FedRAMP) (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/federal-risk-and-authorization-management-program–fedramp-.html?ou=622270)
Risk Management with ISO 31000 (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/risk-management-with-iso-31000.html?ou=622270)
2/2/22, 5:30 PM
NIST Cybersecurity Framework
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/nist-cybersecurity-framework.html?ou=622270 1/3
Learning Topic
NIST Cybersecurity Framework
Executive Order 13636, issued in February 2013, established a requirement for the
development of a voluntary risk-based cybersecurity framework. The resultant framework
includes industry standards and best practices to help organizations manage cybersecurity
risks.
The framework was created under the leadership of the National Institute of Standards
and Technology (NIST), which facilitated collaboration between government and the
private sector to develop a baseline to address and manage cybersecurity risk in a cost-
effective way based on business needs without placing additional regulatory requirements
on businesses. The framework is in use today, providing a starting point for entities to
implement cybersecurity measures for their organizations.
Authentication schemes can combine several factors. Higher levels of security are generally associated with more factors (multifactor authentication); for example, two-factor authentication might pair a token with a password. Kerberos is an authentication protocol made up of two components: a ticket (distributed by a service) for user authentication and a key derived from the user's password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user's password to authenticate.
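The CHAP challenge-response described above, as an added example that is not part of the UMGC page: the exchange below follows RFC 1994 (MD5 variant), with the authenticator issuing a random challenge and the peer answering with a hash over the identifier, the shared secret and the challenge, so the password itself never crosses the wire. The `Authenticator`, `Peer` and `run_exchange` names and the demo secret are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Added example, not taken from the UMGC page: a minimal CHAP-style exchange
# following RFC 1994 (MD5 variant). Both sides hold the shared secret; only the
# challenge and MD5(identifier || secret || challenge) cross the wire.

# Constructed demo secret. In a real deployment this is the user's password or a
# per-peer secret held by the authenticator.
SHARED_SECRET = b"constructed-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh random challenge and verifies the response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = {}  # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int) -> bytes:
        """Message 1 (Challenge): a random 16-byte value tied to the identifier."""
        chal = secrets.token_bytes(16)
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Message 3 (Success/Failure): recompute the hash and compare in constant time.

        The challenge is consumed on first use, so a captured response presented
        a second time no longer matches any outstanding challenge.
        """
        chal = self._pending.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Message 2 (Response)."""
        return chap_response(identifier, self._secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer, identifier: int = 1) -> dict:
    """Drive one challenge/response round and return what went over the wire."""
    challenge = auth.challenge(identifier)
    response = peer.respond(identifier, challenge)
    return {
        "challenge": challenge,
        "response": response,
        "authenticated": auth.verify(identifier, response),
    }


if __name__ == "__main__":
    auth = Authenticator(SHARED_SECRET)
    print(run_exchange(auth, Peer(SHARED_SECRET))["authenticated"])   # True
    print(run_exchange(auth, Peer(b"wrong-secret"))["authenticated"])  # False
```

Two properties are worth noticing from the defender's side: the authenticator consumes each challenge on first use, so a response captured from one session cannot be replayed, and it has to hold the secret in recoverable form to recompute the hash, which is why CHAP secrets need at least the protection given to the password store. MD5 is what RFC 1994 specifies for CHAP, not a choice to carry into new designs.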
Focus your study on the first 17 pages of the following resource.
NIST Cybersecurity Framework (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/PolicyCreationNISTFramework ?ou=622270)
Check Your Knowledge
Choose the best answer to each question:
Question 1
The NIST framework was established under which of the following orders?
FISMA
PDD-23
EO 13636
NIST 800-53
Question 2
Which of the following best describes the NIST framework?
It is a mandatory risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary asset-based framework—a set of industry standards and best practices meant to help identify cybersecurity assets at risk.
It is a mandatory risk-based framework—a set of government-wide standards and best practices meant to help manage cybersecurity risks.
Question 3
Which of the following is true of the NIST framework?
The framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
The framework does not address critical infrastructure.
The framework is required only for organizations that do business with the US government.
The framework is required only for organizations that do business abroad.
2/2/22, 5:20 PM Assessing Risk in Cloud Computing
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/assessing-risk-in-cloud-computing.html?ou=622270 1/1
Learning Topic
Assessing Risk in Cloud Computing
Risk assessment is the process by which variables are evaluated to determine the amount
and type of risk present. Such assessments are used for decision making as well as for
resource management. Critical components of cloud computing risk assessments include
cataloging and analyzing IT assets, identifying and understanding threats, and determining
any vulnerabilities that might exist.
Risk assessments identify, quantify, and prioritize risks measured against the
organization’s tolerance for risk. One mechanism to identify weaknesses is a vulnerability
assessment, which systematically evaluates an environment (hardware or software) to
determine its susceptibility to vulnerabilities that might expose the network or data to
unauthorized access.
Evaluating risks for cloud computing purposes should not be limited to the computer
network environment; the process should also include the people and the physical
environment, both of which can introduce risks. Operational security (OPSEC) focuses on
identifying and protecting critical information that might disclose details that could be
used for the purposes of exploitation, while physical security identifies and protects the
physical environment against unauthorized entry.
2/2/22, 5:25 PM Risk Management Process
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-management-process.html?ou=622270 1/4
Learning Topic
Risk Management Process
Risk management is an integral part of an organization’s governance structure.
The figure below illustrates a generic risk management process that can be used to
manage risk at the organization level. This process is described in general terms in ISO
Standard 31000 and is used in the National Institute of Standards and Technology’s (NIST)
Special Publication 800-39 to describe the process of managing security risks associated
with information and information systems (NIST, 2011). This risk management process is
focused upon identifying and managing risks to the organization as a whole. The four
elements of this risk management process (frame, assess, respond, monitor) are discussed
in the sections that follow.
[Figure: Organizational-Level Risk Management Process]
Frame
Risk framing is a business process that uses organizational context (problem frame) to
guide the identification and categorization of risks to assets. Risk framing categorizes risks
according to the type of asset, source of the risk to that asset (threat), and the
vulnerability of the asset to the threat. It is usually the first step in the risk management
process.
Risk sources are divided into two categories: opportunities and threats. The opportunity
category is primarily used to frame risks in project management risk analyses and financial
analyses (investment planning). Security risks are usually expressed in terms of threats to
assets and further categorized by the type of threat.
Risks may also be identified using information from published lists and databases of
known threats and vulnerabilities for specific products (hardware and software).
Authoritative vulnerability identification and description information can be obtained
from NIST, the Department of Defense (Defense Information Systems Agency), the
Department of Homeland Security (US-CERT), and the Mitre Corporation (a government
contractor).
Assess
Risk assessment is a business process used to evaluate and rank the risks identified in the
framing process. The output of the risk assessment process is a risk register containing
entries for individual risks and their associated risk impact metrics. Risk assessment may
be quantitative or qualitative. Quantitative risk assessments use statistical techniques to
analyze data from simulations, experiments, and threat models. Qualitative risk
assessments use expert opinion and judgment. Both types of assessment may use
historical information obtained from documents and reports.
Respond
Organizations use four types of risk response strategies:
acceptance
avoidance
transfer
mitigation
When a strategy is applied to a specific risk, it is referred to as a risk treatment.
We will discuss each of the four types of risk response strategies below.
Acceptance has two forms. For opportunity-based risks, an organization accepts the risk
in the expectation of a beneficial or profitable outcome. This form of acceptance usually
involves a deliberate action (e.g., signature on a memorandum) that authorizes the
acceptance of the risk. For threat-based risks, an organization accepts a risk when the
costs of taking action to prevent harm exceed the expected costs of doing nothing. This
form of acceptance may be either de facto (through no action) or de jure (formally
approved or agreed to by an oversight group).
Avoidance occurs when an organization makes a deliberate decision to avoid the
circumstances or situations in which a risk could arise. For example, after reviewing an
opportunity to invest in a new security technology, a venture capitalist could determine
that the potential payoff is too low when compared to other uses of the money and so
decides to not invest in the security technology. Not making the investment is an
avoidance strategy.
Transfer is accomplished by transferring responsibility for the outcome of the risk to
another organization. Two common types of transfer strategies are insurance and
outsourcing. Cyber insurance is purchased to protect an organization from financial losses
resulting from cyber attacks. Outsourcing transfers financial responsibility for specific
risks as part of a service-level agreement or other form of contract-for-services. Under US
law, ultimate responsibility for harm or loss to information and information systems
remains with the owners of those assets and cannot be transferred to an outside
organization.
Mitigation is the most complex of the four risk management strategies. This strategy
requires that organizations identify specific actions, processes, and technologies that can
be used to lessen the impact of a risk. Some mitigation measures focus upon reducing
vulnerabilities in assets (e.g., patching software) while others are used to lower the
probability of occurrence (e.g., deploying antivirus software to detect and block malware
before an infection occurs). Most security controls are intended as risk mitigation
measures.
References
National Institute of Standards and Technology. (2011, March). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). Gaithersburg, MD: Author. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final
2/2/22, 5:20 PM Risk Concepts
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-concepts.html?ou=622270 1/4
Learning Topic
Risk Concepts
The term risk has many different uses and meanings in society. On Wall Street or in the
financial markets, investors talk about calculating or taking risks to make a profit. In
everyday speech, we use the adjective risky to describe behaviors such as not wearing a
seat belt or eating junk food. At work, we talk about managing risk to reduce on-the-job
injuries or to avoid cost overruns or schedule delays. We can increase risk, decrease risk,
manage risk, or avoid it. But, what exactly is risk?
The answer is: it depends. How we define and use the term risk is dependent on context
and perspective. In this section and throughout this course module, we will examine the
concept of risk as it is used within the fields of cybersecurity and information security in
business, government, and other types of organizations. Organizations are our context.
Cybersecurity and information security are our perspective.
Risk
Risk is the uncertain outcome of an event that has not yet occurred. Or, said another way,
a risk is the possibility that an event may occur that carries with it the potential for an
organization to either benefit or suffer a loss or harm.
For example, the loss of a thumb drive is a possible future event that could be a source of
risk to an organization. The thumb drive could be lost forever, or it could be found and
returned. Each of these outcomes is uncertain since it is not possible to determine in
advance whether or not a lost thumb drive will be found and returned to its owner.
A consequence is a potential outcome of a specific risk. Loss of confidentiality due to
theft of data is an example of a consequence.
Every risk has a likelihood or probability of occurrence.
Each risk also has a payoff value. This payoff may be positive or negative and is associated
with the consequence. Some consequences are good or beneficial, while other
consequences are bad or harmful. Payoff values are usually expressed in monetary terms
and can require complex calculations involving multiple consequences for a single risk.
The term impact is used to refer to the change in the value of an asset that results from
the occurrence of a specific risk. Impact can be positive or negative and is usually
expressed in monetary terms. Impact can also be expressed in relative terms (low,
medium, high).
A simple risk-impact metric can be calculated using the likelihood of the event and the
payoff if the event occurs, such that risk = likelihood × payoff.
Internal Risks
Internal risks arise from inside of the company, and can be classified under the categories
technology, physical, and people. Examples of each are below:
Technology: The company's software cannot function in a cloud environment due to a programming error.
Physical: The company suffers a fire at its headquarters and loses all physical prototypes of its voting devices.
People: A dishonest employee steals the company's plan for migration and publishes it. This erodes public trust and results in contract cancellation.
External Risks
External risks arise from outside of the company and include natural factors, such as
natural disasters, and political factors, such as new political leadership.
Vendor-Related Risks
Vendor-related risks are substantial for the cloud computing model, and can include
vendor insolvency, service outages, and a vendor arbitrarily choosing to discontinue cloud
services without notice.
Service-Level-Related Risks
In a cloud computing model, your internal information technology organization is not responsible for all aspects of your company's platform. If your cloud computing vendor suffers an outage, then your customers suffer as well, and you may not have any recourse.
This situation could lead to a significant impact on revenue, and be detrimental to
customer perception of your organization.
Opportunities and Threats
Opportunities are situations or events where the anticipated payoff of a risk is positive or
beneficial. For example, a textbook buyer has the opportunity to save money by
purchasing lower-cost, time-limited access for an electronic version of the textbook for a
course.
Threats, in contrast, are situations or events that could result in negative payoffs or
undesirable outcomes. Undesirable outcomes may be financial losses or, for information
and information systems, the outcome may be a loss of confidentiality, integrity,
availability, nonrepudiation, and so on.
Vulnerabilities
A vulnerability is a weakness in an asset that can be exploited by a threat to cause harm
or loss. For risks arising out of threats, the risk metric is expanded to incorporate a
measure of the vulnerability of the asset to each specific threat. The risk metric becomes
risk (threat, asset) = probability × vulnerability × impact
where
risk (threat, asset) means the risk metric associated with a specific threat to a
specific asset,
and where
probability is the likelihood of occurrence,
vulnerability is a measure of the asset’s susceptibility to the threat, and
impact is a measure of loss or damage to the asset (based upon the asset’s value).
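A worked example of the expanded metric, added here and not part of the UMGC page: a small risk register of the kind the Assess section describes, scored with risk (threat, asset) = probability × vulnerability × impact, ranked, rated low/medium/high against an organizational tolerance, and given a response using the acceptance rule from the Respond section (accept a threat-based risk when the cost of acting exceeds the expected cost of doing nothing). All register entries, the tolerance, the treatment costs and the rating thresholds are constructed assumptions; `RiskEntry`, `rank`, `rate`, `recommend` and `assess` are names invented for this example.

```python
from dataclasses import dataclass

# Added example, not taken from the UMGC page: a quantitative risk register built
# on the page's expanded metric
#     risk(threat, asset) = probability × vulnerability × impact
# and on the page's acceptance rule for threat-based risks (accept when the cost
# of acting exceeds the expected cost of doing nothing). Every entry, tolerance,
# cost figure and rating threshold below is constructed for illustration.


@dataclass
class RiskEntry:
    asset: str
    threat: str
    probability: float     # likelihood the threat occurs within a year (0..1)
    vulnerability: float   # how susceptible the asset is to this threat (0..1)
    impact: float          # loss to the asset if the threat is realised (dollars)
    treatment_cost: float  # annual cost of the mitigation under consideration

    def risk(self) -> float:
        """Expected annual loss: probability × vulnerability × impact."""
        return self.probability * self.vulnerability * self.impact


def rank(register):
    """Register entries ordered from highest to lowest risk metric."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def rate(entry: RiskEntry, tolerance: float) -> str:
    """Relative rating (low/medium/high) against the organization's tolerance.

    The thresholds are an assumption for this example: at or below tolerance is
    low, five times tolerance or more is high, anything between is medium.
    """
    r = entry.risk()
    if r <= tolerance:
        return "low"
    if r >= 5 * tolerance:
        return "high"
    return "medium"


def recommend(entry: RiskEntry, tolerance: float) -> str:
    """Choose a response strategy for a threat-based risk.

    Only acceptance and mitigation can be decided from the numbers alone;
    avoidance and transfer need business context (an alternative course of
    action, an insurer or outsourcer willing to take the risk), so they are
    left to the risk owner.
    """
    r = entry.risk()
    if r <= tolerance:
        return "accept: within tolerance"
    if entry.treatment_cost > r:
        # The page's acceptance rule: acting costs more than doing nothing is
        # expected to cost. Record the decision so the acceptance is de jure,
        # not de facto.
        return "accept: treatment costs more than expected loss (document decision)"
    return "mitigate"


def build_register():
    """Constructed sample register; the values are illustrative only."""
    return [
        RiskEntry("customer database", "SQL injection via web app", 0.25, 0.5, 400_000, 25_000),
        RiskEntry("laptop fleet", "lost or stolen device", 0.75, 0.25, 40_000, 8_000),
        RiskEntry("headquarters data center", "regional flood", 0.0625, 1.0, 500_000, 150_000),
        RiskEntry("public website", "cloud provider outage", 0.5, 0.5, 80_000, 12_000),
    ]


def assess(register, tolerance: float):
    """Rows of (asset, threat, risk, rating, recommendation), highest risk first."""
    return [
        (e.asset, e.threat, e.risk(), rate(e, tolerance), recommend(e, tolerance))
        for e in rank(register)
    ]


if __name__ == "__main__":
    for row in assess(build_register(), tolerance=10_000):
        print(row)
```

With a tolerance of 10,000 the register ranks the database injection risk first (50,000, high, mitigate), then the flood (31,250, medium, but accepted because the 150,000 treatment costs more than the expected loss), the provider outage (20,000, mitigate) and the laptop loss (7,500, within tolerance). Changing the tolerance or a treatment cost moves entries between strategies, which is the point of keeping the register as data rather than as a one-off calculation.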
References
National Institute of Standards and Technology. (2011, March). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). Gaithersburg, MD: Author. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final
Organization for Economic Cooperation and Development. (2005). Corporate governance. Retrieved from http://stats.oecd.org/glossary/detail.asp?ID=6778
2/2/22, 5:21 PM Third Party Outsourcing Issues
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/third-party-outsourcing-issues.html?ou=622270 1/3
Learning Topic
Third Party Outsourcing Issues
A third party is a resource provider between the organization and its customers. Cloud
services make up today’s third-party outsourcing solutions, and there is a strong business
case for their use. Organizations benefit by reduced equipment and personnel costs, more
flexibility in customizable services offered, predictable cash flows, and increased security.
Virtualized redundant services are scalable on demand and resilient to hardware
component outages.
Some problematic issues for government customers are unpredictable data location,
shared services, and cloud provider certification. More generally, since processing, storage
and administration are not location-specific, jurisdictional legal issues are common.
The Federal Risk and Authorization Management Program (FedRAMP) significantly
mitigates risk while containing costs for federal agencies by arranging for commercial
cloud providers who compete in the federal marketplace. Authorized cloud providers must
offer a strictly standardized set of security controls and binding memoranda of agreement
(MOA). Secure private, public and hybrid cloud options are available through tailoring.
Third-party outsourcing, using FedRAMP or non-FedRAMP providers, reduces the security requirements the organization must meet itself, but the organization remains responsible for any residual risk. Just as with in-sourced IT, organizations should contain risk in their dynamic environments by implementing continuous monitoring, auditing controls, and user training.
Software as a Service (SaaS) and Infrastructure as a Service (IaaS) (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/SoftwareasaServiceSaaSandInfrastructureasaServiceIaaS_checked ?ou=622270)
Check Your Knowledge
Choose the best answer to each question:
Question 1
Which of the following is a disadvantage of third-party (cloud) outsourcing to organizations?
Cloud costs cannot be controlled.
Data storage location is too unpredictable.
Data storage location is too predictable.
By definition, data cloud storage is shared among cloud users.
Question 2
Risks in third-party outsourcing (cloud use) include _______.
potential data integrity loss in public clouds
third-party administrators may not be adequately cleared
cloud providers keep their security policies private
all of these choices
Question 3
The Federal Risk and Authorization Management Program (FedRAMP) significantly mitigates risk for federal agencies using cloud services, while containing costs, by producing authorized commercial cloud providers who compete in the federal marketplace.
True
False
Question 4
Authorized cloud providers must offer a strictly standardized set of security controls but do not have to be binding to a memorandum of agreement (MOA).
True
False
Question 5
A third party is a resource provider between the organization and its customers.
True
False
2/2/22, 5:33 PM Cloud Security Alliance (CSA)
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/cloud-security-alliance–csa-.html?ou=622270 1/1
Learning Topic
Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) works to define best practices for all cloud computing
practitioners and customers. CSA offers research on cloud security, as well as education,
certification, events, and products, and enlists the help of industry, associations,
government, and other members for subject-matter expertise, according to CSA’s website
(CSA, n.d.).
References
Cloud Security Alliance. (n.d.). About. Retrieved from https://cloudsecurityalliance.org/about/
2/2/22, 5:24 PM Best Practices for Cloud Adoption
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/best-practices-for-cloud-adoption.html?ou=622270 1/1
Learning Topic
Best Practices for Cloud Adoption
As you consider the cloud computing model, you will need to evaluate best practices for
cloud adoption. There are a number of best practices that can be applied to the cloud
computing model:
Define and set goals and success criteria early.
Fail quickly and learn from mistakes.
Design your solution around performance and availability.
Take advantage of the flexibility of the cloud, and don’t lock yourself in.
Focus on self-service for your end users, whether they are internal or external to the
organization.
Build security into the DNA of your cloud solution.
Understand how regulation and legal systems affect your business.
An Essential Guide to Possibilities and Risks of Cloud Computing (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/an-essential-guide-to-possibilities-and-risks-of-cloud-computing.html?ou=622270)
2/2/22, 5:26 PM Types of Risk
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/types-of-risk.html?ou=622270 1/2
Types of Risk
There are two categories of risk: internal and external.
Internal Risks
Internal risks arise from inside of the company, and the types can include technology,
physical, and people. Examples of each are below:
Technology: The company's software cannot function in a cloud environment because of a programming error.
Physical: The company suffers a fire at its headquarters and loses all physical prototypes of its voting devices.
People: A dishonest employee steals the company's plan for migration and publishes it. This erodes public trust and results in contract cancellation.
External Risks
External risks arise from outside of the company. There are natural factors such as natural
disasters and political factors such as new political leadership.
Vendor-Related Risks
Vendor-related risks are a substantial risk for the cloud computing model, and can include
vendor insolvency and service outages. In addition, a vendor may choose to arbitrarily
discontinue cloud services without notice.
Service-Level Related Risks
In a cloud computing model, your internal information technology organization is not
responsible for all aspects of the company’s platform. If your cloud computing vendor
suffers an outage, your customers suffer as well and you may not have any recourse. This
could lead to reduced revenue and leave an unfavorable perception of your organization
for customers.
Data Security, Privacy, Availability and Integrity in Cloud Computing: Issues and Current Solutions (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/data-security–privacy–availability–and-integrity-in-cloud-com.html?ou=622270)
Managing the Risk Inherent in Cloud Services (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/managing-the-risk-inherent-in-cloud-services.html?ou=622270)
2/2/22, 5:21 PM Cloud Computing Risk Factors
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/cloud-computing-risk-factors.html?ou=622270 1/3
Learning Topic
Cloud Computing Risk Factors
Risk factors are internal or external threats to the security posture of an organization that
can pose a risk to the organization if not monitored or handled properly.
Risk factors and descriptions:

1. Vulnerabilities
Description: Vulnerabilities can be exploited by attackers and result in lack of data integrity and/or loss, theft, or destruction of data.
Minimize risk by: patching to mitigate vulnerabilities, vulnerability and virus scanning, and monitoring aging infrastructure.

2. Threats
Description: Properly identifying the threat landscape is critical to determining risk. This accounts for cyber threats, insider threats, brand reputation threats, domain-based threats, and third-party threats.
Minimize risk by: For insider threats, invoke separation of duties so that one employee does not have privileges over too many business processes; keep employees happy with good benefits, decent pay, reasonable working hours, and training for the position and for organizational security. For brand threats, if an incident were to occur, customers could be vulnerable, business could be lost, and profits could decrease; therefore, there should be a plan in place for incidents or disasters.

3. Policy and Plans
Description: Proper policies must be in place to account for these threats and hold personnel accountable for taking the necessary steps and precautions. Disaster recovery plans should be in place for a disaster, as well as other plans for incidents, such as an incident response plan.
Minimize risk by: getting managerial and executive buy-in, routinely testing plans, and updating policies.

4. Endpoints
Description: Endpoints that store the data pose a great risk to the company if the device is stolen or lost.
Minimize risk by: encrypting hard drives and having software to remotely wipe devices, tracking the devices, managing and accounting for hardware, and properly destroying hardware at end of life.

5. Data
Description: Having too much data and not analyzing it properly for risk can be a danger to the business. Also, if anything happens to the data, specifically personally identifiable information or protected health information, there can be legal, state, local, or federal ramifications.
Minimize risk by: following proper protocols for the data stored on the network, managing endpoints and inventory appropriately, and minimizing vulnerabilities.

6. Regulatory
Description: Not being in compliance with regulations pertinent to the industry in which you operate.
Minimize risk by: having a regulatory compliance program defined, with appropriate policies, procedures, and well-defined roles and responsibilities for staff.
An organization can perform a cloud computing risk assessment to identify its cloud
computing risks. Once these risks have been identified, the organization must decide how
to handle each one (risk avoidance, acceptance, mitigation, control, monitoring, or
transfer).
2/2/22, 5:31 PM ISO Standards
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/iso-standards.html?ou=622270
Learning Resource
ISO Standards
The International Organization for Standardization (ISO) is a global, independent,
nongovernmental organization that develops and promulgates international standards for
a variety of products and services. One such standard, ISO 27001, identifies best
practices for an information security management system (ISMS).
Last revised in 2013, ISO 27001 not only details the requirements to establish,
implement, maintain, and continually improve an information security management
system, but also addresses the requirements for assessing and treating information
security risks. The goal of the standard is to preserve confidentiality, integrity, and
availability by implementing a risk management process.
ISO 27001 (2013) addresses:
understanding the organization's context and needs, and the scope of its information security management system;
clear articulation of leadership commitment, roles, and organizational policies;
planning for information security risks and the treatment of those risks;
support in the areas of communication, competence, resources, and awareness;
operation and associated operational planning;
performance evaluation, including internal audit and management review; and
improvement and corrective actions.
References
ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
2/2/22, 5:34 PM Elections Industry Guidelines
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/elections-industry-guidelines.html?ou=622270
Learning Topic
Elections Industry Guidelines
The Help America Vote Act of 2002 authorized the National Institute of Standards and
Technology (NIST) to assist the Election Assistance Commission (EAC) by providing
technical guidelines and advisement on issues such as:
voting system-related computer, network, and data storage security
fraud detection and prevention
voter privacy protection
accessible voting technologies for individuals with disabilities and varying levels of
literacy
– Please cite your work in your responses.
– Please use APA (7th edition) formatting.
– All questions and each part of the question should be answered in detail (go into depth).
– Responses to questions must demonstrate understanding and application of concepts covered in class.
– Use in-text citations and at LEAST 2 resources per discussion from the school materials that I provided to support all answers.
– No grammatical errors; complete sentences are used. Proper formatting is used. Citations are used according to APA.
– Lastly, responses MUST be organized (should be logical and easy to follow).
QUESTIONS:
As an IT analyst for BallotOnline, a company providing voting solutions to a global client base, you are working to convince the organization to move the current infrastructure to the cloud. Your supervisor, Sophia, the director of IT, has asked you to summarize for the company executives the potential risks and compliance issues that BallotOnline will have to contend with in the transition to the cloud.
Question 1-Step 1: Research Risks Associated with Cloud Adoption
The first step in assessing risk in cloud computing will be to identify and describe risk concepts and cloud computing risk factors associated with cloud adoption. As a software as a service (SaaS) company considering an infrastructure as a service (IaaS) cloud service provider for your hosting needs, consider third-party outsourcing issues and the generally accepted best practices for cloud adoption, and review relevant cloud risk case studies. You should also consider best practices for cloud adoption.
As part of the risk management process, identify and describe other types of risk, such as risks associated with having a service-level agreement (SLA). An example of a potential risk could be if your company is obligated to protect personal information, and then the cloud provider that you use suffers a security breach exposing that personal information.
Here, identify and describe other types of risks or potential liability issues that apply to BallotOnline and discuss them with your colleagues in the Discussion: Risk forum.
Question 2-Step 2: Identify the Most Appropriate Guidelines for Managing Risks
In order to identify guidelines applicable to your company’s industry, you must have an understanding of the different types of risk management guidelines that exist and are frequently applicable in cloud environments.
There are several cybersecurity standards applicable to cloud computing environments, such as the NIST Cybersecurity Framework, ISO standards, and US federal government standards (DoD/FIPS), as well as several major sets of risk guidelines for dealing with the risks involved. Also, there are organizations such as the Cloud Security Alliance (CSA) that recommend best practices for managing risks.
Review the different guidelines and determine which are most appropriate for BallotOnline. For example, NIST has responsibility for developing a number of elections industry guidelines within the United States.
Identify why those guidelines are most appropriate and compile these items into a brief (one page or less) recommendation and justification of your choice. Your recommendation will also be incorporated into your final report in the final step.
Submit your recommendation for review using the steps described below.