Cloud Risks & Risk Management

See the attached documents. Questions and instructions are in the file titled “Questions and Instructions”.


2/2/22, 5:26 PM Service Level Agreement (SLA)

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/service-level-agreement–sla-.html?ou=622270

Learning Topic

Service Level Agreement (SLA)
A service-level agreement (SLA) is an official commitment between an internal or external service provider and the end user.

SLAs define the level of service expected from the service provider regarding issues such as quality, availability, and responsibilities, and they normally state the remedy (for example, service credits) if the commitment is missed. An SLA sets a measurable target and a remedy; it does not transfer the customer's accountability for its own data and users.

© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.

2/2/22, 5:33 PM Risk Guidelines

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-guidelines.html?ou=622270

Learning Topic

Risk Guidelines
Entities such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the US Department of Defense, and the US Government Accountability Office produce guidelines for managing risk in cloud environments. These guidelines may contain analysis of risk vectors and recommended mitigation measures.

The ISO 31000 Standard Risk Management: Principles and Guidelines (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/TheISO3100StandardRiskManagement_PrinciplesandGuidelines_checked ?ou=622270)

NIST Security and Privacy Controls: Fundamentals and Procedures (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/NISTSecurityandPrivacyControls_FundamentalsandProcedures_checked ?ou=622270)

Federal Risk and Authorization Management Program (FedRAMP) (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/federal-risk-and-authorization-management-program–fedramp-.html?ou=622270)

Risk Management with ISO 31000 (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/risk-management-with-iso-31000.html?ou=622270)


2/2/22, 5:30 PM NIST Cybersecurity Framework

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/nist-cybersecurity-framework.html?ou=622270

Learning Topic

NIST Cybersecurity Framework
Executive Order 13636, issued in February 2013, established a requirement for the development of a voluntary, risk-based cybersecurity framework. The resulting framework (the NIST Cybersecurity Framework, first published in 2014) draws on industry standards and best practices to help organizations manage cybersecurity risks.

The framework was created under the leadership of the National Institute of Standards and Technology (NIST), which facilitated collaboration between government and the private sector to develop a baseline for addressing and managing cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses. The framework is in use today and provides a starting point for entities implementing cybersecurity measures in their organizations.

There are several different combinations of authentication factors. Higher levels of assurance are generally associated with more factors (multifactor authentication). For example, two-factor authentication might combine a hardware token with a password. Kerberos is an authentication protocol built on two components: a ticket, issued by the key distribution center's ticket-granting service, that the user presents to prove identity to a service, and a secret key derived from the user's password that is used to decrypt the initial response from the key distribution center. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), in which the server sends a random challenge and the client answers with a hash computed over the challenge and the shared secret (the user's password); the password itself never crosses the link, and because the challenge changes each time, a captured response cannot simply be replayed.
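To make the CHAP exchange concrete, here is an added example written for this page; it is not code from the course material, from NIST, or from any particular implementation. It follows RFC 1994, where the authenticator sends a random challenge and the peer answers with MD5 over the identifier, the shared secret and the challenge. The peer name, the secret and the 16-byte challenge are assumptions for the illustration, and MD5 appears because the RFC mandates it, not as a recommendation for new designs.

```python
"""Added example (not from the course page): a minimal CHAP exchange per RFC 1994.

Both sides share a secret (the user's password). The authenticator sends a
random challenge; the peer answers with MD5(identifier || secret || challenge).
The secret never crosses the link, and because each challenge is used once,
a response captured on the wire cannot be replayed.

The peer name, secret and challenge length are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and verifies responses (e.g. a network access server)."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets                  # peer name -> shared secret
        self._pending: Dict[int, bytes] = {}     # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh random challenge tagged with a new one-octet identifier."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)               # assumed length; RFC 1994 allows any
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected response and compare in constant time.

        The challenge is consumed on first use, so presenting the same
        response a second time (a replay) is rejected."""
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def peer_answer(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """The peer's side of the exchange: prove knowledge of the secret without sending it."""
    return chap_response(identifier, secret, challenge)


def run_exchange(secret_on_peer: bytes) -> Tuple[bool, bool]:
    """One complete handshake followed by a replay of the same response.

    Returns (first_attempt_accepted, replay_accepted)."""
    auth = Authenticator({"alice": b"correct horse battery staple"})  # constructed credential
    identifier, challenge = auth.challenge()            # authenticator -> peer: Challenge
    response = peer_answer(identifier, challenge, secret_on_peer)  # peer -> authenticator: Response
    first = auth.verify(identifier, "alice", response)  # authenticator: Success or Failure
    replay = auth.verify(identifier, "alice", response)  # same bytes again: must fail
    return first, replay


if __name__ == "__main__":
    print(run_exchange(b"correct horse battery staple"))  # (True, False)
    print(run_exchange(b"wrong password"))                # (False, False)
```

Two details carry the security argument: the authenticator discards each challenge after one verification attempt, so a sniffed response fails on replay, and the comparison goes through hmac.compare_digest so a wrong response is not distinguishable by timing. What CHAP does not protect against is an attacker who captures a challenge/response pair and brute-forces the secret offline, which is why it belongs inside an encrypted tunnel and behind strong secrets.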

Focus your study on the first 17 pages of the following resource.

NIST Cybersecurity Framework (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/PolicyCreationNISTFramework ?ou=622270)


Check Your Knowledge

Choose the best answer to each question:

Question 1
The NIST framework was established under which of the following orders?
FISMA
PDD-23
EO 13636
NIST 800-53

Question 2
Which of the following best describes the NIST framework?
It is a mandatory risk-based framework: a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary risk-based framework: a set of industry standards and best practices meant to help manage cybersecurity risks.
It is a voluntary asset-based framework: a set of industry standards and best practices meant to help identify cybersecurity assets at risk.
It is a mandatory risk-based framework: a set of government-wide standards and best practices meant to help manage cybersecurity risks.

Question 3
Which of the following is true of the NIST framework?
The framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
The framework does not address critical infrastructure.
The framework is required only for organizations that do business with the US government.
The framework is required only for organizations that do business abroad.


2/2/22, 5:20 PM Assessing Risk in Cloud Computing

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/assessing-risk-in-cloud-computing.html?ou=622270

Learning Topic

Assessing Risk in Cloud Computing
Risk assessment is the process by which variables are evaluated to determine the amount and type of risk present. Such assessments are used for decision making as well as for resource management. Critical components of a cloud computing risk assessment are cataloging and analyzing IT assets, identifying and understanding threats, and determining any vulnerabilities that might exist.

Risk assessments identify, quantify, and prioritize risks measured against the organization's tolerance for risk. One mechanism for identifying weaknesses is a vulnerability assessment, which systematically evaluates an environment (hardware or software) to find vulnerabilities that might expose the network or data to unauthorized access. In a cloud environment the assessment must cover both what the provider operates and what the customer configures; a scanner run against your own workloads does not see the provider's side of the shared-responsibility line, so that part of the picture has to come from the provider's own attestations and audit reports.

Evaluating risks for cloud computing purposes should not be limited to the computer network environment; the process should also include the people and the physical environment, both of which can introduce risks. Operations security (OPSEC) focuses on identifying and protecting critical information whose disclosure could be used for exploitation, while physical security identifies and protects the physical environment against unauthorized entry.


2/2/22, 5:25 PM Risk Management Process

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-management-process.html?ou=622270

Learning Topic

Risk Management Process
Risk management is an integral part of an organization's governance structure.

The figure below illustrates a generic risk management process that can be used to manage risk at the organization level. This process is described in general terms in ISO Standard 31000 and is used in the National Institute of Standards and Technology's (NIST) Special Publication 800-39 to describe the process of managing security risks associated with information and information systems (NIST, 2011). This risk management process is focused on identifying and managing risks to the organization as a whole. The four elements of this risk management process (frame, assess, respond, monitor) are discussed in the sections that follow.

[Figure: Organizational-Level Risk Management Process]

Frame

Risk framing is a business process that uses organizational context (the problem frame) to guide the identification and categorization of risks to assets. Risk framing categorizes risks according to the type of asset, the source of the risk to that asset (the threat), and the vulnerability of the asset to the threat. It is usually the first step in the risk management process.

Risk sources are divided into two categories: opportunities and threats. The opportunity category is primarily used to frame risks in project management risk analyses and financial analyses (investment planning). Security risks are usually expressed in terms of threats to assets and further categorized by the type of threat.

Risks may also be identified using information from published lists and databases of known threats and vulnerabilities for specific products (hardware and software). Authoritative vulnerability identification and description information can be obtained from NIST, the Department of Defense (Defense Information Systems Agency), the Department of Homeland Security (US-CERT), and the Mitre Corporation (a government contractor).

Assess

Risk assessment is a business process used to evaluate and rank the risks identified in the framing process. The output of the risk assessment process is a risk register containing entries for individual risks and their associated risk impact metrics. Risk assessment may be quantitative or qualitative. Quantitative risk assessments use statistical techniques to analyze data from simulations, experiments, and threat models. Qualitative risk assessments use expert opinion and judgment. Both types of assessment may use historical information obtained from documents and reports.

Respond

Organizations use four types of risk response strategies:

acceptance
avoidance
transfer
mitigation

When a strategy is applied to a specific risk, it is referred to as a risk treatment.


We will discuss each of the four types of risk response strategies below.

Acceptance has two forms. For opportunity-based risks, an organization accepts the risk in the expectation of a beneficial or profitable outcome. This form of acceptance usually involves a deliberate action (e.g., a signature on a memorandum) that authorizes the acceptance of the risk. For threat-based risks, an organization accepts a risk when the costs of taking action to prevent harm exceed the expected costs of doing nothing. This form of acceptance may be either de facto (through no action) or de jure (formally approved or agreed to by an oversight group).

Avoidance occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise. For example, after reviewing an opportunity to invest in a new security technology, a venture capitalist could determine that the potential payoff is too low compared to other uses of the money and so decide not to invest in the security technology. Not making the investment is an avoidance strategy.

Transfer is accomplished by transferring responsibility for the outcome of the risk to another organization. Two common types of transfer strategies are insurance and outsourcing. Cyber insurance is purchased to protect an organization from financial losses resulting from cyber attacks. Outsourcing transfers financial responsibility for specific risks as part of a service-level agreement or other form of contract for services. Under US law, ultimate responsibility for harm or loss to information and information systems remains with the owners of those assets and cannot be transferred to an outside organization.

Mitigation is the most complex of the four risk management strategies. This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the impact of a risk. Some mitigation measures focus on reducing vulnerabilities in assets (e.g., patching software), while others are used to lower the probability of occurrence (e.g., deploying antivirus software to detect and block malware before an infection occurs). Most security controls are intended as risk mitigation measures.

References

National Institute of Standards and Technology (NIST). (2011, March). Special Publication 800-39. Managing information security risk: Organization, mission, and information system view. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final


2/2/22, 5:20 PM Risk Concepts

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-concepts.html?ou=622270

Learning Topic

Risk Concepts
The term risk has many different uses and meanings in society. On Wall Street or in the financial markets, investors talk about calculating or taking risks to make a profit. In everyday speech, we use the adjective risky to describe behaviors such as not wearing a seat belt or eating junk food. At work, we talk about managing risk to reduce on-the-job injuries or to avoid cost overruns or schedule delays. We can increase risk, decrease risk, manage risk, or avoid it. But what exactly is risk?

The answer is: it depends. How we define and use the term risk depends on context and perspective. In this section and throughout this course module, we will examine the concept of risk as it is used within the fields of cybersecurity and information security in business, government, and other types of organizations. Organizations are our context. Cybersecurity and information security are our perspective.

Risk

Risk is the uncertain outcome of an event that has not yet occurred. Or, said another way, a risk is the possibility that an event may occur that carries with it the potential for an organization to either benefit or suffer a loss or harm.

For example, the loss of a thumb drive is a possible future event that could be a source of risk to an organization. The thumb drive could be lost forever, or it could be found and returned. Each of these outcomes is uncertain, since it is not possible to determine in advance whether or not a lost thumb drive will be found and returned to its owner.

A consequence is a potential outcome of a specific risk. Loss of confidentiality due to theft of data is an example of a consequence.

Every risk has a likelihood or probability of occurrence.

Each risk also has a payoff value. This payoff may be positive or negative and is associated with the consequence. Some consequences are good or beneficial, while other consequences are bad or harmful. Payoff values are usually expressed in monetary terms and can require complex calculations involving multiple consequences for a single risk.

The term impact is used to refer to the change in the value of an asset that results from the occurrence of a specific risk. Impact can be positive or negative and is usually expressed in monetary terms. Impact can also be expressed in relative terms (low, medium, high).

A simple risk-impact metric can be calculated using the likelihood of the event and the payoff if the event occurs, such that

risk = likelihood × payoff

Internal Risks

Internal risks arise from inside the company and can be classified under the categories technology, physical, and people. Examples of each are below:

Technology: The company's software cannot function in a cloud environment due to a programming error.
Physical: The company suffers a fire at its headquarters and loses all physical prototypes of its voting devices.
People: A dishonest employee steals the company's plan for migration and publishes it. This erodes public trust and results in contract cancellation.

External Risks

External risks arise from outside the company and include natural factors, such as natural disasters, and political factors, such as new political leadership.

Vendor-Related Risks

Vendor-related risks are substantial for the cloud computing model and can include vendor insolvency, service outages, and a vendor arbitrarily choosing to discontinue cloud services without notice.


Service-Level-Related Risks

In a cloud computing model, your internal information technology organization is not responsible for all aspects of your company's platform. If your cloud computing vendor suffers an outage, your customers suffer as well, and you may have no recourse beyond whatever remedy the SLA provides.

This situation could lead to a significant impact on revenue and be detrimental to customer perception of your organization.

Opportunities and Threats

Opportunities are situations or events where the anticipated payoff of a risk is positive or beneficial. For example, a textbook buyer has the opportunity to save money by purchasing lower-cost, time-limited access to an electronic version of the textbook for a course.

Threats, in contrast, are situations or events that could result in negative payoffs or undesirable outcomes. Undesirable outcomes may be financial losses or, for information and information systems, a loss of confidentiality, integrity, availability, nonrepudiation, and so on.

Vulnerabilities

A vulnerability is a weakness in an asset that can be exploited by a threat to cause harm or loss. For risks arising out of threats, the risk metric is expanded to incorporate a measure of the vulnerability of the asset to each specific threat. The risk metric becomes

risk(threat, asset) = probability × vulnerability × impact

where risk(threat, asset) is the risk metric associated with a specific threat to a specific asset, probability is the likelihood of occurrence, vulnerability is a measure of the asset's susceptibility to the threat, and impact is a measure of loss or damage to the asset (based upon the asset's value).
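As an added worked example (written for this page, not taken from the course material or from NIST SP 800-39), the following Python applies this metric and the acceptance rule from the Respond section of the Risk Management Process topic above (a threat-based risk is accepted when acting costs more than the expected cost of doing nothing) to a small constructed register, ranks the entries, and assigns each one of the four response strategies. Every asset, threat, probability, dollar value and control cost is invented, and the mapping of low/medium/high to 0.2/0.5/0.9 is an assumption.

```python
"""Added example, not part of the course page: a small risk register that applies

    risk(threat, asset) = probability x vulnerability x impact

to constructed cloud-migration risks, ranks them against a risk tolerance, and
maps each to accept / avoid / transfer / mitigate.  Probability and vulnerability
are on a 0..1 scale (qualitative labels are mapped to numbers), impact is in
dollars, so the metric reads as an annual expected loss.  All values are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

QUALITATIVE = {"low": 0.2, "medium": 0.5, "high": 0.9}  # assumed mapping


def scale(value: Union[float, str]) -> float:
    """Accept a number in [0, 1] or a low/medium/high label."""
    if isinstance(value, str):
        return QUALITATIVE[value.lower()]
    if not 0.0 <= value <= 1.0:
        raise ValueError("probability and vulnerability must lie in [0, 1]")
    return float(value)


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float                    # likelihood of the threat event per year
    vulnerability: float                  # susceptibility of the asset to that threat
    impact: float                         # loss in dollars if the event occurs
    control_cost: Optional[float] = None  # annual cost of a mitigating control
    residual_vulnerability: Optional[float] = None  # vulnerability once the control is in place
    transferable: bool = False            # can the financial outcome be insured or contracted away

    def metric(self, vulnerability: Optional[float] = None) -> float:
        """risk(threat, asset) = probability x vulnerability x impact."""
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.probability * v * self.impact


def choose_response(risk: Risk, tolerance: float) -> str:
    """Pick a response strategy for one register entry."""
    loss = risk.metric()
    if loss <= tolerance:
        # Within tolerance: accept, and record it so the acceptance is de jure, not de facto.
        return "accept"
    if risk.control_cost is not None and risk.residual_vulnerability is not None:
        saving = loss - risk.metric(risk.residual_vulnerability)
        if risk.control_cost <= saving:
            return "mitigate"         # the control costs less than the loss it removes
    if risk.transferable:
        return "transfer"             # insurance or a contract/SLA carries the financial outcome
    # Above tolerance, no cost-effective control, nobody to transfer it to:
    # do not enter the situation that creates the risk.
    return "avoid"


def summarize(register: List[Risk], tolerance: float) -> List[Tuple[str, str, float, str]]:
    """Rank entries by expected loss (highest first) with the chosen response."""
    ranked = sorted(register, key=lambda r: r.metric(), reverse=True)
    return [(r.asset, r.threat, r.metric(), choose_response(r, tolerance)) for r in ranked]


def build_register() -> List[Risk]:
    """Constructed sample entries for a fictional company's cloud migration."""
    return [
        Risk("SaaS CRM tenant", "credential theft", scale(0.3), scale("high"), 500_000,
             control_cost=20_000, residual_vulnerability=0.2),          # MFA + conditional access
        Risk("build server", "ransomware", scale(0.2), scale("medium"), 100_000),
        Risk("web tier", "provider region outage", scale(0.1), scale(1.0), 400_000,
             control_cost=60_000, residual_vulnerability=0.2, transferable=True),  # multi-region vs. insurance
        Risk("voting device prototypes", "fire at headquarters", scale(0.02), scale(1.0), 1_500_000,
             control_cost=5_000, residual_vulnerability=0.1),           # off-site copies of the designs
        Risk("unvetted third-party plugin", "supply-chain compromise", scale(0.4), scale(0.8), 300_000),
    ]


if __name__ == "__main__":
    for asset, threat, loss, response in summarize(build_register(), tolerance=25_000):
        print(f"{loss:>10,.0f}  {response:<9}  {threat} -> {asset}")
```

With a tolerance of 25,000 the sample register ranks credential theft first (expected loss 135,000, mitigated because a 20,000 control removes 105,000 of it), the unvetted plugin second (96,000, avoided because nothing affordable reduces it), the region outage third (40,000, transferred because the multi-region control costs more than it saves), the fire fourth (30,000, mitigated), and ransomware last (10,000, accepted). The point a practitioner should take from it is that the same dollar figure can end up with different treatments depending on what a control costs and whether the outcome can be contracted away.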


References

National Institute of Standards and Technology. (2011, March). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). Gaithersburg, MD: Author. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final

Organization for Economic Cooperation and Development. (2005). Corporate governance. Retrieved from http://stats.oecd.org/glossary/detail.asp?ID=6778


2/2/22, 5:21 PM Third Party Outsourcing Issues

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/third-party-outsourcing-issues.html?ou=622270

Learning Topic

Third Party Outsourcing Issues
A third party is a resource provider between the organization and its customers. Cloud services are the dominant form of third-party outsourcing today, and there is a strong business case for their use. Organizations benefit from reduced equipment and personnel costs, more flexibility in the customizable services offered, predictable cash flows, and, where the provider's controls are more mature than the customer's own, improved security. Virtualized redundant services are scalable on demand and resilient to hardware component outages.

Some problematic issues for government customers are unpredictable data location, shared services, and cloud provider certification. More generally, since processing, storage, and administration are not location-specific, jurisdictional legal issues are common.

The Federal Risk and Authorization Management Program (FedRAMP) significantly mitigates risk while containing costs for federal agencies by authorizing commercial cloud providers who then compete in the federal marketplace. Authorized cloud providers must offer a strictly standardized set of security controls and enter into binding memoranda of agreement (MOA). Secure private, public, and hybrid cloud options are available through tailoring.

Third-party outsourcing, whether with FedRAMP or non-FedRAMP providers, shifts the implementation of some security requirements to the provider, but the organization remains responsible for any residual risk. Just as with in-sourced IT, organizations should contain risk in their dynamic environments by implementing continuous monitoring, auditing controls, and user training.

Software as a Service (SaaS) and Infrastructure as a Service (IaaS) (https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/SoftwareasaServiceSaaSandInfrastructureasaServiceIaaS_checked ?ou=622270)


Check Your Knowledge

Choose the best answer to each question:

Question 1
Which of the following is a disadvantage of third-party (cloud) outsourcing to organizations?
Cloud costs cannot be controlled.
Data storage location is too unpredictable.
Data storage location is too predictable.
By definition, data cloud storage is shared among cloud users.

Question 2
Risks in third-party outsourcing (cloud use) include _______.
potential data integrity loss in public clouds
third-party administrators may not be adequately cleared
cloud providers keep their security policies private
all of these choices

Question 3
The Federal Risk and Authorization Management Program (FedRAMP) significantly mitigates risk for federal agencies using cloud services, while containing costs, by producing authorized commercial cloud providers who compete in the federal marketplace.
True
False

Question 4
Authorized cloud providers must offer a strictly standardized set of security controls but do not have to be binding to a memorandum of agreement (MOA).
True
False

Question 5
A third party is a resource provider between the organization and its customers.
True
False


2/2/22, 5:33 PM Cloud Security Alliance (CSA)

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/cloud-security-alliance–csa-.html?ou=622270

Learning Topic

Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) works to define best practices for all cloud computing practitioners and customers. CSA offers research on cloud security, as well as education, certification, events, and products, and enlists the help of industry, associations, government, and other members for subject-matter expertise, according to CSA's website (CSA, n.d.).

References

Cloud Security Alliance. (n.d.). About. Retrieved from https://cloudsecurityalliance.org/about/


2/2/22, 5:24 PM Best Practices for Cloud Adoption

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/best-practices-for-cloud-adoption.html?ou=622270

Learning Topic

Best Practices for Cloud Adoption
As you consider the cloud computing model, you will need to evaluate best practices for cloud adoption. There are a number of best practices that can be applied to the cloud computing model:

Define and set goals and success criteria early.
Fail quickly and learn from mistakes.
Design your solution around performance and availability.
Take advantage of the flexibility of the cloud, and don't lock yourself in.
Focus on self-service for your end users, whether they are internal or external to the organization.
Build security into the DNA of your cloud solution.
Understand how regulation and legal systems affect your business.

An Essential Guide to Possibilities and Risks of Cloud Computing (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/an-essential-guide-to-possibilities-and-risks-of-cloud-computing.html?ou=622270)


2/2/22, 5:26 PM Types of Risk

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/types-of-risk.html?ou=622270

Types of Risk

Risks fall into two broad categories, internal and external; the vendor-related and service-level risks discussed below are external risks specific to the cloud computing model.

Internal Risks

Internal risks arise from inside the company, and the types can include technology, physical, and people. Examples of each are below:

Technology: The company's software cannot function in a cloud environment because of a programming error.
Physical: The company suffers a fire at its headquarters and loses all physical prototypes of its voting devices.
People: A dishonest employee steals the company's plan for migration and publishes it. This erodes public trust and results in contract cancellation.

External Risks

External risks arise from outside the company. There are natural factors, such as natural disasters, and political factors, such as new political leadership.

Vendor-Related Risks

Vendor-related risks are a substantial risk for the cloud computing model and can include vendor insolvency and service outages. In addition, a vendor may choose to arbitrarily discontinue cloud services without notice.

Service-Level Related Risks

In a cloud computing model, your internal information technology organization is not responsible for all aspects of the company's platform. If your cloud computing vendor suffers an outage, your customers suffer as well and you may not have any recourse. This could lead to reduced revenue and leave customers with an unfavorable perception of your organization.
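The following added example (written for this page, not from the course material) turns an SLA availability commitment into a downtime budget, shows how serial dependencies on several providers compound into a lower availability than any single SLA promises, and checks a month of constructed outage records against the budget. The 30-day month, the 99.9% figure and the outage timestamps are assumptions.

```python
"""Added example (not part of the course page): working with an SLA availability figure.

Two things the prose leaves implicit:
  * an SLA percentage is a downtime budget: 99.9 % over a 30-day month is 43.2 minutes;
  * if your platform needs several providers up at once, your best-case availability
    is the product of theirs, which is lower than any one of them.

The month length, SLA figure and outage records below are constructed for the example.
"""
from datetime import datetime
from typing import Iterable, List, Tuple

MINUTES_PER_MONTH = 30 * 24 * 60   # assumed 30-day month; use the real month length in practice


def downtime_budget_minutes(availability_pct: float, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Minutes of downtime an availability percentage permits per period."""
    if not 0.0 < availability_pct <= 100.0:
        raise ValueError("availability must be a percentage in (0, 100]")
    return period_minutes * (1.0 - availability_pct / 100.0)


def composite_availability_pct(dependencies_pct: Iterable[float]) -> float:
    """Best-case availability of a service that needs every dependency up
    (serial dependencies): the product of their availabilities."""
    product = 1.0
    for pct in dependencies_pct:
        product *= pct / 100.0
    return product * 100.0


Outage = Tuple[datetime, datetime]   # (start, end) of one incident


def total_outage_minutes(outages: Iterable[Outage]) -> float:
    """Sum outage durations, merging overlaps so two tickets for the same
    incident are not counted twice."""
    merged: List[List[datetime]] = []
    for start, end in sorted(outages):
        if end < start:
            raise ValueError("outage ends before it starts")
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return sum((e - s).total_seconds() for s, e in merged) / 60.0


def sla_breached(availability_pct: float, outages: Iterable[Outage]) -> bool:
    """True when recorded downtime exceeds what the SLA percentage allows."""
    return total_outage_minutes(outages) > downtime_budget_minutes(availability_pct)


SAMPLE_OUTAGES: List[Outage] = [  # constructed incident records for one month
    (datetime(2022, 2, 3, 9, 0), datetime(2022, 2, 3, 9, 25)),
    (datetime(2022, 2, 3, 9, 20), datetime(2022, 2, 3, 9, 40)),    # overlaps the first ticket
    (datetime(2022, 2, 17, 22, 0), datetime(2022, 2, 17, 22, 30)),
]

if __name__ == "__main__":
    print(f"{downtime_budget_minutes(99.9):.1f} min/month allowed at 99.9 %")
    print(f"{composite_availability_pct([99.95, 99.9, 99.5]):.3f} % best case across three serial providers")
    print("recorded downtime:", total_outage_minutes(SAMPLE_OUTAGES), "min")
    print("SLA breached:", sla_breached(99.9, SAMPLE_OUTAGES))
```

Three serial dependencies at 99.95%, 99.9% and 99.5% give a best case of about 99.35%, roughly 4.7 hours of downtime per 30-day month even if every provider meets its own SLA, which is the number to compare against what you promise your own customers. The sample month records 70 minutes of downtime, so a 99.9% SLA would be breached while a 99.8% one would not; what remedy that triggers is whatever the contract says, which is the recourse question the paragraph above raises.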

Data Security, Privacy, Availability and Integrity in Cloud Computing: Issues and Current Solutions (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/data-security–privacy–availability–and-integrity-in-cloud-com.html?ou=622270)

Managing the Risk Inherent in Cloud Services (https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/managing-the-risk-inherent-in-cloud-services.html?ou=622270)


2/2/22, 5:21 PM Cloud Computing Risk Factors

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/cloud-computing-risk-factors.html?ou=622270

Learning Topic

Cloud Computing Risk Factors
Risk factors are internal or external threats to the security posture of an organization that can pose a risk to the organization if not monitored or handled properly.

Risk factor 1: Vulnerabilities
Vulnerabilities can be exploited by attackers and result in loss of data integrity and/or data loss, theft, or destruction.
Minimize risk by: patching to mitigate vulnerabilities, vulnerability and virus scanning, and monitoring aging infrastructure.

Risk factor 2: Threats
Properly identifying the threat landscape is critical to determining risk. This accounts for cyber threats, insider threats, brand reputation threats, domain-based threats, and third-party threats.
Minimize risk by: for insider threats, enforcing separation of duties so that no one employee has privileges over too many business processes, and keeping employees satisfied with good benefits, decent pay, reasonable working hours, and training for the position and for organizational security. For brand threats: if an incident were to occur, customers could be exposed, business could be lost, and profits could decrease, so there should be a plan in place for incidents and disasters.

Risk factor 3: Policy and Plans
Proper policies must be in place to account for these threats and hold personnel accountable for taking the necessary steps and precautions. Disaster recovery plans should be in place for a disaster, as well as other plans for incidents, such as an incident response plan.
Minimize risk by: getting managerial and executive buy-in, routinely testing plans, and updating policies.

Risk factor 4: Endpoints
Endpoints that store data pose a great risk to the company if the device is stolen or lost.
Minimize risk by: encrypting hard drives, having software to remotely wipe devices, tracking the devices, managing and accounting for hardware, and properly destroying hardware at end of life.

Risk factor 5: Data
Having too much data and not analyzing it properly for risk can be a danger to the business. Also, if anything happens to the data, specifically personally identifiable information or protected health information, there can be legal ramifications at the state, local, or federal level.
Minimize risk by: following proper protocols for the data stored on the network, managing endpoints and inventory appropriately, and minimizing vulnerabilities.

Risk factor 6: Regulatory
Not being in compliance with regulations pertinent to the industry in which you operate.
Minimize risk by: having a regulatory compliance program defined, with appropriate policies, procedures, and well-defined roles and responsibilities for staff.


An organization can perform a cloud computing risk assessment to determine the cloud computing risks. Once these risks have been identified, an organization must determine how to handle the risks (risk avoidance, acceptance, mitigation, control, monitoring, and transfer).


2/2/22, 5:31 PM ISO Standards

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/iso-standards.html?ou=622270 1/2

Learning Resource

ISO Standards

The International Organization for Standards (ISO) is a global, independent, nongovernmental organization that develops and promulgates international standards for a variety of products and services. One such standard, ISO 27001, identifies best practices for an information security management system.

Last revised in 2013, ISO 27001 not only details the requirements to establish, implement, maintain, and improve information security management systems, but also addresses the requirements for both assessing and mitigating information security risks. The goal of this standard is to preserve confidentiality, integrity, and availability by implementing a risk management process.

ISO 27001 (2013) addresses:

- understanding an organization's needs, scope, and information management system;
- clear articulation of leadership commitment, roles, and organizational policies;
- planning for information security risks and the treatment of the risks;
- support in the areas of communications, competence, resources, and awareness;
- operations and associated operational planning;
- performance evaluation that includes audit and performance review; and
- improvement and corrective actions.

References

ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en


2/2/22, 5:34 PM Elections Industry Guidelines

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/elections-industry-guidelines.html?ou=622270 1/1

Learning Topic

Elections Industry Guidelines

The Help America Vote Act of 2002 authorized the National Institute of Standards and Technology (NIST) to assist the Election Assistance Commission (EAC) by providing technical guidelines and advisement on issues such as:

- voting systems-related computer, network, and data storage security
- fraud detection and prevention
- voter privacy protection
- accessible voting technologies for individuals with disabilities and varying levels of literacy


– Please cite your work in your responses.
– Please use APA (7th edition) formatting.
– All questions and each part of the question should be answered in detail (go into depth).
– Responses to questions must demonstrate understanding and application of concepts covered in class.
– Use in-text citations and at LEAST 2 resources per discussion from the school materials that I provided to support all answers.
– No grammatical errors; complete sentences are used. Proper formatting is used. Citations are used according to APA.
– Lastly, responses MUST be organized (should be logical and easy to follow).

QUESTIONS:

As an IT analyst for BallotOnline, a company providing voting solutions to a global client base, you are working to convince the organization to move the current infrastructure to the cloud. Your supervisor and the director of IT, Sophia, has asked you to summarize for the company executives the potential risks and compliance issues that BallotOnline will have to contend with in the transition to the cloud.

Question 1 - Step 1: Research Risks Associated with Cloud Adoption

The first step in assessing risk in cloud computing will be to identify and describe risk concepts and cloud computing risk factors associated with cloud adoption. As a software as a service (SaaS) company considering an infrastructure as a service (IaaS) cloud service provider for your hosting needs, consider third-party outsourcing issues and the generally accepted best practices for cloud adoption, and review relevant cloud risk case studies. You should also consider best practices for cloud adoption.

As part of the risk management process, identify and describe other types of risk, such as risks associated with having a service-level agreement (SLA). An example of a potential risk could be if your company is obligated to protect personal information, and then the cloud provider that you use suffers a security breach exposing that personal information.

Here, identify and describe other types of risks or potential liability issues that apply to BallotOnline and discuss them with your colleagues in the Discussion: Risk forum.

Question 2 - Step 2: Identify the Most Appropriate Guidelines for Managing Risks

In order to identify guidelines applicable to your company's industry, you must have an understanding of the different types of risk management guidelines that exist and are frequently applicable in cloud environments.

There are several cybersecurity standards applicable to cloud computing environments, such as the NIST Cybersecurity Framework, ISO standards, and US federal government standards (DoD/FIPS), as well as several major sets of risk guidelines for dealing with the risks involved. Also, there are organizations such as the Cloud Security Alliance (CSA) that recommend best practices for managing risks.

Review the different guidelines and determine which are most appropriate for BallotOnline. For example, NIST has responsibility for developing a number of elections industry guidelines within the United States.

Identify why those guidelines are most appropriate and compile these items into a brief (one page or less) recommendation and justification of your choice. Your recommendation will also be incorporated into your final report in the final step.

Submit your recommendation for review using the steps described below.
