Information security, which involves assuring the confidentiality, integrity, and availability of mission-critical data, is typically a primary concern of regulators. Business executives are responsible for aligning corporate policies to the requirements of regulation and for following up to ensure that the policies and associated controls are being enforced.
Regulatory compliance requires that enterprise IT departments meet certain technical standards that conform to specific requirements defined either by an external authoritative governmental or industry organization or by internal enterprise policies. Both internal and external regulations may have significant impacts on enterprise IT operations. Complying with any regulatory rule often constrains IT managers by imposing network and system design features that may be quite costly. Likewise, not complying with regulations may lead to both civil and criminal penalties.
In this assignment, you address security issues related to information security regulatory compliance.
Preparation
Identify and research a specific information security-related regulatory requirement whose compliance is dictated by one of the following regulatory rules:
Family Educational Rights and Privacy Act (FERPA).
Gramm–Leach–Bliley Act (GLBA).
Health Insurance Portability and Accountability Act (HIPAA).
Payment Card Industry Data Security Standard (PCI DSS).
Sarbanes–Oxley Act (SOX).
Assume an organization is planning to move a significant IT function, such as data storage or office productivity applications, to a public cloud computing service provider. Identify one of the regulatory rules above as one that would likely govern or be important to the organization and a security control that is appropriate for achieving compliance with it.
Make sure to do the following:
Explain how your security control protects your cloud data.
Create a logical network diagram that indicates the appropriate placement of your security control.
Explain how your security control enables regulatory compliance.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It applies to any school receiving funds from the US Department of Education, including public schools, private schools, universities and colleges (U.S. Department of Education 2020). To comply with this regulation, organizations must ensure they have adequate policies in place when it comes to collecting, managing, storing and disclosing student data.
To protect cloud data from unauthorized access or disclosure in accordance with FERPA requirements, my security control strategy would involve implementing multi-factor authentication for accessing sensitive information pertaining to students’ educational records (U.S. Department of Education 2020). This could be accomplished by utilizing either two-factor authentication, which requires users to provide two different forms of identification, such as a password followed by a one-time code sent via SMS or email, or biometrics such as facial recognition or fingerprints (Kendrick et al., 2018). Additionally, I also recommend creating access control lists which restrict access only to authorized personnel based on their roles within the organization (Bell et al., 2019). Furthermore, it is crucial that organizations create audit trails which monitor user behavior when accessing confidential information, thus increasing visibility into their activity while simultaneously providing traceability if there were ever any violations in terms of regulatory noncompliance (Hassan et al., 2018).
Overall, my approach for protecting cloud data involves implementing both technical security controls such as multi-factor authentication along with administrative measures like access control lists and audit trails. These steps help ensure that only those individuals who need access to students’ personal information can do so while minimizing the risk of unauthorized exposure or misuse.