Project 6 – Cloud Computing Security Policy

This week you will prepare a cloud security policy. The first CIO of the US mandated that cloud services be implemented in organizations whenever possible. Review the scenario below and prepare a cloud security policy for the organization. Complete the following section readings from “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, sections 1.1, 1.3, 1.6, 1.8, and 1.9, prior to starting your work on the policy:

PROCESS-ORIENTED SECURITY REQUIREMENTS
1.1 NIST SP 800-53 SECURITY CONTROLS FOR CLOUD-BASED INFORMATION SYSTEMS: page 10
1.3 CLOUD CERTIFICATION AND ACCREDITATION: page 17
1.6 CLARITY ON CLOUD ACTORS SECURITY ROLES AND RESPONSIBILITIES: page 27
1.8 BUSINESS CONTINUITY AND DISASTER RECOVERY: page 31
1.9 TECHNICAL CONTINUOUS MONITORING CAPABILITIES: page 34

Background:

A small non-profit organization (SNPO-MC) has received a grant which will pay 90% of its cloud computing costs for a five year period. But, before it can take advantage of the monies provided by this grant, it must present an acceptable cloud computing security policy to the grant overseers.

Tasking:

You are a cybersecurity professional who is “on loan” from your employer, a management consulting firm, to a small non-profit organization (SNPO-MC). You have been tasked with researching requirements for a Cloud Computing Security Policy and then developing a draft policy for the non-profit organization, SNPO-MC. The purpose of this policy is to provide guidance to managers, executives, and cloud computing service providers. This new policy will supersede (replace) the existing Enterprise IT Security Policy which focuses exclusively upon enterprise security requirements for organization owned equipment (including database servers, Web and email servers, file servers, remote access servers, desktop computers, workstations, and laptop computers) and licensed software applications. The enterprise IT security policy also addresses incident response and disaster recovery.

As part of your policy development task you must take into consideration the issues list which was developed during brainstorming sessions by executives and managers in each of the three operating locations for the non-profit organization.

Your deliverable for this project is a 5 to 8 page, single spaced, professionally formatted draft policy. See the following resources for suggested formats.

Profile:

The organization is headquartered in Boston, MA and has two additional operating locations (offices) in New Orleans, LA and San Francisco, CA. Approximately 50 employees work in a formal office setting at one of these locations. These employees use organization owned IT equipment. The remaining 1,000 staff members are volunteers who work from their home offices using personally owned equipment.

The organization provides a variety of management consulting services for its clients (charities and non-governmental organizations) on a fee for service basis. Fees are set on a sliding scale based upon the client’s ability to pay. The organization receives additional funding to support its administrative costs, including IT and IT security, through grants and donations from several Fortune 500 companies.

The non-profit organization is in the process of hiring its first Chief Information Officer. The organization has a small (3 person) professional IT staff that includes one information security specialist. These staff members are located in the Boston headquarters office.

Definitions:

Employees of the organization are referred to as employees.

Executives and other staff who are “on loan” from Fortune 500 companies are referred to as loaned staff members. Loaned staff members usually telework for the organization one to two days per week for a period of one year.

Volunteers who perform work for the organization are referred to as volunteer staff members. Volunteer staff members usually telework from their homes one to two days per week.

Cloud Computing includes but is not restricted to:
- Platform as a Service
- Infrastructure as a Service
- Software as a Service

Issues List:
- Who speaks with authority for the firm?
- Who monitors and manages compliance with laws and regulations?
- Ownership of content
- Privacy and confidentiality
- Enforcement
- Penalties for violations of policy
- Use by sales and marketing
- Use by customer service / outreach
- Use by public relations and corporate communications (e.g. information for shareholders, customers, general public)
- Use for advertising and e-commerce
- Use by teleworkers
- Review requirements (when, by whom)
- Use of content and services monitoring tools
- Content generation and management (documents, email, cloud storage)

Additional issues listed in (suggested by the organization’s IT Staff for your consideration):
1.

documents below are useful resources in planning your cloud security policy:
- Cloud Security: A Comprehensive Guide to Secure Cloud Computing by Ronald L. Krutz and Russell Dean Vines, John Wiley & Sons © 2010 (384 pages), ISBN: 9780470589878. Chapter 3: Cloud Computing Software Security Fundamentals
- Guide to Information Technology Security Services
- at point implementation plan to reform information technology
- Cloud Computing (NIST SP 500-291) and (NIST SP 500-292). 500-291 – Standards: Chapter 3 and Chapter 5.5
- White Paper: “Challenging Security Requirements for US Government Cloud Computing Adoption,” NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory



