
A medium sized organization of around 30 employees that provides address correction services to
crown corporations such as Canada Post is interested in understanding its security risk posture. This
concern arises from the vast amount of Personal Identifiable Information (PII) that the organization
collects, uses, stores and discloses. The organization has decided that in order to upgrade its services
and allow for an ease of digitization, the organization will move its entire infrastructure over to a
Cloud Service Provider (CSP). Subsequently, the organization has engaged you to conduct a risk
assessment that is designed to measure risks related to the collection, use, storage and dissemination
of PII.

Using your knowledge from domain 1 to 3, describe how you would go about conducting this
assessment, what would be the key stakeholders you would interview, key systems you would
review, what can you expect to find, and what type of recommendations are you likely to
recommend?


To conduct a risk assessment of Canada Post, I must first understand the organization's mission, strategy, goals, and objectives before determining how to serve the organization's demands securely. The purpose of the assessment is to identify the risks connected with shifting the infrastructure to a cloud service provider (CSP), reduce them, and offer solutions that better protect the organization and mitigate those risks. Risk cannot be completely removed, but it can be lowered to an acceptable level and monitored so that it is recognized and addressed as technology advances.
To conduct the risk assessment, I would communicate with the organization's stakeholders, including the Chief Executive Officer (CEO), the Information Technology and Security manager (ITS), the Project Manager (PM), the Legal and Compliance Manager (LC), the Enterprise Resource Planning manager (ERP), the Human Resource manager (HR), the administrative team, and the Cloud Service Provider (CSP), in order to understand the current risk assessment strategy, asset inventory, current regulatory and compliance agreements, database system, and human resource tasks and obligations.
Following that, I would assess the database system in terms of the collection, use, storage, and distribution of data, and of what is considered confidential and required to be kept confidential by applicable laws, regulations, industry standards, and contractual agreements. Names, birthdates, addresses, and Social Insurance Numbers (SIN) are examples of Personal Identifiable Information (PII). ISO/IEC 27001, from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), takes a holistic approach to securing and managing the sensitive organizational data that governs the PII. Some of its key control domains are information security policies, human resource security, access control, cryptography, and compliance. Since the organization is Canadian based, I would also apply the Personal Information Protection and Electronic Documents Act (PIPEDA), which businesses must adhere to in order to protect PII; its key principles include accountability, limiting collection, limiting use, disclosure and retention, safeguards, and challenging compliance.
Furthermore, I would engage the IT, PM, and ERP teams to assess the current state of all IT equipment and ongoing projects, verifying whether applications, licenses, security patches, and IT logs are up to date or need to be updated, and to verify that IT security policies and procedures follow the General Data Protection Regulation (GDPR) standard and its Article 15. Some key principles are data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability, in line with the CIA triad. I would collaborate with the HR team to examine the organization's human capital (employees, contractors, and vendors), their job titles, duties, and responsibilities, to identify any vulnerabilities and threats. I would also collaborate with the administrative team on the current state of the organization's building, whether it is conducive to the type of business and to the safety of its people, and what amendments to make going forward.
Since the firm wishes to move forward with its service by utilizing cloud infrastructure to facilitate digitization, a risk assessment will be undertaken using the Cyber Security Framework (CSF) to outline the benefits and drawbacks of migration.
Preliminaries must be completed to assure the organization's safety and that its data is very secure in the cloud. The on-premises solution is an option, but it may be more susceptible to vulnerabilities and threats. With it, the organization has complete control over its IT infrastructure and data and is responsible for all security upgrades and patches, which can be time-consuming and costly. Employees have restricted access to information. Unexpected natural disasters can disrupt business operations, resulting in extended downtime and loss of business and reputation.
A quantitative analysis can help identify the level of risk the organization is willing to accept by measuring the Annualized Loss Expectancy (ALE), which quantifies the expected annual impact on the organization's assets. The Single Loss Expectancy (SLE) and the Annual Rate of Occurrence (ARO) combine to create the ALE, which is measured in dollars: ALE = SLE x ARO. The SLE is the amount of money the organization would lose if a specific threat materialized just once; it is calculated as SLE = Asset Value (AV) x Exposure Factor (EF), where EF is the expected percentage of loss to an asset due to a certain threat. The ARO is the number of times a specific risk event is expected to occur annually.
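The ALE calculation above, carried through for the organization's PII database, as an added example that is not part of the original essay; it also extends the formula to the standard control cost-benefit check (ALE before minus ALE after minus annual cost of the control). The asset value, exposure factor, occurrence rates and control cost are constructed for illustration.

```python
"""Quantitative risk analysis for the PII data store: SLE, ALE and control value.

Added example, not from the original essay. All dollar figures, exposure
factors and occurrence rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, valued in dollars and occurrences per year."""
    threat: str
    asset_value: float      # AV: value of the asset (replacement cost, liability) in dollars
    exposure_factor: float  # EF: fraction of AV lost when the threat materializes once
    aro: float              # ARO: expected number of occurrences per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost of the control.

    Positive means the control pays for itself; negative means the residual risk
    is cheaper to accept than the control, or a different control is needed.
    """
    return ale(before) - ale(after) - annual_control_cost


# Constructed scenario: the PII database is breached through an unpatched server
# about once every four years; a managed patching and monitoring service is the
# candidate control and is expected to cut the ARO to once every twenty years.
BREACH_BEFORE = Scenario("PII database breach", asset_value=2_000_000, exposure_factor=0.30, aro=0.25)
BREACH_AFTER = Scenario("PII database breach", asset_value=2_000_000, exposure_factor=0.30, aro=0.05)
PATCHING_SERVICE_COST = 60_000  # constructed annual cost of the control in dollars

if __name__ == "__main__":
    print(f"SLE:                ${sle(BREACH_BEFORE):,.0f}")
    print(f"ALE before control: ${ale(BREACH_BEFORE):,.0f}")
    print(f"ALE after control:  ${ale(BREACH_AFTER):,.0f}")
    print(f"Value of control:   ${safeguard_value(BREACH_BEFORE, BREACH_AFTER, PATCHING_SERVICE_COST):,.0f}")
```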
Identifying a CSP is an important factor in determining where the organization's PII will be managed and stored. PII collected, managed, and stored outside of the country's borders is subject to little or no jurisdiction and few laws to protect it. Another important factor is whether data centers are located in areas of known geographical instability (earthquakes, tornadoes, and flooding).
A Business Impact Plan (BIP) can assist in identifying the level of each Critical Business Function (CBF). There are numerous methods for determining the amount of impact of a disaster. Maximum Tolerable Downtime (MTD) is the total amount of time an essential business function can be unavailable without causing significant long-term damage to the organization. A Recovery Time Objective (RTO) is the planned time for restoring a system to the point where it was working flawlessly. When the MTD is exceeded, unexpected disasters can occur; therefore, the RTO must be less than or equal to the MTD, as best corresponds with the organization and the CSP.
Disgruntled and departed employees, whether they left voluntarily or involuntarily, can sabotage data confidentiality, integrity, and accessibility, and confiscate data, which can be viewed as an insider risk that can halt the organization's operations. A lack of ventilation and fire exits and poor fire suppression systems can endanger both employees and the organization.
According to the US International Traffic in Arms Regulations (ITAR) and the Canada Security Information Act, PII data acquired, processed, and stored within its borders will be more secure, regulated by laws, and subject to government request. Economic advantages will also encourage operators of data processing centers to establish facilities near national borders. In this case, a private CSP Software as a Service (SaaS) model would be the preferable solution for the organization to operate.
A CSP would be responsible for all IT infrastructure, security, applications, and databases. There would be little or no downtime, unlimited access, and low cost. It is important to ensure that the CSP SLA provides risk transference, which involves shifting the responsibilities and potential losses of risks to third parties, also known as risk insurance. The availability of the PII data, meaning its accessibility, usability, and timeliness, must also be covered. System and Organization Controls (SOC) 2, the ISO/IEC 27043:2015 industry standard, the data remanence industry standard, and Business Continuity (BCP) and Data Recovery Plans (DR) to mitigate disasters are key factors that must be agreed upon.
The organization should have well-defined policies and procedures for handling separation of duties and job rotation. Reviewing employees' access to data and evaluating the need for continued access are ways to mitigate risks. In order to protect the security of its systems and data, the organization must carefully consider hiring suitable people for positions by conducting background checks on applicants. Onboarding employees are required to agree to and sign the organization's Employment Agreements and Policies (EAP). Employees must be reminded of their responsibility to protect the organization's systems and data and to report any security incidents. Onboarding employees would undergo security orientation training. Recertification is a useful way to make sure all parties with access continue to adhere to the organization's standards. Employees and other parties with access to system information must go through regular security awareness training. On a quarterly basis the organization should do a Security Conduct Audit (SCA) to ensure its security and privacy controls remain effective. Appropriate care must be taken when employees exit the organization: suspending electronic access, recovering their access badge and equipment, and accounting for and changing the key codes on cipher locks that the employees used are among many standard practices to mitigate risks.
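The access review and offboarding controls described above, turned into a quarterly recertification check, as an added example that is not part of the original essay. The HR roster, IAM account export, group names and the 90-day recertification window are constructed for illustration.

```python
"""Quarterly access recertification: reconcile the HR roster with the IAM export.

Added example, not from the original essay. Roster, accounts and group names
are constructed; the 90-day window matches a quarterly audit cadence.
"""
from datetime import date

# Constructed HR roster: employment status as HR records it.
HR_ROSTER = {
    "alice": {"status": "active",   "role": "data_analyst", "exit_date": None},
    "bob":   {"status": "departed", "role": "dba",          "exit_date": date(2023, 3, 31)},
    "carol": {"status": "active",   "role": "dba",          "exit_date": None},
}

# Constructed IAM export: who can reach the PII database and when access was last recertified.
IAM_ACCOUNTS = [
    {"user": "alice",   "enabled": True, "groups": ["pii_read"],              "last_recert": date(2023, 1, 15)},
    {"user": "bob",     "enabled": True, "groups": ["pii_read", "pii_admin"], "last_recert": date(2022, 11, 1)},
    {"user": "carol",   "enabled": True, "groups": ["pii_admin"],             "last_recert": date(2023, 4, 2)},
    {"user": "svc_old", "enabled": True, "groups": ["pii_read"],              "last_recert": None},
]

RECERT_DAYS = 90  # constructed: quarterly review window


def recertify(roster, accounts, today):
    """Return (user, finding) pairs for departed users still enabled, orphan
    accounts with no HR record, and enabled accounts whose last recertification
    is missing or older than RECERT_DAYS."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan: account has no HR record"))
        elif person["status"] == "departed" and acct["enabled"]:
            findings.append((user, f"departed {person['exit_date']} but still enabled"))
        if not acct["enabled"]:
            continue  # disabled accounts need no recertification
        last = acct["last_recert"]
        if last is None or (today - last).days > RECERT_DAYS:
            findings.append((user, "recertification overdue"))
    return findings


# Run the check as of a constructed audit date.
EXAMPLE_FINDINGS = recertify(HR_ROSTER, IAM_ACCOUNTS, date(2023, 4, 30))

if __name__ == "__main__":
    for user, finding in EXAMPLE_FINDINGS:
        print(f"{user}: {finding}")
```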
The organization must have a BCP in place to protect its most important operations and stakeholders (employees, contractors, clients, and vendors), and to function effectively in an emergency situation at a level of service that satisfies legal and regulatory standards.
To avoid IT failures, the BCP must include the procedures and controls for thorough system and data backups, including multiple backup copies of the most important systems and data, and keeping those backup copies encrypted in numerous on-site and cloud locations within its territorial jurisdiction. Sensitive data traversing between networks, and its backups, must be encrypted. In order to ensure continuous operation in the event of failures, two secure, encrypted Internet Service Provider (ISP) lines that can fail over automatically are required to mitigate risks.
To maintain the organization's operations, the building must have a variety of redundancies, including a central Uninterruptible Power Supply (UPS) to keep vital IT systems running for a while and a generator to continuously power the building and the UPS until the electricity is restored. The UPS must be checked frequently to monitor its power output, and the generator must be checked frequently to make sure it has enough fuel to operate. Regular building maintenance is required to ensure that fire equipment is operational, and fire safety training is critical to keeping employees safe and the organization running. In the event of a disaster, the BCP must ensure that its employees are safe during and after the event and that they have access to other work sites and basic survival essentials.
To protect sensitive data from an organizational standpoint, Microsoft's STRIDE threat modelling approach, among other standards and regulations, would be implemented. Tampering, repudiation, information disclosure, and elevation of privilege are some of its major aspects to consider in maintaining the CIA triad. In the cloud environment it is critical to encrypt sensitive data and to maintain the key outside of the cloud environment where the data lives. A Cloud Access Security Broker (CASB) would be used to monitor, identify, and safeguard all cloud operations, as well as to implement centralized control to enforce security.
To summarize, Canada Post should relocate its operations to a private cloud within its geographical borders, where it will have greater control over its systems and data, which are governed and regulated by laws within its borders to assure security. The CSP SLA must be verified to adhere to the industry standards, guidelines, and legislation applicable to the organization's geographical border. To manage risks at all levels within the organization, the organization must have well-defined policies and procedures for organizational restructuring, onboarding new employees, exiting employees, and continual security awareness training.
The organization must have a BCP outlining policies and processes to address any failures and sustain its operations regardless of the amount of risk. It is advised to have numerous local sites to store encrypted sensitive data and various encrypted cloud storage locations within its geographical border to store sensitive data backups. It is also recommended to have a well-documented Disaster Recovery Plan (DRP) as a countermeasure to aid business operations. It is essential that the organization keep up to date with industry standards and regulations in order to further secure sensitive data and prevent penalties.
