You will proceed through a number of steps in developing the final RFP,
service level agreement (SLA), and cloud statement of work
(SOW). For Audit Learners, you will not submit your documents, and will
instead use your documents to complete the self-assessments and
exams. For Verified Learners, you will submit your documents as a final
project, and as interim deliverables. The executive board will evaluate your
RFP, SLA, and SOW based on the degree to which you are able to apply
industry best-practices and standards to meet the business needs of the
BallotOnline organization in migrating the selected system to the cloud
platform.
The first step is to decide which legacy system or service will be migrated.
It is important to examine the benefits and disadvantages of migrating a
particular legacy system to the cloud to understand potential security,
financial, workload-related, and relevant cloud-specific compliance issues
that would make certain systems or services better candidates for cloud
migration than others.
The cloud computing model requires a shift away from locally controlled systems,
which can lead to concerns about compliance with privacy regulations. Privacy
regulations are not consistent worldwide, so there is a risk of liability if
an organization shifts to the cloud and the cloud provider does not comply with
privacy regulations. The European Union (EU) has very strict privacy protections,
and failure to comply can result in substantial financial penalties and/or
sanctions. According to the Council of European Professional Informatics
Societies, there are two main privacy-related issues: 1) loss of control over data,
and 2) dependence on an external cloud provider.
Compliance Issues
In a cloud environment, there are compliance issues that are not present in a
traditional on-premise IT environment.
Your cloud provider may need to meet the same regulatory policies and procedures
that you must comply with. You have to make sure that your contract with the
provider outlines how the provider will achieve compliance and enforcement, as
well as the penalties it will incur for failures.
How does multi-tenancy in a cloud environment affect security and compliance
requirements?
Where is the cloud provider's data center located? You need to know where your
data is because you may have to comply with regulations.
Best Practices
When considering whether to adopt a cloud computing model, you need to
consider which practices to adopt. Best practices associated with cloud
computing may include (in no particular order):
Fully assess the needs of the business, by engaging with stakeholders early in the process:
    Perform needs analysis
    Analyze current IT processes
    Seek buy-in from management
Identify cloud solutions that offer the following characteristics:
    Mature and evolving self-service management solutions
    On-demand and quick elasticity
    Extensive reporting capabilities
    End-to-end automated management solutions
Create a compliance program:
    Conduct compliance training
    Designate a compliance officer with ultimate responsibility for compliance matters
    Create and update policies and procedures
    Audit and report on policy compliance
Assess performance of systems on the existing platform to establish a baseline, and then perform an assessment on the cloud platform:
    Acquire baseline performance standard
    Perform user acceptance testing
    Perform regular monitoring to quickly identify potential issues
    Make regular adjustments to the systems based on growth
Industry best-practices and standards:
Many industries have specific compliance requirements, and failure to meet those
requirements can lead to criminal prosecution, monetary fines, and/or civil
sanctions. Examples include:
(Dodd-Frank)
Elections | Help America Vote Act of 2002 (HAVA) | Election Assistance Commission
          | Federal Election Campaign Act        | Federal Election Commission