Many organizations have adopted cloud computing. In this assignment, you will research cloud computing and explore its advantages and disadvantages. You will also consider best practices for adopting cloud computing, selecting a particular cloud computing service model, and assessing and mitigating security risks. (3–4 pages)
For your research, please consult Chapters 13 and 14 of your lecture slides (PPT) and these articles:
"A Brief Review: Security Issues in Cloud Computing and Their Solutions."
"Cloud Computing Security Risks: Identification and Assessment."
"Cloud Computing – Recent Trends in Information Technology."
Note: If you wish, you may consult additional articles, but this is not required.
Requirements
Specifically, you will write a 3–4-page paper in which you:
1. Outline the planning process that needs to be in place before adopting cloud computing.
2. Be sure to identify the stakeholders who need to be involved and the discussions that need to take place.
3. Evaluate the advantages and disadvantages of cloud computing.
4. Describe the methodology you would use to select a cloud computing service model.
5. Review the security risks and mitigation activities that need to take place before adopting cloud computing.
Locate and integrate at least three quality, peer-reviewed academic resources written within the past five years into the assignment.
· Include your textbook as one of your resources.
· Wikipedia and similar websites do not qualify as quality resources.
Formatting
This course requires the use of APA Writing Standards. Note the following:
The preferred method is for your paper to be typed, double-spaced, using Times New Roman font (size 12), with one-inch margins on all sides.
Include a cover page containing the assignment title, your name, your professor's name, the course title, and the date. The cover page is not included in the required page length.
Include a source list page. Citations and references must follow the APA format. The source list page is not included in the required page length.
William Stallings Effective Cybersecurity 1st Edition
Lecture slides prepared for “Effective Cybersecurity”, 1/e, by William Stallings.
Slide 1
Chapter 13
Supply Chain Management and Cloud Security
This chapter is concerned with security services related to the use of external providers/vendors of products and services. It begins with an introduction to the concept of supply chain and supply chain management issues. Next, it examines the application of risk management and risk assessment policies and procedures to the security concerns related to supply chain management.
The remainder of the chapter looks at a significant type of external provision, namely cloud computing services, and deals with the issues peculiar to this topic. Section 13.3 introduces basic concepts of cloud computing, and Section 13.4 discusses cloud security from the point of view of the cloud service customer.
Slide 2
Information and communications technology (ICT)
Refers to the collection of devices, networking components, applications, and systems that together allow people and organizations to interact in the digital world. ICT is sometimes used synonymously with IT; however, ICT represents a broader, more comprehensive list of all components related to computer and digital technologies than IT.
Slide 3
The supply chain
Traditionally, a supply chain was defined as the network of all the individuals, organizations, resources, activities, and technology involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual delivery to the end user. In this traditional use, the term applies to the entire chain of production and use of physical products. The chain can link a number of entities, beginning with raw materials suppliers, through manufacturers, wholesalers, retailers, and consumers.
More recently, the term supply chain has been used in connection with information and communications technology (ICT). National Institute of Standards and Technology (NIST) SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, defines the term ICT supply chain as follows:
Linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of ICT products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer. Note: An ICT supply chain can include vendors, manufacturing facilities, logistics providers, distribution centers, distributors, wholesalers, and other organizations involved in the design and development, manufacturing, processing, handling, and delivery of the products, or service providers involved in the operation, management, and delivery of the services.
Slide 4
An enterprise procures the following from external sources:
Services: Examples include cloud computing services, data center services, network services, and external auditing services.
Software/data: Examples include operating system and application software and databases of information, such as threat information.
Hardware/products: Examples include computer and networking equipment. The procured items are often for internal use but can be packaged, integrated, or otherwise prepared for sale to external customers.
Figure 13.1 indicates three types of flows associated with a supply chain:
■ Product/service flow: A key requirement is a smooth flow of an item from the provider to the enterprise and then on to the internal user or external customer. The quicker the flow, the better it is for the enterprise, as it minimizes the cash cycle.
■ Information flow: Information flow comprises the request for quotation, purchase order, monthly schedules, engineering change requests, quality complaints, and reports on supplier performance from the customer side to the supplier. From the producer’s side to the consumer’s side, the information flow consists of the presentation of the company, offer, confirmation of purchase order, reports on action taken on deviation, dispatch details, report on inventory, invoices, and so on.
■ Money flow: On the basis of the invoice raised by the producer, the clients examine the order for correctness. If the claims are correct, money flows from the clients to the respective producer. Flow of money is also observed from the producer side to the clients in the form of debit notes.
Slide 5
Supply chain management (SCM) is the active management of supply chain activities to maximize customer value and achieve a sustainable competitive advantage. It represents a planned initiative by the enterprise to develop and run supply chains in the most effective and efficient ways possible. Supply chain activities cover everything from product development, sourcing, production, and logistics to the information systems needed to coordinate these activities.
Figure 13.2 illustrates a typical sequence of elements involved in supply chain management.
The elements of supply chain management include the following:
Demand management: This function recognizes all demands for goods and services to support the marketplace. It involves prioritizing demand when supply is lacking. Proper demand management facilitates the planning and use of resources for profitable business results.
Supplier qualification: This function provides an appropriate level of confidence that suppliers, vendors, and contractors are able to supply consistent quality of materials, components, and services in compliance with customer and regulatory requirements. An integrated supplier qualification process should also identify and mitigate the associated risks of materials, components, and services.
Supplier negotiation: In this process of formal communication, two or more people come together to seek mutual agreement on an issue or issues. Negotiation is particularly appropriate when issues besides price are important for the buyer or when competitive bidding does not satisfy the buyer’s requirements on those issues.
Sourcing, procurement, and contract management: Sourcing refers to the selection of a supplier or suppliers. Procurement is the formal process of purchasing goods or services. Contract management is a strategic management discipline employed by both buyers and sellers whose objectives are to manage customer and supplier expectations and relationships, control risk and cost, and contribute to organizational profitability/success. For successful service contract administration, the buyer needs to have a realistic degree of control over the supplier’s performance. Crucial to success in this area is the timely availability of accurate data, including the contractor’s plan of performance and the contractor’s actual progress.
Logistics and inventory control: In this context, logistics refers to the process of strategically managing the procurement, movement, and storage of materials, parts, and finished inventory (and the related information flows) through the organization and its marketing channels. Inventory control is the tracking and accounting of procured items.
Invoice, reconciliation, and payment: This is the process of paying for goods and services.
Supplier performance monitoring: This function includes the methods and techniques for collecting information to be used to measure, rate, or rank supplier performance on a continuous basis. Performance refers to the ability of the supplier to meet stated contractual commitments and enterprise objectives.
Slide 6
Supply chain risk management (SCRM) is the coordinated efforts of an organization to help identify, monitor, detect, and mitigate threats to supply chain continuity and profitability. SCRM, in essence, applies the techniques of risk assessment, as discussed in Chapter 3, “Information Risk Assessment,” to the supply chain. All the techniques discussed in that chapter are relevant to this discussion of SCRM.
NIST has published two useful documents related to SCRM. SP 800-161 describes the SCRM process, provides a detailed description of supply chain threats and vulnerabilities, and defines a set of security controls for SCRM. NISTIR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, focuses on best practices for SCRM. NIST also maintains a website devoted to SCRM that includes a number of industry papers on the subject.
Figure 13.3, from SP 800-161, illustrates the risk assessment process applied to the supply chain (compare Figure 13.1). Like any other form of risk assessment, SCRM risk assessment begins with an analysis of threats and vulnerabilities. As shown in Figure 13.3, threats come from either an adversarial source that intends deliberate harm or from a non-adversarial source, which is an unintentional threat. Vulnerabilities in the supply chain can be external to the organization or internal.
Once the threats and vulnerabilities are determined, it is possible to estimate the likelihood of a threat being able to exploit a vulnerability to produce harm. Risk assessment then involves determining the impact of the occurrence of various threat events.
Slide 7
Supply chain risk assessment is a specific example of the risk assessment done by an organization and is part of the risk management process depicted in Figures 3.2 and 3.3.
SP 800-161 makes use of a risk management model defined in SP 800-39, Managing Information Security Risk, shown in Figure 13.4. The model consists of three tiers:
Tier 1: This tier is engaged in the development of the overall ICT SCRM strategy, determination of organization-level ICT SCRM risks, and setting of the organization-wide ICT SCRM policies to guide the organization’s activities in establishing and maintaining an organization-wide ICT SCRM capability.
Tier 2: This tier is engaged in prioritizing the organization’s mission and business functions, conducting mission/business-level risk assessment, implementing Tier 1 strategy and guidance to establish an overarching organizational capability to manage ICT supply chain risks, and guiding organization-wide ICT acquisitions and their corresponding system development life cycles (SDLCs).
Tier 3: This tier is involved in specific ICT SCRM activities applied to individual information systems and information technology acquisitions, including integration of ICT SCRM into these systems’ SDLCs.
Slide 8
Richard Wilding’s blog post “Classification of the Sources of Supply Chain Risk and Vulnerability” [WILD13] provides a useful perspective on categorizing supply chain risk areas. In general terms, supply chain risks may be either external or internal, as illustrated in Figure 13.5. The external risks are as follows:
Demand: Refers to disturbances to the flow of product, information, or cash from within the supply chain between the organization and its market. For example, disruptions in the cash resource within the supply chain needed to pay the organization can have a major impact on the operating capability of organizations.
Supply: The upstream equivalent of demand risk; it relates to potential or actual disturbances to the flow of product or information from within the supply chain between the organization and its suppliers. In a similar way to demand risk, the disruption of key resources coming into the organization can have a significant impact on the organization’s ability to perform.
Environmental: The risk associated with external and, from the firm’s perspective, uncontrollable events. The risks can impact the firm directly or through the firm’s suppliers and customers. Environmental risk is broader than just natural events like earthquakes or storms. It also includes, for example, changes created by governing bodies such as changes in legislation or customs procedures, as well as changes in the competitive climate.
The internal risks are as follows:
Processes: The sequences of value-adding and managerial activities undertaken by the firm. Process risk relates to disruptions to key business processes that enable the organization to operate. Some processes are key to maintaining the organization’s competitive advantage, while others can underpin the organization’s activities.
Controls: The rules, systems, and procedures that govern how an organization exerts control over processes and resources. In terms of the supply chain, controls may relate to order quantities, batch sizes, safety stock policies, and so on, plus the policies and procedures that govern asset and transportation management. Control risk is therefore the risk arising from the application or misapplication of these rules.
Contingency: The existence of a prepared plan and the identification of resources that are mobilized in the event of a risk being identified. Contingency plans may encompass inventory, capacity, dual sourcing, distribution and logistics alternatives, and backup arrangements.
Slide 9
Intellectual property rights (IPR)
Rights to the body of knowledge, ideas, or concepts produced by an entity that are claimed by that entity to be original and of copyright-type quality.
Slide 10
Key performance indicators (KPIs)
Quantifiable measurements, agreed to beforehand, that reflect the critical success factors of an organization.
Slide 11
Table 13.1 Supply Chain Threat Considerations (the table is on pages 456-457 in the textbook)
Table 13.1, from SP 800-161, provides examples of threat considerations and different methods that can be used to characterize ICT supply chain threats at different tiers. These considerations provide an organized way of approaching the threat analysis that is part of risk assessment.
Slide 12
Exfiltration
A malware process that automates the sending of harvested victim data, such as login credentials and cardholder information, back to an attacker-controlled server.
Slide 13
Table 13.2 Adversarial Supply Chain Threat Events (the table is on pages 457-458 in the textbook)
As indicated in Figure 13.3, threats are categorized as adversarial or non-adversarial. It is very useful for an organization to have a reliable list of the types of events in each category in order to ensure that all threats are considered in the threat analysis. Table 13.2, from SP 800-161, lists possible adversarial threat events, broken down into seven distinct areas. As shown, the task of threat analysis is formidable.
In the category of non-adversarial threat events, SP 800-161 lists the following:
An authorized user erroneously contaminates a device, an information system, or a network by placing on it or sending to it information of a classification/sensitivity that it has not been authorized to handle. The information is exposed to access by unauthorized individuals, and as a result, the device, system, or network is unavailable while the spill is investigated and mitigated.
An authorized privileged user inadvertently exposes critical/sensitive information.
A privileged user or administrator erroneously assigns a user exceptional privileges or sets privilege requirements on a resource too low.
Processing performance is degraded due to resource depletion.
Vulnerabilities are introduced into commonly used software products.
Multiple disk errors may occur due to aging of a set of devices all acquired at the same time, from the same supplier.
Slide 14
Table 13.3 Supply Chain Vulnerability Considerations (the table is on pages 459-460 in the textbook)
As with threats, SP 800-161 provides guidance on tier-based analysis of supply chain vulnerabilities. Table 13.3 provides a systematic way of working down from tier 1 through tier 3 to consider all vulnerabilities.
For example, in tier 1, a type of vulnerability is a deficiency or weakness in organizational governance structures or processes, such as a lack of an ICT SCRM plan. Ways to mitigate this vulnerability include providing guidance on how to consider dependencies on external organizations as vulnerabilities and seeking out alternative sources of new technology, including building in-house.
An example of a vulnerability at tier 2 is no budget being allocated for the implementation of a technical screening for acceptance testing of ICT components entering the SDLC as replacement parts. The obvious remedy is to determine a reasonable budget allocation.
An example of a vulnerability at tier 3 is a discrepancy in system functions not meeting requirements, resulting in substantial impact to performance. The mitigation approach is to initiate the necessary engineering change.
Slide 15
Supply chain security controls
SP 800-161 provides a comprehensive list of security controls for SCRM. These controls are organized into the following families:
■ Access control
■ Awareness and training
■ Audit and accountability
■ Security assessment and authorization
■ Configuration management
■ Contingency planning
■ Identification and authentication
■ Incident response
■ Maintenance
■ Media protection
■ Physical and environmental protection
■ Planning
■ Program management
■ Personnel security
■ Provenance
■ Risk assessment
■ System and services acquisition
■ System and communications protection
■ System and information security
All these control families, with the exception of the provenance family, are adapted for the specific needs of SCRM from the security controls defined in SP 800-53.
Slide 16
Provenance controls
There is a new family of controls provided in SP 800-161 that does not appear in SP 800-53, known as provenance controls. SP 800-161 defines provenance as follows:
“For ICT SCRM, the records describing the possession of, and changes to, components, component processes, information, systems, organization, and organizational processes. Provenance enables changes to the baselines of components, component processes, information, systems, organizations, and organizational processes, to be reported to appropriate actors, functions, locales, or activities.”
The concept of provenance relates to the fact that all systems and components originate at some point in the supply chain and can be changed throughout their existence. The recording of system and component origin, along with the history of the changes to it and of who made those changes, is called provenance.
Slide 17
Provenance controls
The three security controls in the SP 800-161 provenance family deal with creating and maintaining provenance within the ICT supply chain. The objective is to enable enterprise agencies to achieve greater traceability in the event of an adverse event, which is critical for understanding and mitigating risks. The three security controls in this family are:
Provenance policy and procedures: Provides guidance for implementing a provenance policy.
Tracking provenance and developing a baseline: Provides details concerning the tracking process.
Auditing roles responsible for provenance: Indicates the role auditing plays in an effective provenance policy.
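As an added illustration, not taken from the textbook or from SP 800-161, of what tracking provenance against a baseline and auditing the records can look like in practice: a hash-chained ledger of custody and change records for a hypothetical component, where departures from the accepted baseline are routed to an assumed set of roles and an audit check detects tampered records. The component name, attribute names, digest placeholders and the role mapping are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

GENESIS = "0" * 64  # digest that precedes the first record
def _chain_digest(prev_digest: str, payload: dict) -> str:
    """SHA-256 over the previous digest plus the canonical JSON of this record."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + body).hexdigest()

@dataclass
class ProvenanceRecord:
    seq: int
    component: str    # the ICT component being tracked
    custodian: str    # who possesses the component at this step
    event: str        # "baseline", "transferred" or "modified"
    attribute: str    # which tracked attribute the record concerns
    value: str        # value of that attribute after the event
    prev_digest: str
    digest: str

    def payload(self) -> dict:
        d = asdict(self)
        d.pop("digest")   # the digest covers everything except itself
        return d

class ProvenanceLedger:
    # Assumed reporting map: the role told when an attribute departs from baseline.
    REPORT_TO = {"custodian": "procurement",
                 "firmware_sha256": "security-engineering",
                 "version": "configuration-management"}

    def __init__(self) -> None:
        self.records: List[ProvenanceRecord] = []
        self.baseline: Dict[str, Dict[str, str]] = {}

    def _append(self, component: str, custodian: str, event: str,
                attribute: str, value: str) -> None:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = ProvenanceRecord(len(self.records), component, custodian, event,
                               attribute, value, prev, "")
        rec.digest = _chain_digest(prev, rec.payload())
        self.records.append(rec)

    def set_baseline(self, component: str, custodian: str, attrs: Dict[str, str]) -> None:
        """Record the accepted state of a component; later changes are judged against it."""
        self.baseline[component] = dict(attrs, custodian=custodian)
        for attr, val in self.baseline[component].items():
            self._append(component, custodian, "baseline", attr, val)

    def transfer(self, component: str, new_custodian: str) -> None:
        self._append(component, new_custodian, "transferred", "custodian", new_custodian)

    def modify(self, component: str, custodian: str, attribute: str, value: str) -> None:
        self._append(component, custodian, "modified", attribute, value)

    def current_state(self, component: str) -> Dict[str, str]:
        """Replay the ledger to obtain the latest value of every tracked attribute."""
        state: Dict[str, str] = {}
        for r in self.records:
            if r.component == component:
                state[r.attribute] = r.value
        return state

    def deviations(self, component: str) -> List[dict]:
        """Changes relative to the baseline, each tagged with the role to notify."""
        base = self.baseline.get(component, {})
        now = self.current_state(component)
        return [{"attribute": a, "baseline": v, "current": now.get(a),
                 "report_to": self.REPORT_TO.get(a, "risk-owner")}
                for a, v in base.items() if now.get(a) != v]

    def verify_chain(self) -> bool:
        """Audit the ledger: every digest must still match its chained contents."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            if r.seq != i or r.prev_digest != prev or r.digest != _chain_digest(prev, r.payload()):
                return False
            prev = r.digest
        return True

def demo() -> ProvenanceLedger:
    """Constructed scenario: a card's firmware changes after it leaves the vendor."""
    led = ProvenanceLedger()
    led.set_baseline("nic-batch-42", "vendor-A",
                     {"firmware_sha256": "fw-digest-baseline", "version": "1.0"})
    led.transfer("nic-batch-42", "integrator-B")
    led.modify("nic-batch-42", "integrator-B", "firmware_sha256", "fw-digest-unexpected")
    return led
```

Running `demo()` and then `deviations("nic-batch-42")` reports the custodian change to procurement and the firmware change to security engineering, while `verify_chain()` fails as soon as any stored record is altered after the fact.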
Slide 18
SCRM best practices
There are a number of useful sources of guidance for best practices for SCRM, including the Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security (SGP), NISTIR 7622, and the ISO 28000 series on supply chain security. The ISO series includes the following standards documents:
ISO 28000, Specification for Security Management Systems for the Supply Chain
ISO 28001, Best Practices for Implementing Supply Chain Security, Assessments and Plans – Requirements and Guidance
ISO 28003, Requirements for Bodies Providing Audit and Certification of Supply Chain Security Management Systems
ISO 28004, Guidelines for the Implementation of ISO 28000
Supply chain risk management must be conducted as part of the overall risk management function in an organization. Thus, ultimately, a chief information security officer (CISO) or a person in a similar position is responsible for overseeing risk management and risk assessment for all the functions of an organization, including supply chain risk management.
Slide 19
Cloud computing
Enterprise cloud computing
Involves moving a substantial portion, or even all, IT operations to an Internet-connected infrastructure
NIST defines cloud computing in NIST SP 800-145, The NIST Definition of Cloud Computing, as follows:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
There is an increasingly prominent trend in many organizations, known as enterprise cloud computing, that involves moving a substantial portion