Itc 568 Cloud Privacy And Assessment Answers

The DAS (Department of the Administrative Service) is responsible for delivering many services for the various departments of the state government in Australia. The data centre of the DAS is the one who is accountable for delivering the services for the department. A new service provider has been introduced to DAS in order to upgrade the existing system named ‘SaaS’ (Software-as-a-Service),

which is a centrally hosting licensed model and software delivery services. A team of two members is being introduced to the management for the delivery of a risk management program, which will be helpful in identifying the threats and risks to the privacy and security of employee’s data, who are employed in DAS. Following report presents a severity matrix in order to show the likelihood, priority and the impact of the identified risks and threats. They are rated based on the consideration.

1. Cloud Computing: Cloud computing can lead to various security issues related to the information of the employees that are being saved on the Cloud. Saving files and information on the internet makes it vulnerable to cyber-attacks and data breaches. Considering latest data breaches it can be said that cybercrimes are the real concern for this new digital world.
2. Poor configuration:It can be considered as a pre-existing threat that was complete responsibility of the providers and suppliers. Poor configured system can easily be breached by the intruders and could lead to several security issues related to the employees of DAS (Lafuente, 2015). Proper IT team should be appointed before making purchase of computers in order to pre-check the supplies.
3. Weak security architecture or non-existing of security architecture:Weak security architecture of the network is another important aspect that can lead expose of personal and sensitive information and alternatively affect the security of the employees and the organization too. There should be updated and always presence of a security architecture for the network that is being used within the organization.

Personal information is defined in the Privacy Act 1988 as: “...information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Management of personal information is an important process by Government Agencies to ensure provision of proper and considerate services to their respective citizens. Improper management of personal information may cause compromise of critical data of individuals.

Efficient and efficient delivery by the Administrative Services demands end to end responsibility to ensuring secure and reliable protection of personal information. Individuals that provide their data for service provision have entrusted the respective Agency to protect and secure their data. Management of personal information compose of principles and guidelines concerning the collection, accuracy, access and correction, storage and security, use, disclosure, and transparency of the personal information ("Guidelines for the Management of Personal Information", 2013)

Collection of personal information requires that only necessary information of the targeted information should be collected to ensure relevance for the service delivery. This is to avoid other unnecessary information from being stored that does not concern the provision of the administrative services.

Accuracy, access, and correction of personal information demands that collected personal information should be accurate without any perceivable errors. Individuals should have access to their personal information as well make necessary correction according to the procedure outlined by the Administrative services.

Storage and security is a part of management of personal information that ensures no misuse or loss of personal information as well as prevention of inappropriate disclosure.

Moreover, collected personal information should only be used for the primary purpose it was intended for. The Administrative Service Agency should table measures that prevent personal information from being inappropriately used.

Disclosure of personal information should not be allowed to people, organizations or any third parties that do not concern the primary purpose of the collected personal data.

A part of integrity of personal information is transparency, transparency ensures that the stored information is availed to the public when demand arises according to accessibility guidelines provided by the Administrative Services.

collection and management of solicited personal information

The Australian Privacy Principle 3(APP3) outlines the collection of solicited personal information a process whereby an APP entity solicits personal information if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information ("Chapter 3: APP 3 — Collection of solicited personal information| Office of the Australian Information Commissioner - OAIC", 2014).

Personal information can be collected by an agency where it is reasonably necessary for, or directly related to the agency's functions and activities. This explains that personal information should not be collected for purposes apart from the organization's predefined functions and activities outlined in their guideline. Any organization, may only collect personal information from individuals and from other organizations where it is necessary for the organization's functions and activities. Both agencies and organizations collecting the information should do so by lawful and fair means. Moreover, personal information should only be collected from the concerned individual whenever possible, unless it is not reasonable or inapplicable.

APP3 states that all personal information help by any entity such as the administrative services is generally treated as information that was collected by the entity from different people to form the meta data.

Solicited personal information include personal information provided only by the individual in response to a request or an order by agencies or organizations, personal information provided by another entity in ensuring the sharing and transferring of the personal information by both involved parties, personal information provided at an official meeting, where one way or another relates to the interest of the purpose of the collected data.

Individuals who are providing their personal information agencies or organizations should express consent; which implies that the individual is well informed of an understanding of the implications of their data being collected in terms of the purpose of their collected data and the security measures put in place to safeguard their information without being coerced. The individual can only give consent voluntarily whereby the consent is current and specific.

Use and disclosure of personal information

The collection of personal information is one thing while its disclosure is another thing altogether, according to APP6, the use and disclosure of personal information, An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies ("Chapter 6: APP 6 — Use or disclosure of personal information| Office of the Australian Information Commissioner - OAIC", 2014).

The purpose of which personal information is collected also known as 'primary purpose' of collection is the and specific reason for which the entity intended for the collected personal information.

The secondary purpose where an exception applies outline other functions apart from the primary activity that was hitherto intended by the Administrative Agency. The exceptions include:

1. The APP entity is an organization a permitted health circumstance exists in relation to the secondary use or disclosure of the personal information which requires the individual personal health records for provision of efficient health services.
2. The secondary use or disclosure of personal information is required or authorized by or under an Australian law or a court/tribunal order specified by the Australian Constitution of the privacy act.
3. The APP entity is an Agency that discloses biometric information or biometric templates to an enforcement body, and the disclosure is done according to the provided guidelines made by the Information Commissioner for the purpose of the APP.
4. The individual whose personal information is collected from has consented to a specified secondary use or disclosure of personal information.
5. The individual would reasonably have expected that the Administrative Services would use or disclose their personal information for that secondary purpose and that the specified purpose relates to the primary purpose of data collection.

However, the use and disclosure of personal information by an organization does not apply to the collection of personal information for direct marketing or government related identifiers.

Use and security of digital identities

With the rise of digitalization of everything technological possible, with innovations such as 'cloud first ' and 'shared services', internet users leave a digital trail behind us online. The provision of personal information before access and use of online services is a huge contributor to the collection of our personal data of which when collected can statistically tell us of our identification (Himmelsbach, 2015).

A digital identity is a set of attributes related to an entity used by computer systems to represent a person, organization, application, or advice. These set of attributes may include username and password, date of birth, social security number, online history and reactions that is linked to one or more identifiers such as an email address or a URL. Modern technologies have deployed the use of digital identities for authentication and authorization where authorized personnel access the system through a Single Sign On link to a secure URL which is managed by a specified session.

Digital Identity combines different mechanisms to secure the accessibility of private information, through authentication, it determines whether users accessing applications and information are who they say they are. By authorization, it ensures that information is only accessible to those that are allowed, authorized or have the permission privilege to access it. It also uses digital signature to generate information that can be used to improve the integrity and accountability of accessed data. Finally, digital identity uses encryption to transform raw data to encrypted data to secure it as it moves over multiple networks.

The Single Sign On(SSO) is a security mechanism that used to ensure that authentication keys are only valid for one-time sign in. This prevents any possibility of leaked keys to be used by unauthorized personnel to access various systems.

Digital Identities have been collaborated with blockchain technology which is a methodology that lets organizations verify many types of transactions by leveraging a collaborative digital ledger and a predetermined network of individual contributors or keepers of the blockchain. Once transactions or other data are inside the secure blockchain ledger, cryptography takes over and verification hurdles drastically decrease the chances of data being stolen (Stanganelli, 2016). Blockchain is both private based and public based whereby, private is permission based and can only be accessed by authorized people while public is anonymous. Their combination provides a stronger security methodology for securing sensitive information over any network.

Security of personal information

Security of personal information is critical for agencies and organizations to uphold personal information with integrity. According to Australian Privacy Policy (APP 011), an entity must take reasonable steps to secure and protect personal information that it holds from unauthorized access, misuse, interference, modification, or disclosure ("Chapter 11: APP 11 — Security of personal information| Office of the Australian Information Commissioner - OAIC", 2015). It is required therefore that whenever the entity no longer needs personal information for any reasonable purpose under both primary or secondary purpose, the respective entity should take measures to destroy the personal information accordingly or ensure that the data cannot be identified whatsoever.

Implementation of strategies in enabling secure personal information include access security, ICT security, data breaches, physical security, third party providers' used security features, internal procedures, and standards for the protection of the personal information.

The security considerations that ensure security of personal information is composed of measures to avoid:

1. Misuse of personal information – this is a situation where an Agency uses personal information for a purpose that is not permitted by the Privacy Act. All organizations that hold personal information should uphold bound privacy requirements in relation to the use of personal information.
2. Interference with personal information – this occurs when an attack on personal information both internal and external. The attacks on a computer system then interferes the information held by an APP entity leads to exposure of personal information.
3. Loss of personal information – explains a situation that covers deliberate or accidental loss of personal information held by an APP entity both physically and electronically. Physical loss is whereby hard copy documents and any computer resource while electronical loss means that information is lost in an event of systems failure. This specified loss may also result from theft from unauthorized access on the data.
4. Unauthorized access of personal information – occurs when personal information that an entity holds is accessed by any individual that is not allowed to access the information. Unauthorized access can also be internal by employees or external entities.
5. Unauthorized modification of personal information – this is a scenario where stored personal information is altered by unauthorized person.
6. Unauthorized disclosure – occurs when an entity makes personal information accessible and visible to other entities outside the specified organization or release the personal information from its effective control.

Access to personal information

The Data Protection Acts, 1988 and 2003 outlines that, an individual has the right to find out, free of charge, if a person (an individual or an organization) holds information about you. Moreover, one has the right to obtain a description of explanation to be told of the purpose for holding their information as well as obtaining a copy of their personal information.

APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request ("Chapter 12: APP 12 — Access to personal information| Office of the Australian Information Commissioner - OAIC", 2014). The Australian Privacy Principle allow individual to be granted access of their information from an entity that holds their data.

However, the accessibility of personal information in guided by outlined minimum access requirements that has to be met by an individual or any third-party organization that request access of any personal information. Proper verification of individual identity is key before granting access to personal information. It approves the accessibility from documented legislation or other applicable legislation. Further processing of personal information may require the individual to abide by the Freedom of Information Act. The accessibility of any personal information under the FOI act requires an individual to meet the minimum stipulated requirements.

Organizations may refuse to grant access to individuals under the APP 12. The Australian Privacy Principle has outlaid grounds unto which individuals may be refuted access to their personal information. The grounds include:

1. Giving access of personal information may reveal the intentions of the organization in relation to the negotiations that in one way or the other prejudice those negotiations.
2. The organization reasonably believes that giving access would pose a serious threat to the life, health, and safety of any individual or the public.
3. Giving access would be unlawful.
4. Giving access would reveal evaluative information generated within the organization regarding a commercially sensitive decision?making process, among others.

Quality and correction of personal information

An APP entity must take reasonable steps to ensure that the personal information it collects, uses and discloses in regard to the primary purpose is accurate, up-to-date, complete and relevant ("Chapter 10: APP 10 — Quality of personal information| Office of the Australian Information Commissioner - OAIC", 2014). These measures are vital in ensuring that the personal information held does not have negative privacy implications to the organization.

Holding accurate personal information is essential in building trust and confidence to the related individuals as well as the society. Key measures to ensure quality of personal information must be taken when the personal information is collected and when the personal information is used or disclosed. To ensure accurate and up to date personal information, constant reviews must be made to update the information when necessary.

Reasonable measures such as implementation of principles and procedures to audit systems, identity and correct poor-quality information must be laid. Protocols must be put in place to ensure that the stored data is in consistent format both in the content and its formatting. Measures to remind individuals that their personal information is held should be reminded periodically to update and correct their information where necessary. Moreover, agencies and organizations holding personal information should contact individuals to verify the quality of the personal information held about them.

According to the Australian Privacy Principle (APP 13), an organization must take reasonable steps to correct any personal information it holds if it believes it is out of date or inaccurate, asks the individual to correct their personal information or allow individual requests to correct their personal information to do so. If any correction of the stored personal information might jeopardize the operations of entity hence refusing to correct the information, it should accompany a clear statement explaining the refusal and other available alternatives for the individual to lay out their request.

Mitigation to privacy risks

Release of personal information is faced with so many privacy risks such as breach of privacy, unauthorized access, unauthorized modification, disclosure of personal information to untargeted public, amongst others.

Mitigation of privacy risks is the process of appreciating possibilities of privacy risks occurring and preparing an organization by putting measures to combat the risks when they occur. There are many mitigation procedures that can be put in place to mitigate release of information risks, these include:

1. Proper and clear well documented policies and procedures of all the policy mandate of all employees governing their roles and responsibilities before and after recruitment.
2. Create a disciplinary board with the executive leadership identify any privacy and security breaches of personal information and take necessary measures to punish the responsible internal and external involved parties.
3. Educate all employees and personnel that are associated with handling personal information. Education is paramount to the creation of awareness to people about the impact of privacy risks. It helps in initiating a preparedness mindset in people in handling breach of privacy to the personal information.
4. Encrypt all electronically stored personal information. Personal information stored in their raw format poses a risk of being seen and manipulated by malicious people. Encryption is one way of ensuring that information stored and on transit is safe and secure.
5. Implement technologies that detect and prevent unauthorized access and use of personal information. Technologies can be put in place to automatically detect and prevent people without permission from access stored personal information
6. Implement privileges in permissions and access levels for authorization purposes. Different permission groups can be created to distinguish different access levels of the system users on what they should access and what they should not access.
7. Invest in cyber insurance to mitigate any financial risks of breach of privacy of personal information (Bowen, 2017).
8. Conduct constant and periodic risk assessments and controls to identify points of weaknesses in the privacy and security of personal information. By identifying the gaps of possible risk manipulation, the organization can set up measures to solve the susceptible gaps hence ensure strong privacy.
9. Physical monitoring of operation devices. The Department of Administrative Services should implement telephone monitoring devices to check all incoming and outgoing calls and verify their transparency to the organizational transactions. Implementation of application software that monitor all activities and operations of employees pertaining their jurisdiction to their responsibilities including which sites they visit and email monitoring.

Implement of the privacy Strategy

To develop a comprehensive privacy strategy of information stored on the centralized database on the cloud, any company careful examine their organizational position and adopt an efficient framework that is recommendable. A privacy strategy includes three main stages: Planning, Implementation, and Operation.

Planning

During this stage, organizations and institutions establish policies and strategies to achieve security objectives (Jadhaw, 2015). Planning involves setting up objectives to be met by the privacy strategy and the cloud technology that assures provision of the set goals. It involves the consideration of both the financial aspect and organizational change that will be influenced by the change of the new implementation.

Privacy and security rules and regulations from different governing bodies should be considered and their implication to the future of the organization. The specified standard minimum requirements should be met before the implementation stages. This phase requires that the organization outlines the roles and responsibilities that different people will handle with set timelines.

Implementation

After the planning stage, the organization must assess the process involved in the data flow and prioritize the processes in accordance to their privacy strength (Lui, 2016).  Implementation involves identification of the cloud deployment models and data privacy approaches to be used in the privacy strategy.

Cloud deployment models should be analyzed keenly and model implementation should be decided in accordance to the needs and requirements of the organization. The choice of a private cloud, community cloud, public cloud or a hybrid cloud infrastructure should be met to ensure provision of efficient and effective service provision.

Data privacy is a key consideration to be considered regarding the storage and transmission of data between business processes in different environments. Technologies such as encryption algorithms and tokenization should promise a secure privacy to the stored data.

Operation

The operation phase is the most important stage of the privacy strategy whereby a continuous review and monitoring of the implemented technology. Privacy policies and regulatory requirements are examined against the operation of the working technology to verify compliance to the privacy principles. In case of any privacy risk gaps, the implementing organization should immediately execute mitigation plan to ensure reliability and compliance.

Department of Administrative Services(DAS) have an obligation to protect personal information that holds in their servers. It should therefore ensure compliance with the act of The Protection of Personal Information(POPI). It should assume end to end responsibility of the personal information it contains with integrity and transparency (Isaacs & Crawford, 2014).

The Department must follow the policies and regulations of the organization that are set in place to meet all obligations in order to protect the interests of the personal information. However, DAS should not collect personal information, use personal information or disclose personal information of individuals who have not consented with the organization.

The department should notify individual of the collection of their personal information through writing or verbally. Moreover, DAS should ensure transparency in verification of the data collected from the individual, this is important in ensuring that the individual is aware of the specific information collected from them.

The primary purpose of the data collected from individuals should be well stated and outlined by the Department of Administrative Services. Any secondary purpose that is related to the personal information collected should explained. The organization must adhere to the stated functions and activities stated in the primary purpose, failure to which is a breach of privacy.

DAS must put all measures necessary to protect the collected personal information. It should prioritize in keeping the information safe without any breach of privacy. Disclosure of personal information should abide by the Privacy Act, whereby an individual may request access of their personal information after they meet certain criteria or requirements set. The department should reasonably grant individuals to confirm, verify or update their personal information accordingly if either party believe that the information is either inaccurate or out of date. However, the permission to edit the personal information should not pose any security risk to the data or jeopardize the transactions of the Department of Administrative Services.

Authorized access and disclosure of personal information

The Department of Administrative Services must implement permission access levels to grant access to employees and personnel with authorization keys that will authenticate them into the systems. Personal information should not be accessed by any employee in the organization, therefore people with the access level should be allowed to access the personal information. Modification of personal information is very critical hence it should be restricted to individuals that are allowed by the system to do so.

DAS should implement technologies that automatically detect any unauthorized intrusion into the system. The technologies should also record logs and sessions of all users that have been accessing personal information from the system. This mechanism helps in accountability of the activities a system user has been doing with the personal information without denial. The Single Sign On approach should be implemented in all accessible URLs to prevent unauthorized people from obtaining login logs and session data and use them to gain access.

The department should disclose personal information if and only of the individual has consented to the disclosure or if the individual would reasonably expect the disclosure of their personal information. In other circumstances, the Department of Administrative Services can disclose personal information if it required or authorized by law.

The organization must not go against the agreement of the primary purpose of the personal information and disclose personal information for direct marketing of be used by government related identifiers ("Chapter 6: APP 6 — Use or disclosure of personal information| Office of the Australian Information Commissioner - OAIC", 2014). The Department of Administrative Services should disclose personal information upon individual's request, the individual should meet certain criteria before their copy of information is availed to them. However, the organization should not disclose personal information when it senses breach of privacy or security as well as breach of privacy agreement with the individual personal information.

De-identification of personal data

This explains the process whereby the personal data is no longer about the identity of an individual or an individual who is reasonably identifiable. De-identification of personal information can enable information to be shared or published without jeopardizing personal privacy while safeguarding privacy and confidentiality ("Privacy business resource 4: De-identification of data and information| Office of the Australian Information Commissioner - OAIC", 2014).

The Department of Administrative Services should take precautions while removing or altering personal identifiable data to de-identify it. It should ensure that it conducts the process with integrity and transparency, to maintain confidentiality of the individual identity. DAS should undertake assessment reviews of the de-identified data to eliminate all possibilities of the data being matched with an identifiable individual. All risks of re-identifications should be mitigated and managed accordingly to prevent unintended disclosure of an individual.

The organization should de-identify personal data according to specified circumstances required by the Privacy Act. It should de-identify the personal data it stores when a third party has requested the disclosure of the personal information for research or any other secondary purpose. It is s good practice for the department to de-identify personal data that it has suspected a breach of confidentiality. The primary goal of the organization is to ensure that confidentiality of the individuals it holds data about is not in risk. Therefore, upon a suspected breach of privacy, the organization should ensure that all involved personal data is de-identified.

DAS should de-identify personal data when the privacy of personal information is compromised by an external party gaining unauthorized access to organization information, an internal employee gains access to information that they are not authorizes to and when the personal data is being published to accessed by the public. The Department of Administrative Services should suppress data, which involves not disclosing information that that may enable re-identification of individuals.

Use of personal digital identities

Personal digital identity has gained credit in the authentication of online users. It contains associated attributes of asserted person's identity that identify a person on an online environment.  In online systems, access to protected resources is controlled by requiring people to present digital credentials before access is granted. If the person presenting those credentials is not the person to whom the credential was issued, an authentication error occurs (Blythe, 2010).

The Department of Administrative Services should implement personal digital identity to mitigate risks of authentication and authorization errors and enhance strong security to ensure that access of personal information or sensitive information is only granted to the authorized or intended people. A combination of different security identity mechanisms should be implemented to ensure that a reliable and secure personal digital identities are created. Blockchain is a technology that has been use currently to implement personal digital identity. It uses private and public keys to protect the personal data. Once transactions or other data are inside the secure blockchain ledger, cryptography takes over and verification hurdles drastically decrease the chances of data being compromised.

The department should implement personal digital identities to eliminate any possible ghost employees that use unverified means to access personal information as well as loath organizational resources. It is an important technology because it improves electoral integrity in accessing personal information. With many malicious people on the internet that manipulate authentication loopholes, personal digital identities have been an answer to the prevention of unauthorized access to personal data.

Many security technologies have been compromised by hackers but this implementation has gained trust and confidence from reputable companies. The personal attributes of an individual uniquely identify the authenticity of an individual whereby any other person cannot possibly penetrate into the systems. A combination of Single Sign On accessibility on a secure URL has maintained very strong privacy and security strategy that cannot be easily compromised.

Security of personal data

Primarily, the Department of Administrative Services should educate its employees on safeguarding their personal data while accessing the internet. Any internet user risk being hacked by malicious people; therefore, all employees should be informed of the measures to protect their personal information in the internet.

The Department of Administrative services should take reasonable steps to protect personal data it holds from misuse, interference, unauthorized modification, access and disclosure. The organization should therefore put strong policies and guidelines to protect personal information from falling in the hands of unauthorized persons.

The organization should prevent misuse of personal information whatsoever. It should avoid using the personal data it holds apart from the primary purpose it had earlier agreed upon with the individual. Any secondary use of the personal information should be consented by the individual, abide by the Privacy Act or adhere to the Australian Privacy Principle. The department should prioritize in safeguarding personal data from being interfered either by attack on the computer system or any other possible attack.

Backup of all personal data in different locations is mandatory for reliable operation of the department. Constant and periodic backups should be made daily to protect data from one point of failure that can lead to loss of data. Moreover, the organization must deploy strict security policies and technologies that protect personal data from unauthorized access. Employees or any other person that is not permitted to access personal information should be prevented automatically by the system and any unauthorized attempt to access data should be reported and prevented.

To maintain data integrity, unauthorized modification of personal data should not be allowed. Alteration of personal data from both internal people of external people must be prevented possible. Lastly, unauthorized disclosure of personal data to be accessible to others outside the organization must not be permitted.

Archiving of personal data

The Department of Administrative Services over time stores considerably a lot of data. The data stored on the servers of the department with time clog and slows the operations of the implemented systems. Archiving is necessary to store inactive data that is not directly required by active transactions but is necessary for accountability and referencing. Archived data should be moved from the operational server into a dedicated server in order to improve performance and optimization of the active data (Power, 2016).

The storage of the archived data should maintain a consistent format. Data migration policies have to implemented in order to guide the circumstances of archiving personal data. The executive people should set up the criteria upon which personal data is rendered inactive and should be archived. A consistent format of the archived data is necessary to ensure easy retrieval of personal data on a later date.

DAS should also consider encrypting the personal data before archiving them. Protection of the privacy of personal information being the priority of securing data, the organization should deploy technologies that encrypt the archived data. Upon retrieval, the encrypted archived data is decrypted to be referenced and used.

Archiving personal data will help the organization reducing the storage cost while improving performance of the operational processes. While the data stored by the department has to readily available, an online data storage of the archived data should be possibly considered. This will enable all time accessibility to the data whenever a need arises. This option might be costly but it is worthwhile considerable than an offline data storage that will require office space, physical infrastructural set up and regular maintenance.

Recommended personal data protection strategy

Mitigation of personal data security risks involve reducing the impact of the occurrences of the risks. Personal data is precious to be accessed or manipulated by unauthorized individuals, therefore, it is recommended that the Department of Administrative Services take all measures to prevent or mitigate risks. These include:

1. Encrypt all electronically stored personal files. Personal information stored in their raw format poses a risk of being seen and manipulated by malicious people. Encryption is one way of ensuring that information stored and on transit is safe and secure. Encryption of all information should protect all credentials from access by unauthorized people.
2. The department must adhere to all Data Protection Policies. It should update all the policies and principles in regard to the protection of personal data. Relevant security guidelines must be followed to the latter in order to ensure that personal data is not compromised whatsoever by malicious activities.
3. The Department of Administrative Services must constantly test all perceivable vulnerabilities. Testing all endpoints and network security is crucial to ascertain that penetration testing is satisfiable conducted. All identified vulnerabilities and weaknesses that can be manipulated by attackers should be closed ("3 Tips For Mitigating Data Protection Risk Following GDPR | think S3", 2015).
4. The cloud technology supplier should be audited to ensure that it adheres to the Privacy and Data Protection Acts. It must follow the policies in ensuring that personal data is protected and guided from malicious attacks.
5. DAS must purchase insurance to cover events that might not be bounded by the agreement. The insurance cover is necessary to protect the interest of the company in case any un foreseeable event happens that threatens the operations of the organization.
6. Lastly the company should deploy intrusion detection technologies that detect and prevent any unauthorized access to the systems personal information.

Implement the personal data protection strategy

To minimize security risks and protect personal data, a proper data protection strategy must be developed for the utilization of a cloud computing solution. The following are some of the strategies that I would recommend the Department of Administrative Services to implement:

1. A proper and comprehensive research on the appropriate cloud solution. There are many cloud solutions available offered by different companies with various services. Irrespective of the cloud solution, research of the reputation of the vendor's security record is necessary. Keen scrutiny of security policies and practices must be tabled to ensure the extent of security coverage of the data to be stored.
2. Use Single Sign-on (SSO) mechanism to improve security. A user on the cloud may access a service on several occasions in different sessions, these multiple login instances poses a risk of a potential unauthorized access to the services. Therefore, a Single Sign On solution will prevent any manipulative malicious access to the services.
3. Implement end-to-end encryption. To reduce the likelihood of data being breached by online attackers, an end-to-end encryption must be implemented. This encryption protects the personal data being stored and any personal data on transit. For secure network communication, both involved parties must ensure the implementation of reliable encryption mechanism to protect personal data (Chu, 2015).
4. Create an incident-response plan. As much as all prevention and protection procedures have been put in place, incidents can happen that might impair the operations of the organization. Therefore, an incident-response plan must be created to be executed in case of such occurrences.

References

1. Guidelines for the Management of Personal Information. (2013). Ombudsman Western Australia.
2. Chapter 3: APP 3 — Collection of solicited personal information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 23 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-3-app-3-collection-of-solicited-personal-information
3. Chapter 6: APP 6 — Use or disclosure of personal information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-6-app-6-use-or-disclosure-of-personal-information
4. Himmelsbach, V. (2015). The evolving nature of digital identities and security. Highlight: The world of enterprise IT is changing, fast. Keep up.. Retrieved 24 September 2017, from https://www.ca.com/en/blog-highlight/evolving-nature-digital-identities-security.html
5. Stanganelli, J. (2016). Blockchain & The Battle To Secure Digital Identities. Dark Reading. Retrieved 24 September 2017, from https://www.darkreading.com/endpoint/blockchain-and-the-battle-to-secure-digital-identities/a/d-id/1327279
6. Chapter 11: APP 11 — Security of personal information| Office of the Australian Information Commissioner - OAIC. (2015). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-11-app-11-security-of-personal-information
7. Chapter 12: APP 12 — Access to personal information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-12-app-12-access-to-personal-information
8. Chapter 10: APP 10 — Quality of personal information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-10-app-10-quality-of-personal-information
9. Bowen, R. (2017). Seven Strategies to Mitigate Privacy and Security Risks During the ROI Process - For The Record E-news Exclusive. com. Retrieved 24 September 2017, from https://www.fortherecordmag.com/news/enews_1015_01.shtml.
10. Jadhaw, V. (2015). How to Mitigate Cloud Data Privacy and Security Risks in the Financial Services Industry. Finextra Research. Retrieved 24 September 2017, from https://www.finextra.com/blogs/fullblog.aspx?blogid=11230
11. Lui, S. (2016). How To Implement A Data Privacy Strategy Without The Pain. Lifehacker Australia. Retrieved 24 September 2017, from https://www.lifehacker.com.au/2016/02/implement-a-data-privacy-strategy-without-the-pain/
12. Isaacs, R., & Crawford, K. (2014). Protection of Personal Information Act (POPI) <br/>- Ten things to know. com. Retrieved 24 September 2017, from https://www.nortonrosefulbright.com/knowledge/publications/119575/protection-of-personal-information-act-popi-br-ten-things-to-know
13. Chapter 6: APP 6 — Use or disclosure of personal information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-6-app-6-use-or-disclosure-of-personal-information
14. Privacy business resource 4: De-identification of data and information| Office of the Australian Information Commissioner - OAIC. (2014). gov.au. Retrieved 24 September 2017, from https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-4-de-identification-of-data-and-information
15. Blythe, E. (2010). Standard for Personal Digital Identity Levels of Assurance.
16. Power, K. (2016). Everything You Need to Know About Personal Data Archiving - BestBackups.com. com. Retrieved 24 September 2017, from https://www.bestbackups.com/blog/7153/everything-you-need-to-know-about-personal-data-archiving/
17. 3 Tips For Mitigating Data Protection Risk Following GDPR | think S3. (2015). think S3. Retrieved 24 September 2017, from https://www.thinks3.co.uk/3-tips-for-mitigating-data-protection-risk-following-gdpr/
18. Chu, W. (2015). 5 Ways to Mitigate Cloud Computing Risks - HardBoiled. HardBoiled. Retrieved 24 September 2017, from https://blog.neweggbusiness.com/over-easy/5-ways-mitigate-cloud-computing-risks/