Risk and Compliance Evaluation - Essay Example

? EXECUTIVE SUMMARY Software as a Service and Cloud Computing are innovations that were spawned by the internet technology. Both concepts could practically lessen the operating expenses of the Retail Investment Brokerage Firm including its capital expense by outsourcing its Software needs as well as its computing requirements. The two concepts would enable the Retail Investment Brokerage Firm to enjoy what technology has to offer in terms of functionality and speed while being relieved of the burden of its prohibitive costs. However, the use of Software as a Service and Cloud Computing is not without risks and exposure to the very client of the Brokerage Firm. In fact, there are specific provisions of the Data Protection Act of 1998 and the Financial Services Authority’s Business Principles that would be violated should the Brokerage Firm forces the issue of using such concept in its operation without any proper control or safeguards. The use of Software as a Service and Cloud computing would also expose the Brokerage Firm to be open to Breach of Confidence legal actions. To prevent such legal actions it is strongly advised that the Retail Investment Brokerage Firm adopt an Information Security Management System that will provide the controls that will protect the information of the clients. The implementation of an Information Security Management System would make the Brokerage Firm diligent in the protection of its client’s information. TABLE of Contents EXECUTIVE SUMMARY 2 TABLE of Contents 3 INTRODUCTION 4 SAAS and CLOUD COMPUTING 5 Cloud Computing 5 Software as a Service 7 CLOUD AND SAAS RISK ASSESSMENT 7 SECURITY FRAMEWORKS 8 SAAS and CLOUD COMPUTING Risk Assessment 9 IT GOVERNANCE AND COMPLIANCE 10 Article 8 European Convention on Human Rights 10 Breach of Confidence 10 Data Protection Act of 1998 11 Financial Service Authority’s Principles for Business 11 SAAS and CLOUD COMPUTING GOVERNANCE ISSUES 12 DISCUSSION 13 CONCLUSION AND RECOMMENDATION 16 ISMS and Risk Assessment vs. Governance RequirementS 17 RECOMMENDATION 18 Bibliography 19 Books 19 Online Sources 20 Figures 21 PERSONAL DEVELOPMENT PLAN 22 INTRODUCTION The Retail Investment Brokerage Company has in its possession sensitive financial information of its clients (Christoffersen, 2003). The operational possession of client information requires a huge amount of responsibility since any unauthorized release of information would cause undue harm or it can expose the client to dangers (Marshall, 2001). Even the European community in general has recognized the right to privacy of financial information as a right not to be trifled with. The Parliament of the United Kingdom has passed the Data Protection Act of 1998 to safe guard against such unauthorized intrusion to the lives of its subject. While the Financial Services Authority that is tasked to govern organizations that provides financial service to select clients have mandated several edict that aims to protect the clients of organization providing financial services. The financial services and the information technology industry also responded in kind by delivering a set of standards that can be used as framework with the sole purpose of protecting client data (Davidson, 2010). The advent of technology not only made it easier to bring enormous profit or revenue to the financial services organization’s clients it also made it easier to procure information that could adversely affect the life of its owner. The delicate balance between what is permissible exposure to threat in the face of enormous profit at the soonest possible time made it mandatory for financial services organization to manage the risks involved (Snedaker, 2007). The internet has spawned several innovations that would increase productivity in the same manner that it would raise the revenue for the client of the Retail Investment Brokerage firm. One such innovation is the Software as a Service concept or simply SaaS (Adler & Benoiff, 2009). Companies wishing to have the flexibility with the number of users that uses its mission critical application normally resort to SaaS (Blokdijk, 2008)., The strategy will ensure that no excess software licenses or cost will be paid for or purchased at any time. Another innovation worth looking into is the Cloud Computing Concept wherein computing power will not be assigned to a specific server but rather it will be assigned to other available servers that can accommodate the extra computing demand (Rhoton, 2009). However, SaaS and Cloud Computing are replete with security loopholes that expose the Retail Investment Brokerage firm’s process and information’s Confidentiality, Integrity and Availability (Hardin, 2009). It is therefore imperative to conduct a risk assessment analysis of all the Saas and Cloud Computing information assets to determine the controls needed to comply with the requirements of the law. SAAS and CLOUD COMPUTING Cloud Computing It is a concept that can be likened to an electric grid of a city where each house is connected to the network via the grid. The concept in the electric grid is that the series of power plants connected to the grid supplies power to the grid. The way the system is designed, the customers of the grid do not have any specific power plant supplying it but it is logical to assume that the primary power plant where it draws power the most is the one nearest to it (Velte, Velte, & Elsenpeter, 2010). In the context of computing or information technology, an Application Service Provider in order to spread its load installs several duplicate sites in strategic locations. The idea is for the user nearest to a particular site be connected or homed to that site. The purpose is two-fold; first is to maintain Quality of Service (QoS) since the site is nearer to the user the service connection will be better against a site that is on the other side of the globe that would require more hops. The other is to de-load the other set of servers in other countries this could improve the application usage experience of the client. Figure 1: Sam Johnston To illustrate: Google has several sites spread all over the world users from the United Kingdom normally access or is homed to the Google’s set of servers that is nearest to the United Kingdom. The same can be said about Google users that are located in the United States, Australia and Singapore. However, except for some countries Google users can access other sites and make that site its home site. The concept has many advantages that would include the following. No capital cost - since there is no need to invest heavily on infrastructure. Reliability - since other sites can take over if in case the primary site the client is connected to is not available. Scalability - since the company, adopting it need not add any more infrastructures to accommodate an increase in users or clients. Operating cost – since the expense will be limited to licensing and on a per usage fee. Software as a Service It is a concept that was originally known as Application Service Provisioning. Instead of purchasing the application that will be used by its employees and clients alike the application is readily available from the internet or from the network. There is no need for the company to pay for licenses that may not be used due to attrition or for software that cannot be used immediately because the client has not been signed up yet. The on-demand capability of the concept makes the operation of the company portable, meaning clients and even employees can work from home (Greer, 2009). The concept has many advantages aside from those mentioned above this would include reliability – since the software can be hosted from anywhere there is no danger of clients being denied any service. System maintenance cost is not going to be an expense that will accrue against the company since it will be part of the pay per use agreement. CLOUD AND SAAS RISK ASSESSMENT An organization’s information security policy is the focal point for establishing and conveying security requirements. The policy is THE tone for the information security practices within the organization it defines the right behaviour and is the platform for the security program. A firmly applied policy that provides guidance in the formulation of information security processes, and controls can assist in the implementation and compliance from all level of the organization (McGlasson, 2007). COBIT and ISO17799 requires the establishment of a security policy to set the tone and direction of how the Retail Investment Brokerage Firm will protect its client’s information. SECURITY FRAMEWORKS COBIT – or Control Objectives for Information and related Technology was released in 1996 by ISACA or Information Systems Audit and Control Association. It has 318 Control Objectives categorized in four domains, which are the Planning and Organization, Acquisition and Implementation, Delivery and Support and the last Monitoring and Evaluation (Gilling, 2009). ISO17799 – was previously the BS7799 that was adopted by ISO in part to incorporate the Plan Do Check Act (Deming, 1986) model. In 2005, ISO17799 was renumbered to become the ISO27002. In the old and new form the framework has twelve main implementation parts: (1) Risk assessment, (2) Security Policy, (3) Organization of information Security, (4) Asset Management, (5) Human resources Security, (6) Physical and Environmental security, (7) Communications and operations management, (8) Access Control, (9) Information System Acquisition, development and Maintenance, (10) Information Security Incident Management, (11) Business Continuity Management, (12) Compliance (Calder & Watkins, 2010). While COBIT provide the framework for top management ISO27002 provisions for the creation of a business continuity plan that is congruent to the seventh principle of the Data Protection Act of 1998. ITIL – or Information Technology Infrastructure Library is currently is on its third version already. It is a set of best practices for Information Technology Services Management that ensures compliance to most if not all statutory requirements for IT governance. ITIL has nine parts which would include: (1) Service Support, (2) Service Delivery, (3) Information and Communication Technology Infrastructure Management, (4) Security Management, (5) The Business Perspective, (6) Application Management, (7) Software Asset Management, (8) Planning to Implement Service Management (9) ITIL Small Scale Implementation (Malone, Menken, & Blokdijk, 2010). IT Governance Institute – The purpose of IT governance is to direct IT endeavors, to ensure that Its performance meets the following objectives: For IT to be aligned with the organization’s goals to realize the benefits; For IT to enable the organization to exploit opportunities and maximize benefits; For IT resources to be used responsibly; For IT related risks to be managed appropriately (IT Governance Institute, 2011). OGC Risk Management Strategy – Propose how risks will be managed during the lifecycle of the project. Used to plan the way risks are handled within the project (Office of Government Commerce, 2010). SAAS and CLOUD COMPUTING Risk Assessment The primary risk involving the Software as a Service concept is the lack of control of the Retail Investment Brokerage Firm over the source code and the inability of the Brokerage Firm to audit the source code for malicious codes. While the primary risk involving Cloud Computing are the lack of control which set of hardware will be used in computing the information of the clients of the Brokerage Firm. Outsourcing the use of the software as well as the hardware that will be used in processing the information of clients of the Retail Investment Brokerage Firm without the proper controls infringes the provisions of the Data Protection act of 1998. By making the information available through the internet via the SaaS and Cloud Computing concept without any controls will make the information available from other locations. IT GOVERNANCE AND COMPLIANCE The law is very strict and serious in protecting the privacy of individuals from the European Convention up to the agency in charge of governing the conduct of the Trading Company. Organization that directly deals with client information not only has the fiduciary responsibility to protect client information they are responsible for keeping its confidentiality, integrity and availability. The most compelling argument of the advocates of the protection of the details of financial data of clients is the possibility of the data being used in court or in criminal activities by those people with nefarious intents. Article 8 European Convention on Human Rights The European Convention on Human Rights particularly article 8 declared that every individual has the right to keep his family life, home and correspondence private. The convention among other things enjoined that governments shall respect this right in accordance to its principle of freedom and democracy with reservation to its national security and responsibility to protect its citizen (European Convention on Human Rights, 1953). Breach of Confidence In order for “Breach of Confidence” to set in the following elements should exist the information being breached should be of prime importance that it shall cause harm and injury or infringe on the right of the owner. The information keeper was obligated to provide protection to the information and was to release it according to a set of rules. There were an unauthorized disclosure of the information from people who were not supposed to have it in the first place (Health and Safety Executive, 2009). Data Protection Act of 1998 Seventh Principle of the Data Protection Act posits that diligent application of technical and organization protection should be taken by holders of information entrusted to keep such information. Protection that would include appropriate measures against loss, destruction or damage should be included (Data Protection Act, 1998). Reasonable due diligence is an opt repeated phrase in data security due to the enormous cost associated in protecting data from what could and may not happen. Risk Assessment may provide the balance needed to assess the value of the information being protected against the cost of protecting it (Liberty, 2009). The Eighth Principle of the same law, enjoined that no data belonging to citizens shall be transferred outside the European Economic Area. However, if the territory will ensure adequate protection to the rights and freedoms of the people to whom the information belongs to access may be allowed under certain conditions (Data Protection Act, 1998). Exposure in the internet means there is a possibility that global access is not only possible but also a reality given the breadth and reach of the technology. Thus, most if not all nations have made it mandatory to ensure that sensitive information of its citizen remain within the realm of the country or its borders, which is impossible when an entity is connected to the internet. Thus, to protect the citizen only friendly countries are allowed to have access to sensitive data (Liberty, 2009). Since the operation of the Trading House is confined within the United Kingdom there is not much use for this. However, adequate protection must be installed to ensure that access to the computer system will be limited to the United Kingdom. Financial Service Authority’s Principles for Business The Financial Service Authority provided guidance for financial business owners on how to protect their client’s information. Specifically Principle 5, 6 and 10 have been provided thereof. All three principles mandates that organizations should at all times provide reasonable care in effectively implementing risk management systems in its processes. This is to ensure that financial services firm’s client is treated fairly and equitably and their assets adequately protected (Financial Services Authority, 1999). SAAS and CLOUD COMPUTING GOVERNANCE ISSUES Software as a Service and Cloud Computing by themselves violates the eight principle of the Data Protection Act of 1998, which specifically state that no sensitive data of subjects shall be made available outside of the realm. It should be noted that the company providing the Software as a Service and the Cloud Computing concept has for its business model the availability of their service outside the United Kingdom. It may not directly provide the service outside the realm but the very nature of the internet makes the service available outside the United Kingdom. Since the internet is available everywhere. There is also a clear breach of confidence due to the presence of the following element “The information was provided in circumstances importing an obligation of confidence” and “There was an unauthorized use or disclosure of that information and, at least the risk of damage”. The Retail Investment Brokerage Firm shall make all its data or the financial information of their client reside in the servers of the Software as a Service Company. The Retail Investment Brokerage Firm would practically abrogate the care of their client’s information in favor of another company that has a limited engagement with the Retain Investment Brokerage Firm and no agreement with the clients. The above violations of the laws can be remediated, however, the remediation cost as will be discussed later may be prohibitive that could only defeat the purpose of the Software as a Service concept. This reality eliminates the possible savings that could have been earned by the concept. Studying the provisions COBIT, ITIL and ISO17799 Software as a Service and Cloud Computing also violates some of its controls, particularly source code control, process controls and access control. Since the client’s data will be made available using the internet either for storage by the Software as a Service Company. Examining the very concept of Software as a Service alone indicates that the source code for the software is not readily available for audit. The audit is required to determine if there are Trojans, backdoors or even malicious codes within the Software that is being used by the Company providing Software as a Service. These exposures however are not without remedy. But the remedies are not without cost as well bringing into question the wisdom and the efficacy of the argument of implementing Software as a Service that regard it as cost effective. DISCUSSION Risk in any financial endeavor is the natural consequence of profit, but that is not to say that in order to profit more one must risk recklessly more. Therefore, the consequence for recklessness is dire and exacting as far as the law is concerned. Protecting the interest of the clients of the Retail Investment Brokerage Firm is the very essence of the laws enumerated above that is to ensure that the investing public continues to have or gain confidence to the firms that provide this kind of service. Since the business of the Retail Investment Brokerage firm is the very essence of free market. Software as a Service and Cloud computing has been an innovation that have been popularized at the advent of the internet. It is considered as an equalizer of the computing power accorded to large organization by virtue of their unlimited resources with that of the small to midsize range companies. Software on demand would enable one company in this case the Retail Investment Brokerage Firm to share the cost of development, maintenance of software applications including the management of its infrastructure. The idea is to make the functionality of software applications normally available only to large corporation be available as well to the small business owners. And for Cloud Computing make the functionality normally reserved only to large computers be made available to the small business owners. The essence of risk assessment or Information Security Management System is not to prevent the use of innovations such as Software as a Service or Cloud Computing. The essence of risk assessment or an Information Security Management System is to calibrate the risk presented by these new concepts or any tool for that matter, that include processes and other similar information objects. Diligent assessment includes the application of a systematic framework that will provide for a process on how to calibrate the risk and formulate the appropriate control mechanism that will neutralize the threats and resolve the vulnerabilities. Diligent protection by the Retail Investment Brokerage firm includes the incorporation of the processes that will limit the vulnerabilities and the exposure to the threats. Figure 2: Innovative Solutions 2008 Putting the processes as determined from the risk assessment analysis as part of the Retail Investment Brokerage firm’s operation constitutes due diligence as well (Bing, 2008). The drive for continuous improvement should also be defined in the processes being implemented. There would also be a regular review of the Information Security Management System’s performance indicators to ensure that each incident reported have been investigate thoroughly. Learning from the performance indicators as well as the incident reports to determine new ways of protecting the information assets of the company will reach a point where outmost protection have already been given. COBIT, ISO17799 and the latest version of ITIL, provides a framework that would comply with the requirements of the law as far as due diligence is concerned. The frameworks also provide a way to put the processes into operation ensuring that the implementation capitalizes on continuous improvement. Another area where the framework is held in high regard in the industry is the way the process develops the Business Continuity Plan, Contingency Plans, Disaster Recovery Plans and the Emergency Plans. To resolve the issue posited earlier with regard to the laws and legal principles that Software as a Service and Cloud Computing has violated. The Retail Investment Brokerage Firm can choose a Software-as-a-Service Company that is compliant to either COBIT or ISO17799 with most of its employees ITIL certified. For its cloud-computing requirements, the Retail Investment Brokerage Firm can implement a series of encryption program to obfuscate the information being computed or processes by other servers. The firm can also collaborate with companies that are COBIT or ISO17799 compliant only. It is recommended however that a close community cloud be used instead of a public cloud. The cloud-computing provider should guarantee that its network is not accessible from the outside of the United Kingdom in general and unauthorized user in particular. A strict legal instrument in a form of a contract that will bind all companies to their obligation should be executed and signed. The contract should provide heavy penalties in case there is a violation of the confidentiality, integrity and availability of any client information stored by the SaaS Company Provider. Retail Investment Brokerage Firm should also put into operation several processes that will regularly test the security safe guards that the SaaS Company should have strictly implemented. The caveat however is if the SaaS company will be amenable to the arrangement or not. CONCLUSION AND RECOMMENDATION The requirement of the law is that Due Diligence should be exerted by the Trading Firm to ensure the confidentiality, integrity and availability of the financial data entrusted by clients to the Trading Firm. Due diligence includes the application of controls that would include administrative, logical and physical controls. Information Security Management System does not mandate that the operation of a company be stymied into paralysis to secure assets. Information Security Management System mandates that productive use of information assets by processes should be governed by controls determined through a proper risk assessment process. ISMS and Risk Assessment vs. Governance RequirementS Risk assessment includes the determination of the level of risk that is attendant to each information asset (Borodzicz, 2005). Risk assessment determines the level of Protection and the dimension of the measured response needed to neutralize threats to comply with the requirements of Adequate Protection provided for by the law (Blyth, 2008). Due Diligence employs the application of controls that would include administrative, logical and physical controls. Extra Ordinary Effort in managing the risk attendant to protecting information assets of the organization’s clients requires the employment of Business Continuity Plan, Disaster Recovery Plan, Contingency Plan and Emergency Response Plan (Property Advisers to the Civil State: Central Advise Unit, 1998). Information Security Management System includes all of the above and the execution of the following processes. Security governance, incident response plans and change management (Whitman & Mattord, 2010). The law requires that due diligence have been exerted by the Retail Investment Brokerage Firm to protect the financial information of its clients. Due diligence can only be apparent when the Retail Investment Brokerage Firm have followed an auditable framework that systematically analyzed the kind of protection needed at all levels. However, due diligence does not end with the installation of controls the Retail Investment Brokerage Firm should also keep within its operation processes that is information security centric. RECOMMENDATION The first step is to formulate the information security goals and objectives in a form of a security policy (Humphreys, 2007). The second step is to conduct the risk assessment process that starts by conducting an inventory of information assets. The risk assessment shall then deliver the control processes, the Business Continuity Plan, Disaster Recovery Plan and Contingency Plans. The third step is to deploy the information security infrastructure that would include the deployment of tools such as the help desk system, Business Continuity infrastructure etc (Barnes, 2001). While the policies and procedures are being drafted and eventually approved for implementation. The fourth is the operation of the processes that would include the implementation of the help desk that uses the incident response plans, escalation procedures and the change management processes (Clark & Wright, 2009). COBIT, ISO17799 and ITIL v9 and some other Information Security Management System provides the framework that can be used to make the organization comply with the requirements of the law (APM group Limited, 2007). SaaS and Cloud Computing are considered tools that can safely be used in the Retail and Investment Brokerage industry. Provided their use and operation are governed with, the controls provided for by a complete risk assessment process within the recommended framework of COBIT, ISO17799 and or the latest version of ITIL. Bibliography Books Adler, C., & Benoiff, M. (2009). Behind the Cloud: The untold story of how salesforce.com went from idea to Billion Dollar Company and Revolutionized and Industry. New York: Josey Press. Barnes, J. (2001). A guide to Business Continuity Planning. West Sussex: John Wiley & Sons Ltd. Bing, G. (2008). Due Diligence Techniques and Analysis: Critical question for Business Decision. London: British Library. Blokdijk, G. (2008). SaaS 100 Success Secrets: How Companies Successfully Buy, Manage, Host and Deliver Software as a Service. New York: Emereo Publishing. Blyth, M. (2008). Risk and Security Management: Protecting People and Sites Worldwide. Hoboken, New Jersey: John Wiley and Sons, Inc. Borodzicz, E. (2005). Risk, Crisis and Security Management. West Susssez: Wiley and Sons Inc. Calder, A., & Watkins, S. G. (2010). Information Security Risk Management for ISO27001/ISO27002. London: IT Governance Ltd. Christoffersen, P. F. (2003). Elements of Financial Risk Management. San Diego CA.: Academic Press. Data Protection Act. (1998). Data Protection Act 1998. United Kingdom Parliament. legislation.gov.uk. Deming, E. (1986). Out of Crisis. Boston: Massachusetts Institute of Technology ISBN 0-911379-01-0. Financial Services Authority. (1999). Financial Services Authority Principles for Business. London: Financial Services Authority. Gilling, T. (2009). Beginner's COBIT Companion. Leicester: Troubador Publishing Ltd. Greer, M. B. (2009). Software as a Service Inflection Point: Using Cloud Computing to Achieve Business Agility. Bloomington, Indiana: iUniverse Inc. Humphreys, E. (2007). Implementing the ISO/IEC 27001 Information Security Management System Standard. Norwood, MA: Artech House Inc. Malone, T., Menken, I., & Blokdijk, G. (2010). ITIL V3 Foundation Complete Certification Kit - Third Edition: Study Guide Book and Online Course. Queensland Australia: Emereo Pty. Lrd. Marshall, C. L. (2001). Measuring and Managing Operational Risks in Financial Institutions: Toold Techniques and other Resources. New York: Wiley and Sons. Rhoton, J. (2009). Cloud Computing Explained. New York: New York. Snedaker, S. (2007). Business Continuity Planning and Disaster Recovery Planning. Burlington: Elsevier Inc. Velte, A. T., Velte, T. J., & Elsenpeter, R. (2010). Cloud Computing a Practical Approach. New York: McGraw Hill. Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security. Boston: Course Technology. Online Sources APM group Limited. (2007, October). What is ITIL. Retrieved December 29, 2010, from ITIL.com: http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp Clark, W. F., & Wright, R. (2009). Enhancing the Efficiency of Your IT Infrastructure. Retrieved December 15, 2010, from Computer Associates: http://www.ca.com/~/media/Files/TechnologyBriefs/enhancing-efficiency-it-infrastructure_203323.pdf Davidson, E. (2010). Business Continuity and Data Planning Redundancy. Retrieved December 29, 2010, from ehow.com: http://www.ehow.com/way_5379303_business-continuity-data-planning-redundancy.html European Convention on Human Rights. (1953). Article 8 Eurpean Convention on Human Rights. European Convention on Human Rights. London: European Convention on HUman Rights. Hardin, B. (2009, November 4). Confidentiality Integrity Availability. Retrieved December 29, 2010, from Misc. Security: http://misc-security.com/2009/11/04/confidentiality-integrity-availability/ Health and Safety Executive. (2009, July 7). Breach of Confidence. Retrieved March 17, 2011, from Health and Safety Executive: http://www.hse.gov.uk/enforce/enforcementguide/court/reporting-breach.htm IT Governance Institute. (2011). Purpose of IT Governance. Retrieved March 20, 2011, from IT Governance Institute: http://www.itgi.org/template_ITGI9bfe.html?Section=Purpose&Template=/ContentManagement/HTMLDisplay.cfm&ContentID=19659 Liberty. (2009, June 15). Overview of the Data Protection Principles. Retrieved March 18, 2011, from Yourrights.org.uk: http://www.yourrights.org.uk/yourrights/privacy/data-protection/overview-of-data-protection-principles.shtml McGlasson, L. (2007, August 3). Key to Your Information Security Training Policies and Standards. Retrieved March 15, 2011, from Bank Information Security: http://www.bankinfosecurity.com/articles.php?art_id=523 Office of Government Commerce. (2010, June 8). Risk Management Strategy. Retrieved March 20, 2011, from Office of Government Commerce: http://www.ogc.gov.uk/documentation_and_templates_risk_management_strategy_.asp Property Advisers to the Civil State: Central Advise Unit. (1998, May). Business Continuity Planning Guide. Retrieved December 29, 2010, from Office of Government Commerce of the United Kingdom: http://www.ogc.gov.uk/documents/PACE_-_BCPG.pdf Figures Innovative Solutions. (2008). Information Security. Retrieved March 22, 2011, from Innovative Corporate Solutions: http://images.search.yahoo.com/images/view?back=http%3A%2F%2Fimages.search.yahoo.com%2Fsearch%2Fimages%3F_adv_prop%3Dimage%26b%3D22%26ni%3D21%26va%3Drisk%2Bassessment%2Bdrawing%26xargs%3D0%26pstart%3D1%26fr%3Db2ie7&w=490&h=500&imgurl=www.innovative-csi.co Johnston, S. (2009, March 3). Cloud Computing. Retrieved March 22, 2011, from Wikipedia: http://en.wikipedia.org/wiki/File:Cloud_computing.svg PERSONAL DEVELOPMENT PLAN Reading and digesting what the concepts of Software as a Service and Cloud Computing are. I have initially contemplated following the book of Christoffersen, P. F. entitled Elements of Financial Risk Management as a guide to conduct a risk assessment. To determine for my self the amount of risk involved in implementing Software as a Service and Cloud Computing. But going through the details of the risk assessment process additional training and knowledge is required since I neither have the experience nor the working knowledge of the operation of the Retail and Investment Brokerage Firms operation as it relates to the use of the Software as a Service and Cloud Computing. I instead focused on the critical evaluation of the Software as a Service and Cloud Computing to determine what is wrong with it that could be the source of vulnerability. After determining the possible exposure I perused through the abundant information regarding financial governance and control. There I found three related laws and several cases that pertains to the duties and responsibilities of Retail Investment Brokerage Companies to its clients and to regulators. Going over the cases that would include the examination of its facts and details including the merits of their arguments. It is my considered opinion that what is needed to comply with the law to comply with the privacy rights of clients is for the brokerage firm to conduct a diligent risk assessment and implement the controls determined thereof. Various frameworks comply with the requirements of the law in providing controls to protect client information. However, it is not sufficient to provide the infrastructure but it is equally important that operational controls should also be implemented to determine the root cause of incidents. For my personal development regarding this topic, it is imperative that details of the software as a service be given to determine the kind of application needed and consequently, the infrastructure needed for the Cloud Computing to determine the attendant risks involved. Read More