ict.govt.nz is being migrated into digital.govt.nz
This snapshot contains remaining content not yet migrated

Assess the risks of cloud services

Cloud services, like traditional IT systems, come with certain risks. Here’s how agencies can assess these risks in a way that is tailored to their risk appetite and signed off at an appropriate level. This section also covers vendor responses to the questions in the cloud considerations document.

A briefing note on how to right-size cloud risk assessments is available.

Agencies are responsible for risk assessments

Cabinet requires agencies to make cloud adoption decisions on a case-by-case basis following a risk assessment. Agencies decide how they want to run the risk assessment process, but DIA has optional tools and guidance available.

Why agency-led?

The risks of cloud services depend on how the services are used and on the new ways of operating they require, so agencies are best placed to understand their own business risks.

Risk assessments are driven by business context

Each agency must understand the business context of its use of cloud services. In addition, the time and effort spent on the risk assessment should be proportional to the level of risk. In practice, this means carrying out an initial assessment of the classification of the information involved, and whether there are any privacy or sovereignty issues.

If the initial assessment concludes that the risks are negligible, a detailed risk assessment will not usually be required. Where significant risks are present, a more detailed risk assessment will typically be needed. Whatever the risk level, an assessment helps agencies understand and mitigate risks and establish a residual risk position.

Cloud risk assessment process

The Cloud Risk Assessment Process allows you to establish the value of your information and the risk of placing it in the cloud. Understanding your agency’s risk appetite is key to deciding whether to accept a cloud vendor’s operating model and terms of use. The cloud assessment tool is intended to complement a risk assessment with cloud-specific content.

In following the cloud risk assessment considerations, you will be presented with questions that cover:

  • confidentiality: for example, how well is the information protected by the cloud provider and/or in the country where it is stored? Does the cloud provider have good encryption and key management procedures?
  • integrity: for example, does the cloud provider have good processes and infrastructure to keep your data separate from that of other customers?
  • availability: for example, does the cloud provider have good disaster recovery (DR), business continuity planning (BCP) and incident management practices? Does the location of the datacentres introduce latency issues? Are the SLAs appropriate for your use? Is your data adequately removed on termination of the service?

In general, these are all good risk questions that you would want answered if you were operating the service yourself. When answering them, it is helpful to consider how you obtain assurance from a service that you are trusting with your information.

Risk assessments, whilst important, are only a precursor to effective information risk management. Organisations should direct their resources towards managing information risk through treatment (the selection and implementation of controls) – especially when their resources are limited. The service provider would normally bear the larger share of the effort in completing the cloud considerations questionnaire phase.

Note: a risk assessment should be appropriately sized relative to the value of the information you are trusting to the service.

Cloud provider answers to cloud risk assessment tool

DIA provides security guidance for specific cloud services and maintains a list of cloud service providers below who have provided responses to the government cloud security and privacy considerations questionnaire. These are available to help agencies carry out a risk assessment of the providers’ services:

  • Agilyx New Zealand (Unit4 Business World - Enterprise Resource Planning)
  • Amazon Web Services
  • Catalyst IT’s Catalyst Cloud (NZ)
  • Complete Learning Solutions (Docebo Learning Management System)
  • ComplyWatch
  • ComplyWith
  • Controls Reporting (ComplyWith NZ)
  • Critchlow Limited (SungardAS Assurance CM)
  • Delib Limited
  • Eagle Technology Group Ltd (Esri ArcGIS Online)
  • Healthscope HDP
  • Microsoft Azure
  • Microsoft Dynamics CRM Online 
  • Microsoft Intune
  • Microsoft Office 365
  • Netskope (CASB)
  • Opal3
  • Quantate Risk
  • Quantate Compliance
  • Quantate Project
  • Salesforce
  • SAP Time and Attendance Management (SAP TAM) by Workforce Software
  • SAP SuccessFactors
  • ServiceNow
  • Skyhigh CloudTrust
  • TiE by Softsource Ltd
  • Working Wise (GOSH Health & Safety)

Contact the provider directly to obtain their answers. Agencies are responsible for evaluating the answers and determining whether they are relevant.

Please note that the appearance of a cloud service on this page does not indicate that the service or the answers have been endorsed by DIA.

Risk assessments completed by agencies

Where they have a similar business context, agencies may adapt risk assessments completed by other agencies. A list of collaboration services that have had risk assessments completed by one or more agencies is available under “Risk assessments completed by agencies”.

Contact ICTAssurance@dia.govt.nz to obtain contact details for the agencies that have completed these risk assessments.

Sign-offs can be delegated

Each agency must ensure the risk assessment is signed off by the chief executive or a delegate (direct reports and below). Delegations should be made at a level appropriate to the risks of using the services (check your agency’s risk framework or contact your risk team). The sign-off should describe the process used and accept any residual risks.

Agencies provide copies of sign-offs to DIA

Agencies are required to submit both the Cloud Risk Assessment Tool (xlsx, 76kb), or similar, and the Cloud Endorsement by Agency (docx, 98kb), or similar, to ICTAssurance@dia.govt.nz. DIA does not endorse agency sign-offs. DIA logs the assessments and uses them only in high-level reporting to Ministers on ICT Assurance for cloud services.

Page last updated: 26/03/2019