Frequently Asked Questions: Cloud Risk Assessment

Cabinet has directed [Cabinet Minute (13) 37/6B] all State Services agencies to contact the GCIO for advice and guidance when considering the use of any cloud service, and to follow a mandatory and uniform information management process issued by the GCIO.  Agencies within the GCIO functional leadership mandate are required to follow the cloud risk assessment and endorsement process established by the GCIO.  All State Service agencies are expected to follow the process in line with Cabinet direction.

The GCIO ICT Assurance and Government Enterprise Architecture (GEA) teams have compiled the following list of commonly asked questions and the answers we have provided. If your query isn't here, please contact the GCIO Assurance team at ICTAssurance@dia.govt.nz.

Cloud

  1. What is a cloud service?
  2. What is Shadow Cloud?
  3. How should an agency approach Shadow Cloud?
  4. Does the cloud process apply for cloud services hosted in New Zealand as well as overseas?
  5. Where a cloud service is developed as part of a project or programme, when should the risk assessment take place?
  6. If multiple cloud products make up a service, can we do a combined risk assessment and endorsement?
  7. Are mobile apps cloud services?
  8. Is it proposed that the cloud risk assessment and endorsement process be used for IT services other than Cloud?

The Cloud Risk Assessment Tool

  1. Do we have to complete all the questions on the Cloud Risk Assessment Tool?
  2. Is the new Excel tool version of the cloud questionnaire (Cloud Risk Assessment Tool) different from the guidance originally published?
  3. Do we need to map items in the Cloud Risk Assessment Tool to the New Zealand Information Security Manual (NZISM)?
  4. Is there a Sparx model available for the Cloud Risk Assessment Tool?

Endorsements

  1. Do we have to endorse all of our current cloud services retroactively?
  2. Do we need to let the GCIO know about cloud services we have not yet endorsed?
  3. Who is responsible for accepting the residual risk of adopting a cloud service?
  4. Do we have to complete a Cloud Risk Assessment Tool and endorsement for all-of-government cloud services (e.g. Common Capabilities)?
  5. We have completed the Cloud Risk Assessment Tool for a service.  Is that all we have to do?
  6. Can we use an alternate or custom format for the endorsement or risk assessment?
  7. Where do we send the completed endorsement form and Cloud Risk Assessment Tool?
  8. Do we have to complete all the activities on the endorsement form’s tick list?
  9. Do we have to provide evidence to the GCIO of the formal delegated authority to approve cloud services?
  10. Won’t this new risk assessment process slow down cloud adoption by our agency’s business units?
  11. What is the relationship between security Certification and Accreditation (C&A), Privacy Impact Assessments (PIAs), and cloud endorsements?
  12. Is the GCIO cloud endorsement process consistent with the requirements of the Protective Security Requirements (PSR)?
  13. If a third party is providing a cloud service to our clients (e.g. the public) on our behalf, do we have to follow the risk assessment and endorsement process?
  14. After we send our artefacts to GCIO, how long will we have to wait for a response before implementing the cloud service?
  15. Do we have to stop using a cloud service if we find an appropriate risk assessment was never done?
  16. Can we restrict the information our employees put in the cloud to reduce the risk?

System-wide Collaboration

  1. Can we leverage cloud risk assessments done by other agencies for the same cloud service?
  2. Will the GCIO make the cloud register available to all agencies?
  3. If other agencies are using the cloud service, or providing it to me, doesn’t this mean they have done a risk assessment?
  4. What if a service provider refuses to provide information we need for our risk assessment?
  5. Have any cloud service providers prepared responses to the Cloud Risk Assessment Tool?
  6. When service providers provide information for our risk assessment, can we share this with other agencies?

The Role of GCIO

  1. Is the GCIO ICT Assurance team endorsing cloud services?
  2. Can the GCIO direct agencies to stop using a cloud service?
  3. Does the GCIO ICT Assurance function provide assurance to agencies over all-of-government Common Capabilities?
  4. Will the GCIO review drafts or incomplete Cloud Risk Assessment Tools?
  5. The cloud guidance states that it may be possible to have security and privacy terms included in contracts.  Is there any standard contract language the GCIO can provide for this?
  6. What will happen if the ICT Assurance team decides our endorsement or risk assessment process is incomplete or insufficient?
  7. Will the GCIO pay for agencies to complete cloud risk assessments?


Cloud

1. What is a cloud service?

Any IT service outside the direct control of the agency and outside the agency network boundary, where the agency’s information is stored or processed. 

There are a variety of definitions of cloud computing in use worldwide.  GCIO guidance has referenced the National Institute of Standards and Technology (NIST) definition of cloud computing which focusses on cloud as a service delivery model.  However, we realise this definition may not be helpful to security professionals, technical staff, or risk and assurance practitioners who may need to decide whether a solution is cloud computing based on the technical attributes of the service. 

If you are unsure, please contact the GCIO ICT Assurance Team to discuss whether a service is or is not cloud.

2. What is Shadow Cloud?

Shadow Cloud refers to cloud services that are used without explicit organisational approval, or the knowledge and oversight of the ICT management, operations or information security departments within an organisation.   These might be services procured by a business unit or an employee where official and/or personal information is stored in the cloud, or a cloud service is accessed from a government network.  Government information could be compromised where risks are not understood and controls are not in place.

3. How should an agency approach Shadow Cloud?

Agencies should identify all cloud services in use by their organisation which involve government (official or personal) information or are accessed from government networks. 

There are various software tools and third-party services that facilitate this.  All cloud services require a proper risk assessment and endorsement in line with GCIO guidance, but agencies should take a risk-based approach to prioritising and managing this activity.  To discourage 'Shadow Cloud' proliferation, agencies should adopt clear policies and procedures, and set expectations to manage cloud usage.  Contact ICTAssurance@dia.govt.nz for further guidance.

4. Does the cloud process apply for cloud services hosted in New Zealand as well as overseas?

Yes.

The process applies regardless of where the cloud service is hosted.

5.  Where a cloud service is developed as part of a project or programme, when should the risk assessment take place?

The risk assessment should begin as early as possible.

6.  If multiple cloud products make up a service, can we do a combined risk assessment and endorsement?

Yes.

An example of this would be a third-party cloud product hosted on IaaS.

7.  Are mobile apps cloud services?

Mobile apps are considered part of a cloud service if they store, process, or transport agency information outside your network boundary.  A risk assessment must be done over the service.

8.  Is it proposed that the cloud risk assessment and endorsement process be used for IT services other than Cloud?

No.

The GCIO does not intend to extend the cloud process to cover other IT Services at this time.

Agencies are welcome to adopt and adapt the process for their own internal use if it helps their processes. Similarly, the cloud questionnaire may also be used in the assessment of other IT services.

The Cloud Risk Assessment Tool

1. Do we have to complete all the questions on the Cloud Risk Assessment Tool?

Not necessarily.

You should consider all the questions that apply.  The first 27 questions help you understand the sensitivity, value, classification, sovereignty and privacy of the information set concerned with the particular service being considered.  This can help inform the depth of the risk assessment required in the rest of the tool.  If the information is personally identifiable or is ‘IN-CONFIDENCE’ or above, you should seek full answers to the remaining questions (28-105) that are relevant to the solution.  If the information is unclassified and contains no personal information, the business may wish to accept the risk of having incomplete information in a certain risk area, but this decision should be documented.  Agencies should also consider the risk of publicly accessible information, particularly from a reputational, integrity, and availability perspective.  In no case should questions be ignored without any consideration.

The Security and Related Services Panel lists approved providers who are able to assist in conducting cloud risk assessments.

2.  Is the new Excel tool version of the cloud questionnaire (Cloud Risk Assessment Tool) different from the guidance originally published?

No.

However, we have added one additional question (Q.105), and some questions with multiple considerations have been split into their component parts for ease of completion.  We will be reviewing the question set in late 2015.

3.  Do we need to map items in the Cloud Risk Assessment Tool to the New Zealand Information Security Manual (NZISM)?

No.

The Cloud Risk Assessment Tool includes a column for this, but it is a placeholder for future development of the tool.  If an agency completes this mapping exercise we would be happy to incorporate its work in an update to the tool.

4.  Is there a Sparx model available for the Cloud Risk Assessment Tool?

Not yet. 

It is our intent to provide a Sparx model question set during 2015.  This would map to the planned NZISM and PSR Sparx models to assist agency risk and security architecture practices.

Endorsements

1.  Do we have to endorse all of our current cloud services retroactively?

Yes.

However, we expect agencies to adopt a prioritised plan based on an overall risk assessment.

2.  Do we need to let the GCIO know about cloud services we have not yet endorsed?

Please advise GCIO ICT Assurance at ICTAssurance@dia.govt.nz of any cloud risk assessments you have planned or underway so that these can be added to our cloud register.  At a minimum, please tell us the name of the cloud service, service provider name, and your contact information.

3.  Who is responsible for accepting the residual risk of adopting a cloud service?

Chief Executives (CEs) are ultimately accountable for decisions to use cloud services.  The approvals of the Chief Information Officer (CIO) and either the Chief Information Security Officer (CISO) or Chief Security Officer (CSO) are also required.

4.  Do we have to complete a Cloud Risk Assessment Tool and endorsement for all-of-government cloud services (e.g. Common Capabilities)?

Yes.

Common capabilities come with agency-specific risks that must be accepted or managed by each subscribing agency.  Cloud assessment tool responses or other artefacts may be available from Common Capability product managers to assist in your own risk assessment.

5.  We have completed the Cloud Risk Assessment Tool for a service.  Is that all we have to do?

You must also obtain endorsement by the CIO, CISO/CSO and CE (or formal delegate) and send your Cloud Endorsement by Agency (endorsement form) and assessment tool to GCIO.  This helps provide the GCIO and Ministers with confidence that sufficient agency assurance and oversight is in place.

6.  Can we use an alternate or custom format for the endorsement or risk assessment?

You can submit the information in any format you like, as long as it includes the content of the risk assessment and the three required endorsement signatures.

7.  Where do we send the completed endorsement form and Cloud Risk Assessment Tool?

We prefer to receive submissions electronically via email at ICTAssurance@dia.govt.nz.  Please use SEEMAIL where appropriate.  Or, you can submit via post to:

Department of Internal Affairs
Attn: Director ICT Assurance, SST (GCIO)
PO Box 805, Wellington 6140.  

Or hand deliver to DIA reception at Level 1, 46 Waring Taylor Street, Wellington.

8.  Do we have to complete all the activities on the endorsement form’s tick list?

No. 

The list is useful for informing us what assurance activities you have completed, but your own risk assessment should determine which assurance activities are required.  Consult the GCIO document Cloud Computing: Information Security and Privacy Considerations for what to consider in your risk assessment.

9.  Do we have to provide evidence to the GCIO of the formal delegated authority to approve cloud services?

Only if requested.

The GCIO will only require evidence of formal authority delegation in exceptional circumstances.  Agencies may need to revisit their existing delegated authorities to ensure they align with the GCIO cloud endorsement process.

10.  Won’t this new risk assessment process slow down cloud adoption by our agency’s business units?

It shouldn’t.

The risk assessment process is not new.  Cabinet Minute (13) 37/6B was issued on 29 October 2013 directing agencies to complete risk assessments, and the GCIO issued cloud risk assessment guidance in April 2014.  Risk assessments are a fundamental due diligence obligation and may appear to slow the pace of cloud adoption if your agency has not followed a robust process in the past.  The requirement to submit the endorsement form to the GCIO is new, but should not add to the time required to assess a cloud service.

11.  What is the relationship between security Certification and Accreditation (C&A), Privacy Impact Assessments (PIAs), and cloud endorsements?

While the processes should be well coordinated, there are a number of differences between C&A and the cloud endorsement processes.  The main difference is that cloud endorsements are just for cloud services, and C&A is considered for all agency systems.  All cloud services require agency endorsement.

The New Zealand Information Security Manual (NZISM) is the authoritative source for the system Certification and Accreditation (C&A) process.  The cloud risk assessment can be a component of a C&A process, along with Privacy Impact Assessments. Similarly, C&A process steps can inform the cloud endorsement process where appropriate. Both the C&A process and the cloud endorsement process result in the acceptance of residual risk by an accountable executive, who gives authorisation for the agency to use a particular service or system.

12.  Is the GCIO cloud endorsement process consistent with the requirements of the Protective Security Requirements (PSR)?

Yes.

Conducting a robust risk assessment over all cloud solutions contributes toward agencies meeting the information security governance and control expectations of the PSR.  The PSR framework supports cloud risk assessments by communicating how information should be protected. The New Zealand Information Security Manual (NZISM) also requires agencies to follow the GCIO process for cloud risk assessments and endorsements.

13.  If a third party is providing a cloud service to our clients (e.g. the public) on our behalf, do we have to follow the risk assessment and endorsement process?

Yes.

As agencies are responsible for the services delivered on their behalf, as well as any agency and personal information involved, the cloud risk assessment and endorsement process applies.

14.  After we send our artefacts to GCIO, how long will we have to wait for a response before implementing the cloud service?

You don’t have to wait. 

The ICT Assurance team will aim to acknowledge receipt of endorsements by email within two business days.  However, as the ICT Assurance team is not endorsing the submissions, you can implement the service as soon as the three required sign-offs are obtained.  We require your risk assessment and endorsements to support our system-wide view of key risks, and so that we can provide confidence to Ministers that agencies are managing their cloud risks.

15.  Do we have to stop using a cloud service if we find an appropriate risk assessment was never done?

Not necessarily.

You will need to weigh the business risks of stopping the service against the potential risks of allowing it to continue.

16.  Can we restrict the information our employees put in the cloud to reduce the risk?

Yes.

Limiting the type of information users can store in a cloud product (e.g. prohibiting personally identifiable information) is an acceptable way to lower the risk.  However, the restrictions need to be well communicated, monitored, and enforced, and a plan for doing this should be included in your risk assessment documentation. 

System-wide Collaboration

1.  Can we leverage cloud risk assessments done by other agencies for the same cloud service?

We maintain a cloud register and may be able to connect you with other agencies that have performed risk assessments for the service.  You will still need to perform the steps in the risk assessment unique to your agency.  If no other agencies have performed a risk assessment, you will be performing the first one, so other agencies may look to you to share information.  To double check that you are not duplicating work that has been done, ask the service provider if they have provided risk assessment information to any other New Zealand agencies. Similarly, if you are performing the first risk assessment on a cloud service, ensure the service provider is aware that their responses are being provided to The Crown for NZ Government Public Sector use.

2.  Will the GCIO make the cloud register available to all agencies?

We are currently exploring options for publishing the register securely, as it contains Commercial-In-Confidence information.

3.  If other agencies are using the cloud service, or providing it to me, doesn’t this mean they have done a risk assessment?

Our experience has shown that you should not assume that agencies have performed risk assessments in line with the GCIO guidance over the cloud services they are currently using or offering.

4.  What if a service provider refuses to provide information we need for our risk assessment?

If agencies cannot obtain the information they need to assess the risk, or obtain acceptable third-party assurance (e.g. SOC2 audit reports, certifications, etc.), or mitigate the risk in some other way, the cloud service should not be used. 

We expect that service providers will supply the information agencies need to decide whether the service meets their requirements.

5.  Have any cloud service providers prepared responses to the Cloud Risk Assessment Tool?

Some service providers have created sets of standard responses to many of the questions, specifically for the New Zealand market.  Contact us and we may be able to advise you on what is available. 

The service provider should provide you with the applicable response set if you ask.  You will still need to perform the risk assessment steps unique to your agency.

6.  When service providers provide information for our risk assessment, can we share this with other agencies?

Agencies need to decide what information needs to remain internal and what can be shared. 

Service providers should expect that information they provide is being provided to The Crown (NZ Public Sector) and will be shared among all interested agencies.  Agencies can help by ensuring that agreements support and allow for this sharing.

The Role of GCIO

1.  Is the GCIO ICT Assurance team endorsing cloud services?

No.

Agency executives endorse cloud services.

2.  Can the GCIO direct agencies to stop using a cloud service?

Yes.

The GCIO has been authorised by Cabinet to direct agencies to modify their use of cloud services.  It is our intent, however, to help agencies manage their own cloud risks, which limits the need for GCIO intervention.

3.  Does the GCIO ICT Assurance function provide assurance to agencies over all-of-government Common Capabilities?

No.

Agencies are required to seek their own assurance over Common Capabilities, in collaboration with the lead agency and, if applicable, the GCIO product manager overseeing the service.

4.  Will the GCIO review drafts or incomplete Cloud Risk Assessment Tools?

No.

We can provide general advice on the overall risk assessment and endorsement process, and help you understand the tools available, although in most cases we will not review or comment on the content of assessment tools.  If you need specific assistance with your risk assessments, we encourage you to look to the ICT Security and Related Services Panel or collaborate with other agencies interested in the same cloud service.

5.  The cloud guidance states that it may be possible to have security and privacy terms included in contracts.  Is there any standard contract language the GCIO can provide for this?

Unfortunately not.

Each agency’s circumstances are unique, and we cannot provide legal advice on contracting issues. 

We encourage agencies to consider the assessment tool questions related to contracts prior to subscribing to a cloud service.  We hope to be able to provide more guidance on this topic in the future.

6.  What will happen if the ICT Assurance team decides our endorsement or risk assessment process is incomplete or insufficient?

We will not raise a concern unless there is a significant unmitigated risk, or if the cloud service is missing a required endorsement.  If this is the case, we will work with you to resolve the issue.

In some cases we may provide comments back to you on how to improve the cloud risk assessment process.

7.  Will the GCIO pay for agencies to complete cloud risk assessments?

No.

Agencies are expected to assess and manage their risk, and to cover the costs of doing so.  Agencies should consider the initial and ongoing cost of assurance when making investment decisions.

Page last updated: 14/02/2017