Assess the risks of cloud services
Cloud services, like traditional IT systems, come with certain risks. Here's how agencies can assess these risks in a way that is tailored to their risk appetite and signed off at an appropriate level. This section also covers vendor responses to the questions in the cloud considerations document.
Agencies are responsible for risk assessments
Cabinet requires agencies to make cloud adoption decisions on a case-by-case basis following a risk assessment. Agencies decide how they want to run the risk assessment process, but DIA has optional tools and guidance available.
The risks involved with cloud services depend on how the services are used and on the new way of operating they require, so agencies are best placed to understand their own business risks.
Risk assessments are driven by business context
Each agency must understand the business context of its use of cloud services. In addition, the time and effort spent on the risk assessment should be proportional to the level of risk. In practice, this means carrying out an initial assessment of the classification of the information involved, and whether there are any privacy or sovereignty issues.
If the initial assessment concludes that risks are negligible, then a detailed risk assessment will not usually be required. Where significant risks are present, then a more-detailed risk assessment will typically be needed. Regardless of the risk level, assessments will help agencies to understand and mitigate risks, and establish a residual risk position.
Cloud risk assessment process
In following the cloud risk assessment considerations, you will be presented with questions that cover:
- confidentiality: for example, how well is the information protected by the cloud provider and/or the country it is stored in? Does the cloud provider have good encryption and key management procedures?
- integrity: for example, does the cloud provider have good processes and infrastructure to keep your data separate from other customers' data?
- availability: for example, does the cloud provider have good disaster recovery (DR), business continuity planning (BCP) and incident management practices? Does the location of the datacentres introduce latency issues? Are the SLAs appropriate for your use? Is your data adequately removed on termination of the service?
In general, these are all good risk questions that you would want answered if you were operating the service yourself. When answering them, it is helpful to consider how you obtain assurance from a service that you are trusting with your information.
Risk assessments, whilst important, are only a precursor to effective information risk management. Organisations should direct their resources towards managing information risk through treatment (selecting and implementing controls) – especially when their resources are limited. The service provider would normally bear the larger share of the effort in the cloud considerations questionnaire phase.
Note: a risk assessment should be sized in proportion to the value of the information you are entrusting to the service.
Cloud provider completed risk assessments
DIA provides security guidance for specific cloud services and maintains the list below of cloud service providers who have provided responses to the government cloud security and privacy considerations questionnaire. These responses are available to help agencies carry out a risk assessment of the providers' services:
- Catalyst IT’s Catalyst Cloud (NZ)
- Complete Learning Solutions
- Controls Reporting (ComplyWith NZ)
- Microsoft Azure
- Microsoft Dynamics CRM Online
- Microsoft Intune
- Microsoft Office 365
- Skyhigh CloudTrust
Contact the provider directly to obtain their answers. Agencies are responsible for evaluating the answers and determining whether they are relevant.
Please note that the appearance of a cloud service on this page does not indicate that the service or the answers have been endorsed by DIA.
Agencies may also be able to adapt the risk assessments completed by other agencies that have a similar business context.
Sign-offs can be delegated
Each agency must ensure the risk assessment is signed off by the chief executive or their delegate(s) (direct reports and below). Delegations should be made at a level appropriate to the risks of using the services (check your agency risk framework or contact your risk team). The sign-off should describe the process used and accept any residual risks.
Agencies provide copies of sign-offs to DIA
Agencies are required to submit both the Cloud Risk Assessment Tool (xlsx, 76kb), or similar, and the Cloud Endorsement by Agency (docx, 98kb), or similar, to ICTAssurance@dia.govt.nz. DIA does not endorse agency sign-offs. DIA logs the assessments and uses them only in high-level reporting to Ministers on ICT Assurance for cloud services.
- Cloud Service Requirements (docx, 116kb) summarises the Cloud Risk Assessment Framework.
- Cloud Computing: Information Security and Privacy Considerations (pdf, 196kb) describes how to identify, analyse and evaluate information security and privacy risks associated with cloud services. We recommend you read the considerations document before using the Cloud Risk Assessment Tool below.
- Cloud Risk Assessment Tool (xlsx, 76kb) is an Excel tool that can be used to capture the information identified using "Cloud Computing: Information Security and Privacy Considerations". It is an input used before and during a risk assessment process; completing the assessment tool does not constitute a risk assessment by itself.
- Risk Assessment Template (docx, 264kb) is a good-practice example for risk management that can be used for cloud services.
- Cloud Endorsement by Agency (docx, 98kb) is a sample template for signing off risk assessments.
- FAQs for Cloud Risk Assessments covers common questions often asked by agencies.