Cloud computing - mitigating risk

Cloud computing risk and assurance framework - Background to Government’s approach

Along with great benefits, using cloud services also has risk. In October 2013, Cabinet agreed to a Cloud Computing Risk and Assurance Framework [CAB Min (13) 37/6B] (pdf, 277kb) for government agencies. All State Service agencies are expected to follow the process in line with Cabinet direction. 

The key points from this framework are:

  • Decisions on all cloud computing services, including continuation of existing services and decisions to renew contracts, require case-by-case consideration by agency chief executives with GCIO oversight. Refer to the Cloud Service Requirements chart (docx, 115kb) for further guidance. This chart summarises the process for completing the requirements for cloud computing as detailed on these pages.
  • Agency chief executives are ultimately responsible for decisions to use cloud services, and are accountable for their risk exposure.
  • No data above RESTRICTED should be held in a public cloud, whether it is hosted onshore or offshore.
  • Agencies in the State Services are expected to follow a uniform and robust information risk management process that includes:

When agencies are taking up ICT Common Capability cloud services developed for All-of-Government by the GCIO, the lead agency developing the cloud ICT Common Capability will undertake the initial cloud assessment and other agencies may be able to place reliance on some of the assessment results. However, even with ICT Common Capabilities there are always agency-specific risks and considerations.

Cloud computing and ICT Assurance – What agencies must do when adopting cloud services

Requirements

All cloud computing decisions need to be made on a case-by-case basis after a proper risk assessment. State Service agencies are expected to follow the process issued by the GCIO.

For decisions on all cloud computing services, including Government ICT Common Capabilities, continuation of existing services and decisions to renew contracts, mandated agencies must:

  • Use Government ICT Common Capability cloud solutions where they exist, rather than source an individual cloud solution [CAB Min (12) 29/8A] (pdf, 242kb).
  • Conduct an initial cloud services information risk assessment of each cloud solution. The parent document is the Cloud Computing: Information Security and Privacy Considerations (pdf, 196kb). However, the GCIO has developed an easy to use spreadsheet based on this document called the Cloud Risk Assessment Tool (xlsx, 77kb). Start by completing the first three sections (questions 1-27) of the Cloud Risk Assessment Tool (xlsx, 77kb). If you are using a Government ICT Common Capability, you can leverage the initial analysis undertaken by the lead agency, however, you may be required to complete additional fields based on your agency’s profile.
    • The classification of the information,

    • The presence of Personally Identifiable Information (PII).

    • Any sovereignty and reputational issues.

  • Complete the relevant remaining sections of the Cloud Risk Assessment Tool (xlsx, 77kb) as needed, based on the results of the initial information risk assessment in the first three sections. Agencies may need to collect information directly from the cloud vendor.  Several cloud vendors have developed standard answer sets for some of the questions in the Cloud Risk Assessment Tool (xlsx, 77kb).  See the section Vendor answer sets below for a current list of products with answer sets.
  • Apply appropriate expertise in completing the Cloud Risk Assessment Tool (xlsx, 77kb).  If there is insufficient in-house expertise, agencies should obtain assistance from an All-of-Government Security and Related Services Panel provider.
  • Evaluate the information collected.
  • Perform any required testing and follow-up queries in order to understand and assess the risks, existing mitigations (controls), and residual risk to the agency.
  • Obtain sign-off from their agency’s Chief Executive or formal delegate attesting to the completeness and adequacy of the risk assessment, including the acceptance of any residual risk.  A Cloud Endorsement by Agency (docx, 97kb) is provided as a sample template for this endorsement.
  • Submit both the Cloud Risk Assessment Tool (xlsx, 77kb) and the Cloud Endorsement by Agency(docx, 97kb), or similar, to the GCIO ICTAssurance@dia.govt.nz   

The GCIO will use the results of agencies’ cloud risk review activities to assess on an ongoing basis whether the correct guidance and risk-based processes Cloud Computing: Information Security and Privacy Considerations guide (pdf, 197kb) are being applied and followed. The GCIO will not assess the underlying risk assessments as this is the responsibility of each agency CE. Endorsement of the cloud solution will not be required from the GCIO in advance of an agency adopting the cloud service.

The GCIO Government Enterprise Architecture team can provide limited guidance on the application of this framework.  Refer to the Cloud Service Requirements chart (docx, 115kb) for further guidance or email ICTAssurance@dia.govt.nz.

Information sharing

To further assist agencies and promote efficiency, the GCIO encourages and facilitates the sharing and re-use of existing cloud assessment materials among agencies.

All cloud documents submitted by agencies are logged in a register. We can put agencies who are beginning to assess a cloud solution in touch with other agencies that have completed a Cloud Risk Assessment Tool (xlsx, 77kb) for that particular service.  

Agencies must apply their own agency specific answers to relevant questions and ensure vendor information received in this manner is current and applicable to their own risk assessment.

Agencies should also ensure that third-party contracts related to cloud solutions (including those relating to assistance completing the Cloud Risk Assessment Tool (xlsx, 77kb) contain clauses allowing the sharing of Cloud Risk Assessment Tool (xlsx, 77kb) results within the State Services.

Please contact the ICT Assurance team ICTAssurance@dia.govt.nz for more information.

Page last updated: 24/07/2017