Design for and implement security controls for cloud services
To reduce time and effort for agencies, this section contains the security guidance currently available for major public cloud services. It also describes all guidance in development, including guidance on office productivity services.
Certification and Accreditation
Agencies are required to certify and accredit their own IT systems and services. The certification and accreditation processes set out in the New Zealand Information Security Manual (NZISM) will be reviewed by the GCSB to make sure that they are relevant for cloud services.
In addition, DIA is developing guidance for agency security certification and accreditation processes. This will help agencies streamline their existing processes.
Security certification for major public cloud services
Security certification documents for some public cloud services are now available. These should significantly reduce the time and effort agencies need to complete security certification for those services.
These documents typically include a generic risk assessment, an independent audit report of the service's security controls, and a security certificate. The security certificate summarises the security position of the service, the residual risks, and any risk remediation plans.
Security certification documents are available or coming soon for the following services:
- Microsoft’s Office 365 service: available now are a risk assessment, service security certificate, and independent audit report.
- Microsoft’s Azure Active Directory service: available now is a risk assessment and service security certificate.
- Microsoft’s Azure service: a risk assessment is expected to be released during February 2017. A service security certificate is anticipated to be ready in April 2017.
- Amazon Web Services infrastructure services: a risk assessment is expected to be released during February 2017. A service security certificate is anticipated to be completed by April 2017.
This guidance is not available on ict.govt.nz. Agencies should request this security guidance through Sharon Dilks (email@example.com).
NZISM 2017 Update (coming)
The NZISM will be updated in 2017 to better enable the adoption of cloud services. This is part of a wider collaboration between the GCIO and GCSB to develop guidance that helps agencies implement cloud services safely and consistently. The NZISM update will incorporate the new security requirements and provide new sections that specifically support agencies' risk management (and Certification and Accreditation) practices.
In July 2016, Cabinet agreed that agencies can use offshore-hosted office productivity services, provided they comply with new guidance on security requirements for using these services: CAB-16-MIN-0316 (pdf, 343KB).
DIA and GCSB have jointly developed this guidance, which describes how the New Zealand Information Security Manual (NZISM) should be applied in the context of these offshore-hosted (OH) services. This guidance is now available:
- Security requirements for OH Office Productivity - January 2017 (pdf, 472KB)
- Security requirements for OH Office Productivity - January 2017 (docx, 193KB)
General guidance for cloud services (coming)
General guidance and architectural reference patterns will be developed to help agencies to securely use public cloud services.