Cloud service requirements
Flowchart showing the procedure for completing the New Zealand Government requirements for cloud computing.
The requirements are designed to provide assurance that cloud service risks are managed. The extent of assurance required depends on the sensitivity of the information the cloud service will contain.
For all cloud services, including continuations of existing services and contract renewals
Agencies MUST contact GCDO via email or phone for guidance. GCDO will maintain a register of agency cloud service reviews, principally to facilitate information sharing among agencies. Ask us for details. We may have an example from another agency you can use.
Agencies MUST apply the relevant guidance in Cloud Computing: Information Security and Privacy Considerations. Not all questions may be relevant to every initiative. The GCDO has developed the Cloud Risk Assessment Tool to assist agencies in collecting information that will be required in risk assessment evaluations. Please see guidance on ict.govt.nz.
Agencies MUST have the Chief Information Officer, the Chief Executive (or delegate for the acceptance of business risk) and either the Chief Security Officer or the Chief Information Security Officer sign off on the risks and mitigations. The GCDO has developed a Cloud Endorsement by Agency form as an example [1].
Agencies MUST submit the following to the GCDO:
- The Cloud Risk Assessment Tool with relevant sections completed.
- A Cloud Endorsement by Agency (or similar).
GCDO staff will review the submission to ensure appropriate sign-off by the agency. They will not assess the underlying risk assessment.
Agencies MUST NOT adopt new cloud services until the sign-offs have been obtained and the above documentation has been forwarded to the GCDO.
Email submissions to ICTAssurance@dia.govt.nz
For queries email ICTAssurance@dia.govt.nz
Agencies are expected to adopt Government ICT Common Capabilities where available instead of sourcing their own cloud solutions. Agencies using Common Capability cloud providers can leverage the assessment done by the lead agency in many areas of the Assessment Tool. However, agencies MUST complete any additional sections of the Assessment Tool and the Cloud Endorsement by Agency (or similar) that are specific to the agency, and submit them to the GCDO.
Apply appropriate expertise
Agencies MUST apply the appropriate expertise in completing the Assessment Tool. If there is insufficient in-house expertise, agencies should obtain assistance from an All-of-Government (AoG) Security and Related Services panel provider.
Classification of the Assessment Tool
Assessment Tools and Cloud Endorsements by Agency (or similar) MUST be classified at the appropriate security classification. This is not necessarily the same classification as the information the cloud service will contain: a completed assessment documents the service's controls, known weaknesses and accepted residual risks, so it may warrant a higher classification than the data itself.
Agencies SHOULD ensure that third-party contracts related to cloud solutions (including those relating to assistance completing the Assessment Tool) contain clauses allowing the sharing of the results of the Assessment Tool within the NZ Public Sector.
Re-use of Assessment Tool responses and assessment materials
The GCDO will encourage and facilitate the sharing and re-use of existing cloud assessment materials among agencies.
Agencies SHOULD ensure any information received in this manner, including re-used vendor responses, is current and applicable to their own risk assessment.
[1] A Cloud Endorsement by Agency is not equivalent to a system certification or accreditation (described in Chapter 4 of the New Zealand Information Security Manual), which should be sought where required following the agency's own processes. Rather, it is a document attesting to the completeness of the risk assessment, including acceptance of the residual risk.