Risk management is about understanding, assessing and documenting the scope of your risk in relation to service delivery, reputation, legal exposure, security and integrity, customer confidentiality and investment.
The core elements of risk management will always follow a similar pattern, based on the following Public Service intranet (PSI) advice:
- Identification — identifying risks and creating a risk register.
- Analysis — understanding each risk and estimating its level of impact, using a risk impact scale you develop for the purpose.
- Evaluation — deciding whether the risk level is acceptable or not.
- Treatment — deciding how you will approach each risk (for example, avoid it, transfer the liability, mitigate the likelihood, or accept the risk).
Risk assessments are part of many business processes. The key ones in a digital space will usually relate to privacy and security.
Assessing cloud service risks
Specific tools and resources have been developed to clarify the expectations and help streamline the processes for assessing risks related to using cloud services.
The GCDO has worked closely with security agencies to address their major concerns about using cloud services. These include:
- Offshoring and jurisdictional risk
- Social licence (engaging with citizens to validate their level of comfort)
Consider your exposure at key stages of any project or process to identify:
- ways of reducing risks and minimising impacts
- high-risk processes or systems
- where to prioritise resources.
- Risk Assessment Process: Information Security
- Risk Assessment Process: Information Security (PDF 295KB)
- Cloud services risk assessments
- Security and privacy – Establish a risk profile
- Protective Security Requirements
- NZ Information Security Manual