Assess the risks of using a public cloud service
Complete your risk assessment — to help with this, use your answers to the relevant questions in the tool for public cloud services.
Finish all of the steps — this avoids shadow cloud
It’s important to complete all the steps in your risk assessment and use it with your security and information technology teams.
If you stop short of the final step, your use of a public cloud service becomes ‘shadow cloud’. This is because your risks and security controls are not being formally monitored and reviewed.
Assess the risks — follow these steps
Do a risk assessment for using a public cloud service.
Use the following steps to make sure you manage NZ government and New Zealanders’ information in safe and respectful ways.
Check if you need to do a risk assessment
You need to assess risks when looking for or starting to use services — and when there are any significant changes or new risks.
Understand what the service will be used to achieve
Be clear about the business needs and types of work the people in your organisation will be using the service to achieve. Make sure the service fits with your organisation’s cloud plan.
Use the risk discovery tool
Use this tool to find out which risks and security controls to consider. This helps you do your risk assessment in a way that matches your effort with the risk and value of the information you’ll be using in a public cloud service.
Assess the risks of using the public cloud service
Use your answers from the tool to help you with your organisation’s risk assessment process. Find out if using the public cloud service fits:
- what your people will be using it for — purposes and business needs
- how valuable the information is to your organisation, the NZ government and New Zealanders
- the level of security assurance you need for your information — this depends on your decision about the information’s value.
Use your organisation’s approved process
Your organisation should have a process for assessing risks approved by their senior management. There might be situations when your organisation is developing or improving its process.
If needed — identify security controls
See if there are security controls that can bring risks that are currently too high down to a suitable level.
The Government Chief Digital Officer has examples of this risk evaluation process.
Finish your risk assessment — make a decision
Decide if the public cloud service:
- is suitable and can be used
- needs more security controls to make it fit your organisation’s risk tolerance
- is not suitable — continue looking for another public cloud service
- is not suitable — and neither would another public cloud service.
If no — you’re not going to use the service
It’s best practice to still file the risk assessment with your security and information technology departments. This way, others do not duplicate the work or can reference it as a starting point in the future.
If yes — you decide to use the service
Continue with steps 7 to 9.
Sign off the risk assessment at the right level
See your organisation’s policies to know who is authorised to accept the risk level of your assessment.
Send your risk documents to the GCDO
To the Government Chief Digital Officer (GCDO), send your completed:
- questions from the risk assessment tool
- endorsement form.
Use your risk assessment
Put your risk assessment to:
- immediate use — add your information’s security controls to your organisation’s risk registers
- ongoing use — work with your organisation’s security and information technology teams to schedule future reviews.