
Assess the risks of using a public cloud service

Complete your risk assessment — to help with this, use your answers to the relevant questions in the tool for public cloud services.

Finish all of the steps — this avoids shadow cloud

It’s important to complete all the steps in your risk assessment and use it with your security and information technology teams.

If you stop short of the final step, your use of a public cloud service becomes ‘shadow cloud’. This is because your risks and security controls are not being formally monitored and reviewed.

Shadow cloud

Assess the risks — follow these steps

Do a risk assessment for using a public cloud service.

Use the following steps to make sure you manage NZ government and New Zealanders’ information in safe and respectful ways.

  1.

    Check if you need to do a risk assessment

    You need to assess risks when looking for or starting to use services — and when there are any significant changes or new risks.

    When to assess the risks of using a public cloud service

  2.

    Understand what the service will be used to achieve

    Be clear about the business needs and types of work the people in your organisation will be using the service to achieve. Make sure the service fits with your organisation’s cloud plan.

    Use your cloud plan

  3.

    Use the risk discovery tool

    Use this tool to find out which risks and security controls to consider. This helps you do your risk assessment in a way that matches your effort with the risk and value of the information you’ll be using in a public cloud service.

    Risk discovery tool for public cloud services

  4.

    Assess the risks of using the public cloud service

    Use your answers from the tool to help you with your organisation’s risk assessment process. Find out if using the public cloud service fits:

    • what your people will be using it for — purposes and business needs
    • how valuable the information is to your organisation, the NZ government and New Zealanders
    • the level of security assurance you need for your information — this depends on your decision about the information’s value.

    Use your organisation’s approved process

    Your organisation should have a process for assessing risks that is approved by its senior management. There might be situations where your organisation is still developing or improving its process.

    Create or improve your organisation’s process for assessing risks

  5.

    If needed — identify security controls

    See if there are security controls that can bring risks that are currently too high down to a suitable level.

    The Government Chief Digital Officer has examples of this risk evaluation process.

    Evaluate the risks to an information system

  6.

    Finish your risk assessment — make a decision

    Decide if the public cloud service:

    • is suitable and can be used
    • needs more security controls to make it fit your organisation’s risk tolerance
    • is not suitable — continue looking for another public cloud service
    • is not suitable — and neither would another public cloud service.

    If no — you’re not going to use the service

    It’s best practice to still file the risk assessment with your security and information technology departments. This way, others do not duplicate the work and can reference it as a starting point in the future.

    Use your risk assessment

    If yes — you decide to use the service

    Continue with steps 7 to 9.

  7.

    Sign off the risk assessment at the right level

    See your organisation’s policies to know who is authorised to accept the risk level of your assessment.

    Check who can approve the risk level

  8.

    Send your risk documents to the GCDO

    To the Government Chief Digital Officer (GCDO), send your completed:

    • questions from the risk assessment tool
    • endorsement form.

    Send your risk documents to the GCDO

  9.

    Use your risk assessment

    Put your risk assessment to:

    • immediate use — add your information’s security controls to your organisation’s risk registers
    • ongoing use — work with your organisation’s security and information technology teams to schedule future reviews.

    Use your risk assessment

More information

Tips for right-sizing risk assessments
