Tips for right-sizing your risk assessment
Match your time and effort on risk assessments to the information’s risk and value — here’s why and how.
Use information in secure and respectful ways
Government organisations must responsibly use the information of the NZ government and New Zealanders. This involves:
- only storing data classified as RESTRICTED or below in a public cloud service
- setting up security controls to protect information in ways that match its risk level.
Common levels of information classification
Most information used by the NZ government in public cloud services is either:
Balance your resources — right-size risk assessments
Government organisations have a responsibility to use their financial and human resources wisely. For risk assessments, this means spending:
- more time and effort on high-value information
- less time and effort on low-value information.
This is often called right-sizing your response to risk.
What often happens when you do not right-size assessments
If you pour lots of resources into assessing the risks of all types of information, this can:
- stop or slow your use of public cloud services that would otherwise help your people meet your organisation’s business needs
- divert resources from high-risk information to low-risk information — increasing the overall risk to your organisation.
At the other extreme, focusing too few resources on risk assessments can lead you to under-protect high-risk information.
Benefits of right-sizing your risk assessments
Right-sizing your risk assessments helps you to:
- use your information security resources in the right places — that is, most effectively
- take advantage of the benefits of using public cloud services.
Match your time and effort to the risk level
Use the risk discovery tool for public cloud services.
Using the tool helps you answer the risk and security questions that fit your situation. In other words, you can avoid wasting time on questions that do not match the risk and value of the information you’re looking to use in a public cloud service.
Always consider any additional questions and risk areas that are specific to your business and technical contexts.
Follow your organisation’s process for assessing risks.
Low information classifications with high values and risks
Classification levels, such as UNCLASSIFIED and IN-CONFIDENCE, are part of the Government Security Classification System. However, you also need to consider business impacts, because they can make information more valuable than its classification level suggests.
Business impact levels can help you decide if the information is of greater value to your organisation, the NZ government and New Zealanders.