Send your risk documents to the GCDO

Collect: your answers to the risk discovery tool

These are the questions that you’ve answered and recorded in either:

• the Excel version — risk discovery tool for public cloud services
• your own document for recording them.

You do not need to include answers to the risk discovery, questions 28 to 105, if the person at the right level of reporting:

• approved the risk of incomplete information
• documented this decision in your risk assessment.

Collect: the approval of the risk assessment

A person at the right reporting level in your organisation needs to sign off on the risk assessment.

Check who can approve the risk level

Sign-offs can be done using either:

• your organisation’s document for sign-offs
• the ‘Cloud endorsement by agency’ form (PDF 97KB).

Classify your risk documents

Use the right classification level and make sure it’s visible for each document.

The risk assessment tool and endorsement form’s classifications might be different from the information being used in the public cloud service.

Send your documents to the GCDO

For reporting and sharing guidance about public cloud services, Cabinet requires government organisations to send their signed endorsement forms and completed questions from the risk assessment tool to gcdo@dia.govt.nz.

The GCDO does not endorse the sign-offs by government organisations.

Final step — use your risk assessment

Put your risk assessment to:

• immediate use — add your information’s security controls to your organisation’s risk registers
• ongoing use — work with your organisation’s security and information technology teams to schedule future reviews.

Final step — Use your risk assessment