Catalogue approved services
Set up or update your organisation’s catalogue of approved public cloud services.
Options for setting up a catalogue
Once approved, you can either:
- use a catalogue solution through Marketplace — Software as a Service
- set up a catalogue specifically for public cloud services
- add public cloud services to your organisation’s existing catalogues for application and software services.
Teams to help with setting up the catalogue
Your organisation’s information security and technology teams should already be involved — having done risk assessments for public cloud services.
For setting up the catalogue of approved public cloud services, make sure you work with your organisation’s teams for:
- procurement
- accounting
- policy.
How to handle the costs of public cloud services
You may need to set up billing and payment models for public cloud services being used in your organisation.
Decide which services:
- your people can buy individually — for example, using a purchase card from their business unit
- are better managed using formal commercial arrangements.
Cost and volume pricing are likely factors in this decision.
Make your catalogue easy for people to use
A well-chosen set of approved services that are easy to find and use helps you to manage shadow cloud. Tell people in your organisation:
- where to find the catalogue
- why it’s important — for example, needing to respectfully use information for NZ government and New Zealanders
- how it will help them do their work
- who they can ask for help — support for risk assessments
- ways they can help to keep it up to date with new public cloud services.
An easy-to-use catalogue shows that you respect people’s time, mahi and mana. If using or updating it is too difficult, your people might get around your processes altogether — shadow cloud.
Give people information about each service
For each public cloud service in your organisation’s catalogue, show its:
- current approval status
- approved uses — which business needs, processes and information classification levels it has been approved for
- cost — including a margin, if any
- known risks — including what the service should not be used for
- recommended security controls that people need to use.
List information classification ranges
Risk assessments are for information and public cloud services together — they form an information system.
List the information classifications that are appropriate to use in each public cloud service. This helps your people to make strong decisions about which services they use with their information.
Properly classifying information should already be actively done in the day-to-day life of your organisation.
Show levels of assurance
When appropriate to your organisation’s context, show which public cloud services are:
- low in assurance
- high in assurance.
Giving this information to your people helps them make strong decisions about which services they use with their information.
You find each service’s level of assurance when you assess its risks.
Assess the risks of information in shadow cloud services
Low-assurance services
It might be best if low-assurance services are only used for UNCLASSIFIED information.
Meet the requirements of NZ legislation
Even in low-assurance services, government organisations must keep public records and meet requirements in the:
High-assurance services
It might be best if high-assurance services are only used for information that is either:
- IN-CONFIDENCE
- SENSITIVE
- RESTRICTED.
Keep your catalogue up to date
This is crucial for success in:
- managing shadow cloud — it’s not a static, one-off event
- digitally transforming NZ government to better serve New Zealanders.
Strategy for a Digital Public Service
How to update your catalogue
You can update your catalogue by:
- actively managing shadow cloud
- making the process for assessing risks as quick as possible for people in your organisation — let people know how to start a risk assessment.
Match your effort to the information’s value and risks
The Government Chief Digital Officer (GCDO) has guidance to help you keep your effort in proportion to your information’s value and risks.
Next step — actively manage shadow cloud in your organisation
Make managing shadow cloud an opportunity to:
- keep your catalogue up to date — taking advantage of the benefits of public cloud services
- avoid the problems of extreme approaches to shadow cloud.
Actively manage shadow cloud in your organisation