Catalogue approved services

Set up or update your organisation’s catalogue of approved public cloud services.

Options for setting up a catalogue

Once approved, you can either:

Teams to help with setting up the catalogue

Your organisation’s information security and technology teams should already be involved — having done risk assessments for public cloud services.

For setting up the catalogue of approved public cloud services, make sure you work with your organisation’s teams for:

  • procurement
  • accounting
  • policy.

How to handle the costs of public cloud services

You may need to set up billing and payment models for public cloud services being used in your organisation.

Decide which services:

  • your people can buy individually — for example, using a purchase card from their business unit
  • are better managed using formal commercial arrangements.

Cost and volume pricing are likely factors in this decision.

Make your catalogue easy for people to use

A well-chosen set of approved services that are easy to find and use helps you to manage shadow cloud. Tell people in your organisation:

  • where to find the catalogue
  • why it’s important — for example, needing to respectfully use information for NZ government and New Zealanders
  • how it will help them do their work
  • who they can ask for help — support for risk assessments
  • ways they can help to keep it up to date with new public cloud services.

An easy-to-use catalogue shows that you respect people’s time, mahi and mana. If using or updating it is too difficult, your people might get around your processes altogether — shadow cloud.

Give people information about each service

For each public cloud service in your organisation’s catalogue, show its:

  • current approval status
  • approved uses — which business needs, processes and information classification levels it has been approved for
  • cost — including a margin, if any
  • known risks — including what the service should not be used for
  • recommended security controls that people need to use.

List information classification ranges

Risk assessments are for information and public cloud services together — they form an information system.

List the information classifications that are appropriate to use in each public cloud service. This helps your people to make strong decisions about which services they use with their information.

Properly classifying information should already be actively done in the day-to-day life of your organisation.

Classify information

Show levels of assurance

When appropriate to your organisation’s context, show which public cloud services are:

  • low in assurance
  • high in assurance.

Giving this information to your people helps them make strong decisions about which services they use with their information.

You find each service’s level of assurance when you assess its risks.

Assess the risks of information in shadow cloud services

Low-assurance services

It might be best if low-assurance services are only used for UNCLASSIFIED information.

Example of information for services with low assurance

Common examples of this situation are services used for:

  • team collaboration
  • developing policies.

Meet the requirements of NZ legislation

Even in low-assurance services, government organisations must keep public records and meet requirements in the:

High-assurance services

It might be best if high-assurance services are only used for information that is either:

  • IN-CONFIDENCE
  • SENSITIVE
  • RESTRICTED.

Example of information for services with high assurance

Common examples of this situation are services used for:

  • critical or complex business needs and their processes
  • personal information — such as health information
  • official information that has national security or possible economic impacts.

Keep your catalogue up to date

This is crucial for success in:

  • managing shadow cloud — it’s not a static, one-off event
  • digitally transforming NZ government to better serve New Zealanders.

Strategy for a Digital Public Service

How to update your catalogue

You can update your catalogue by:

  • actively managing shadow cloud
  • making the process for assessing risks as quick as possible for people in your organisation — let people know how to start a risk assessment.

Match your effort to the information’s value and risks

The Government Chief Digital Officer (GCDO) has guidance to help you keep your effort in proportion to your information’s value and risks.

Tips for right-sizing your risk assessment

Next step — actively manage shadow cloud in your organisation

Make managing shadow cloud an opportunity to:

  • keep your catalogue up to date — taking advantage of the benefits of public cloud services
  • avoid the problems of extreme approaches to shadow cloud.

Actively manage shadow cloud in your organisation
