Cloud computing risk and assurance framework

Cabinet reference: CAB Min (13) 37/6B, copy number 56

This Cabinet minute was proactively released by the Minister of Internal Affairs. Originally IN-CONFIDENCE, it’s now UNCLASSIFIED.

The information could only be released, including under the Official Information Act 1982, by persons with the appropriate authority.

Portfolio: Internal Affairs

On 29 October 2013, following reference from the Cabinet Economic Growth and Infrastructure Committee, Cabinet:

Background

1. noted that in August 2012, Cabinet agreed to a ‘cloud first’ approach, where State Service agencies would be expected to adopt approved cloud services when faced with either new procurements or an upcoming contract extension decision [CAB Min (12) 29/8A];
2. noted that in June 2013, Cabinet adopted the ‘Government ICT Strategy and Action Plan 2017’ and an all-of-government ICT assurance framework [CAB Min (13) 20/13];
3. noted that the Government Chief Information Officer (GCIO), as part of the ICT functional leadership role, has responsibility for coordinated oversight and delivery of system-wide ICT assurance across the State Services;
4. noted that cloud computing carries risks and benefits for government, but that these can be respectively mitigated and maximised through appropriate assurance guidance and processes;
5. noted that cloud computing decisions are to be made in the context of a system-wide ICT assurance process developed by the GCIO and in the context of the New Zealand Protective Security Policy Framework (PSPF);

Proposed risk and assurance framework

6. agreed that decisions about cloud computing are to be made on a case-by-case basis after a proper risk assessment;
7. agreed that State Service agencies are to follow a mandatory uniform and robust information management process that will be issued by the GCIO;
8. noted that the ICT.govt site is being redeveloped into a service catalogue that will provide guidance and information to agencies on the risks and benefits associated with different cloud services and best practices to assess, deploy and use them;
9. agreed that no data above RESTRICTED be stored in a public cloud service (whether it is hosted offshore or onshore);
10. agreed that State Service agencies must contact the GCIO for advice and guidance when considering the use of any cloud service;
11. agreed that the guidance on security and risk considerations of cloud computing apply retrospectively to all cloud services currently in use by State Service agencies;
12. agreed that the GCIO will provide assurance on all-of-government and agency cloud solutions, explicitly targeting agency offshore cloud decisions and including assessments that the correct guidance and risk-based processes have been applied and followed;
13. agreed that the GCIO, where necessary, direct State Service agencies to amend, change or adapt their cloud service use;
14. agreed that there is an expectation that State Service agencies will join common ICT capability cloud solutions if they exist (for example OPaaS [Omnichannel Platform as a Service]), rather than sourcing individual cloud solutions;

[Redacted content]

Publicity

21. noted that the Department of Internal Affairs will integrate communications about cloud computing into publicity on the broader assurance framework;
22. noted that the Minister of Internal Affairs intends to proactively release the paper under EGI (13) 226 and its associated minute, subject to deletions that could have been made if this paper were released under the Official Information Act 1982.

Reference: CAB (13) 628; EGI Min (13) 25/15