Unsorted questions — risk discovery for public cloud

The risk discovery tool sorts risk and control questions — that’s its major benefit.

Cloud Risk Discovery Tool (ZIP, 1.1 MB)

However, you might want to see an unsorted list of the questions.

The tool will be developed as a fully accessible application. For help and more information — and if you were in the middle of using the previous tool — contact gcdo@dia.govt.nz.

Business context

To help you understand where the public cloud service sits in your organisation, first list the:

  • project
  • vendor
  • service.

Next, list the:

  • business owner of the service
  • business purpose for which the service will be used
  • affected business processes
  • data used by the service
  • business owner of the data.

Will the service be used by 1 or a mix of:

  • a single team or business group
  • multiple groups or the whole organisation
  • trusted third-parties
  • members of the public?

Finish your business context by noting:

  • who filled in the template for the business context
  • their email address and phone number
  • the date.

Stage 1 questions — security requirements

These are the screening questions. In the tool, your answers identify which questions you should answer in stage 2.

  1. Has the business owner of the information been identified?
  2. Have the business processes that are supported by the information been identified?
  3. Could the information impact national security if disclosed without authorisation?
  4. Is the information in the public interest or does it relate to national policy?
  5. Does the data include any personal information?
  6. Does the initiative involve Māori data or impact Māori interests?
  7. Does the data need to be retained beyond immediate use of the cloud service?
  8. Are there any other compliance obligations applying to the information?
  9. Would the agency, its customers or other parties be impacted if the information was disclosed in an unauthorised manner?
  10. Would the agency, its customers or other parties be impacted if people or systems could not access the service or information?
  11. Would the agency, its customers or other parties be impacted if the integrity or accuracy of the information was compromised?
  12. Does the agency need to maintain control of the information?
  13. Does the service need ongoing access to information stored in another system — either cloud, on-premise or hybrid?
  14. Is the service billed by time, resource usage or other variable, unpredictable measures?

The risk discovery tool sorts the questions in stage 2, which focuses on the security controls in place to lessen the identified risks.

General risks

  • Privacy — privacy principles may be breached.
  • Disclosure — information could be revealed to parties that should not have access.
  • Service continuity — the service or information may not be accessible when needed.
  • Integrity — information could become incomplete, inaccurate or invalid.
  • Data retention — information may not be retained as necessary or may not be destroyed when required.
  • Business strategy — carrying out your agency’s business strategy could be negatively impacted.
  • Unauthorised access — somebody is able to access the information or service without authorisation.
  • Uncontrolled cost — the cost of operating the service is not predictable or it’s not in the control of the agency.
  • Control of information — your agency becomes unable to assert its control of the information.
  • National interests — an incident involving this information could affect New Zealand’s national interests.
  • Compliance — your agency is unable to meet its legislative, regulatory or contractual obligations.
  • Governance — your agency does not have enough visibility or authority to effectively govern the service or information.
  • Incident recovery — the service is unable to return to correct operation within the required time after an incident.

Stage 2 questions — residual risk

These are questions that relate to the controls implemented by either the:

  • agency
  • service provider
  • or both.

The tool sorts them based on your answers in stage 1. Here, they are all listed. For example, in the tool, you would not get the repeated question about the business owner.

1 — Has the business owner of the information been identified?

Identify and engage the business owner.

In order to understand the risks relating to your information it’s important to understand the business context of the information. The business owner of the information is able to provide this context, and must make any decisions regarding the protection of the information.

Question 1: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Governance                  Yes               No

2 — Have the business processes that are supported by the information been identified?

Identify all affected business processes.

Business processes that use the service or rely on information processed by the service can be impacted by any issues affecting the service. Understanding which business processes are affected will help you to determine the criticality of the service.

Question 2: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Business strategy       Organisation operations     Yes               No

3 — Is the information classified RESTRICTED, SENSITIVE or lower, based on the NZ government guidelines for protection of official information?

Classify the information that will be stored or processed by the service.

Information must be classified if its compromise could cause harm to a person or New Zealand’s national interests. Only information classified RESTRICTED, SENSITIVE or lower may be used or stored by a public cloud service.

Question 3: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
National security       Information classification  Yes               No

4 — Has a Privacy Impact Assessment been completed?

Perform a Privacy Impact Assessment.

Whenever personal information is involved it’s important to understand how it could impact on the privacy of individuals, either positively or negatively. A Privacy Impact Assessment should be performed whenever:

  • there’s any substantial change to the way personal information is stored, secured or managed
  • personal information is transferred overseas or to a third party such as a cloud service provider.

The Office of the Privacy Commissioner provides guidance for performing a Privacy Impact Assessment and agencies can contact the Government Chief Privacy Officer for assistance.

Question 4: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Privacy                 Privacy                     Yes               No

5 — Have the users of the service been identified?

Identify users of the service and the role they perform, for example:

  • all kaimahi will use the service
  • branch administrators will create monthly reports
  • people on the internet will read information on the website and submit support requests.

The impact of any disruption to the service may affect people or organisations beyond the commissioning agency. By identifying those other affected parties their interests can be taken into account.

Question 5: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Requirement                 Yes               No

6 — Have you considered the access each group of users requires to the information?

Access can include permissions for:

  • read
  • write
  • modify
  • delete
  • or a mix of these.

Restrict users to the functions needed to perform their roles.

Understanding the access required by different groups of users allows permissions to enable effective use of the system without unnecessarily increasing risk by allowing more access than is needed. It also helps to identify risks that user actions could pose to the service or information.

Question 6: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Information management      Yes               No

7 — Besides the legislation that always applies, is there any other legislation that is likely to apply to the information or service being assessed?

Legislation that always applies to official information includes, for example, the:

  • Privacy Act 2020
  • Public Records Act 2005
  • Official Information Act 1982
  • legislation that your agency is responsible for.

Identify all relevant legislation and regulations.

Legislation covering the type of information stored or processed by the service will affect the necessary terms of service. It’ll also affect how the agency and provider handle and protect the information.

Question 7: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Compliance              Compliance                  Yes               No

8 — Does the agency have contractual obligations that apply to the information?

Identify the agency’s contractual obligations.

There may be compliance requirements the agency is contractually obliged to meet for different types of information. For example, if you take credit card payments, you’ll need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Question 8: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Compliance              Compliance                  Yes               No

9 — Do you know what the impact would be to each affected party if the information was disclosed in an unauthorised manner?

Understand the impact that inappropriate information disclosure could have to the agency and its customers.

Consider the different users and owners of the information. The impact may vary for different affected parties.

Question 9: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Disclosure              Requirement                 Yes               No

10 — Do you know what the impact would be to each affected party if the integrity of the information was compromised?

Understand the impact of inaccurate or incomplete data.

Agencies and their customers rely on the integrity of information for:

  • their own purposes
  • use in the purposes of others — for example, court processes
  • enabling accountability processes
  • long-term research.

Losing confidence in the integrity of information, even when the information itself appears to have been preserved, affects the viability of those processes.

Question 10: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Integrity               Requirement                 Yes               No

11 — Does the agency have incident response and management plans in place?

The agency’s incident response and management plans will minimise the impact of unauthorised disclosure.

Incident response and management plans that cover all relevant aspects of operational, security, and service problem incidents should be considered.

Question 11: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Incident recovery       Governance                  Yes               No

12 — Do you know what the impact would be to each affected party if the information were unavailable?

Understand the impact to the agency and its customers if the service or information cannot be accessed.

Consider the different users and owners of the information. The impact may vary for different affected parties.

Question 12: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Service continuity      Requirement                 Yes               No

13 — Do you know the maximum amount of data loss that could be tolerated after a disruption has occurred?

Identify the maximum amount of data loss that can be tolerated after an incident.

When recovering from a data-loss incident it’s common that not all of the recovered data is completely current. Consider how out of date the recovered data can be before the service is effectively unrecoverable or the impact on the affected parties becomes unacceptable.

Question 13: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Integrity               Requirement                 Yes               No

14 — Do you know the maximum period of time before which the minimum levels of services must be restored after a disruption has occurred?

Identify the maximum period of time before which the minimum levels of services must be restored after a disruption has occurred.

It’ll take time to recover the service after an incident. The longer the service is disrupted the more difficult it may be to return to normal operation. Consider the minimum level of service that must be restored to sufficiently support affected business processes, and the length of time the service can be disrupted before this minimum service level is restored.

Question 14: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Service continuity      Requirement                 Yes               No

15 — Do you know the maximum period of time before which the full service must be restored to avoid permanently compromising the business objectives?

Identify the maximum period of time before which the full service must be restored to avoid permanently compromising the business objectives.

If you have critical business processes relying on the cloud service then these will be affected by any interruption to the service. The longer a service is unavailable the more difficult it may become to return to business as usual.

Question 15: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Service continuity      Requirement                 Yes               No

16 — Is the registered head office of the service provider clear?

Select service providers registered in appropriate jurisdictions.

The jurisdiction in which the service provider’s head office is registered may affect how the provider treats customer data.

Question 16: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Governance                  No                Yes

17 — Is it clear which countries the cloud services are delivered from?

Identify the countries the cloud services are delivered from.

It’s typical for cloud services to be delivered from countries different from the location of the provider’s head office. This might affect how the information is managed or agency control of its information.

Question 17: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Architectural               No                Yes

18 — Is it clear in which legal jurisdictions the agency’s data will be stored and processed?

Assess the suitability of jurisdictions used to store and process information.

Information may be subject to the laws of the locations in which it’s stored and processed.

Question 18: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Governance                  No                Yes

19 — Does the service provider allow its customers to specify the locations where their data can and cannot be stored and processed?

If there are identified jurisdictional risks, specify acceptable locations where data can be stored and processed.

By specifying locations where the data can and cannot be stored it’s possible to limit the risk that it’ll be accessed or copied without authorisation, particularly by an overseas government. This gives improved assurance that the agency retains control of its information.

Question 19: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Architectural               No                Yes

20 — Have the laws of the country or countries where the data will be stored and processed been reviewed to assess how they could affect the security and privacy of the information?

The jurisdictions where the data will be stored or processed may have laws that affect agency data, for example, by:

  • requiring the provider to disclose customer information if requested by the government or law enforcement
  • having privacy laws that may not meet the standard required by the Privacy Act 2020.

Question 20: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Governance                  Yes               Yes

21 — Are customers able to negotiate with the service provider to ensure that sufficient privacy protections are specified in the contract to meet the requirements of the Privacy Act 2020?

Ensure that contracts enforce sufficient privacy protections to meet the requirements of the Privacy Act 2020.

You’re responsible for the privacy of personal information even when it’s being held or managed by service providers. You must ensure that your service provider will manage and protect personal information in a manner consistent with the Privacy Act 2020, even when the information or service provider is overseas. The Privacy Commissioner provides model contract clauses you can use.

Question 21: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Contract                    No                Yes

22 — Does the contract specify that the provider will only disclose information in response to a valid court order, or another lawful access request?

Ensure that contracts specify that the provider will only disclose information in response to a valid court order, or another lawful access request.

Lawful access is where a third party, usually a law enforcement or national security agency, has a legal right to access the agency’s data through the service provider in the performance of their responsibilities. This may or may not require a court order, and the provider may not be allowed to notify the agency if this occurs.

Question 22: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Contract                    No                Yes

23 — Does the provider inform their customers if they have to disclose information in response to a lawful access request?

Where possible the provider should notify the agency if its data is subject to a lawful access request.

Agencies may wish to know that their information has been subject to a lawful access request. In addition, agencies have obligations for information they have in their control. This may include obligations to notify others about use of and access to the information. In some cases the provider may be prevented from notifying the agency that a request has been made.

Question 23: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Contract                    No                Yes

24 — Is the service provider’s use of personal information clearly set out in its privacy policy?

The provider must either agree through contract to make no use of personal information or clearly indicate what uses it intends so that the agency can decide if this meets agency obligations and needs.

Question 24: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Privacy                 Contract                    No                Yes

25 — Does the service provider notify its customers if their data is accessed by, or disclosed to, an unauthorised party?

Agencies have obligations for data in their control. These may include requirements to act or notify when information is accessed by an unauthorised party. These obligations may arise through different mechanisms including legislation (for example, the Privacy Act) or contract.

Question 25: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Incident recovery       Contract                    No                Yes

26 — Is there a clear contact for the agency, its staff and customers to complain to if there’s a privacy breach?

Agencies and affected parties must be able to contact the provider if they become concerned about a potential or actual privacy breach.

Question 26: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Privacy                 Governance                  No                Yes

27 — Do the service provider’s terms of service and service level agreement (SLA) clearly define how the service protects the confidentiality, integrity and availability of all customer information entrusted to it — especially official information and the privacy of all personally identifiable information?

Contracts and SLAs should clearly define how the service protects the confidentiality, integrity and availability of all customer information entrusted to them — especially official information and the privacy of all personally identifiable information.

Contracts and agreements should include a requirement for service providers to meet the confidentiality (including privacy), integrity and availability needs of all the data.

Question 27: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Contract                    No                Yes

28 — Do the service provider’s terms of service specify that the agency will retain ownership of its data?

Contracts should include terms that specify that the agency will retain ownership of its data.

Agencies are obliged to maintain Crown ownership of data. The provider must comply with this obligation or the agency must ensure that it can meet its obligation through another mechanism.

Question 28: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Contract                    No                Yes

29 — Will the service provider use the data for any purpose other than the delivery of the service?

Contract terms should prevent the service provider from using data for any purpose other than the delivery of the service.

Agencies have obligations for data in their control. These may include limits on what the information can be used for and who it can be used by. These obligations may arise through different mechanisms including legislation (for example, the Privacy Act), contract, agreements made at the point of collection, or through reasonable expectations of behaviour by the Public Service.

Question 29: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Contract                    No                Yes

30 — Is the service provider’s service dependent on any third-party services?

Ensure that subcontractors and third-party services used by the provider meet the same expectations as the provider.

When a provider is dependent on another third party, the agency and its customers become dependent on that third party too. It’s necessary to understand what that level of dependency is and what risks it poses to the agency, its customers and others.

Question 30: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Governance                  No                Yes

31 — Does the service provider undergo regular assessment by an independent third-party against an internationally recognised information security standard or framework?

The provider and service undergo regular assessment by an independent third-party against an internationally recognised information security standard or framework.

Independent reports and certifications give assurance that the provider meets a minimum security standard. The reports will describe the security controls and practices the provider has in place. Widely accepted standards include:

  • ISO 27001
  • NIST Cybersecurity Framework (CSF)
  • Cloud Security Alliance (CSA) STAR certification.

An ISAE 3402 SOC 2 Type II report will describe how the provider’s security controls have performed over time.

Question 31: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Audit                       No                Yes

32 — Can the agency review recent audit and certification reports, including the Statement of Applicability, before signing up for service?

Agencies can reasonably expect that when they choose to rely on independent third party assurance activities, they will be provided with sufficient information to understand the full scope and findings of those activities.

If the provider does not make independent certification and compliance documents available for review, then you should consider requiring an independent audit.

Question 32: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Audit                       No                Yes

33 — Do the service provider’s terms of service allow the agency to directly audit the implementation and management of the security measures that are in place to protect the service and the data held within it?

For higher risk services, or services where the agency has reason to have less confidence in the provider, the agency may need to directly audit the measures being used to keep the information it has in its control secure.

Question 33: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Audit                       No                Yes

34 — Will the service provider enable potential customers to perform reference checks by providing the contact details of two or more of its current customers?

This is something that will need to be handled on a case-by-case basis; for example, it’ll depend on whether the current customer will allow direct contact.

Question 34: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Audit                       No                Yes

35 — Is the service provider signatory to the Cloud Computing Code of Practice?

The Cloud Computing Code of Practice provides a set of foundational expectations about what cloud providers will disclose to agencies and includes a complaints process. It gives agencies clarity about what information the provider will disclose to them. Agencies may still choose to request or perform independent assurance on any matters, including those which the provider has signed up to as part of the Code of Practice.

Question 35: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Governance                  No                Yes

36 — Does the agency have an identity management strategy that supports the adoption of cloud services?

When using cloud services, the identification of users and administrators accessing the services is instrumental for enforcing security policy. It’s important that the agency’s identity records are accurate and timely, and that cloud services are able to rely on these records for security enforcement.

Question 36: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Cloud adoption strategy     Yes               No

37 — Does the cloud service support the agency’s identity management strategy?

The service should support identity federation, authorisation and single sign-on that can integrate with the agency’s directory and identity services.

Question 37: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Governance                  No                Yes

38 — Does the agency have an effective and audited internal process that ensures that identities are managed and protected throughout their lifecycle?

Have an effective and audited internal process that ensures that identities are managed and protected throughout their lifecycle.

Cloud services rely on the agency’s identity records when enforcing authorisation and access to services and information, and for maintaining accurate records of user activity within the service. It’s important that identity record maintenance is timely and accurate as users join, leave or change roles within the service. Identity records must be protected to ensure their integrity.

Question 38: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Identification              Yes               Yes

39 — Are all passwords, especially those of system and service administrators, encrypted in accordance with the complexity requirements of the New Zealand Information Security Manual (NZISM)?

Passwords must be complex enough to resist discovery and must be appropriately hashed or encrypted when stored so they are not exposed in case of an incident. The NZISM sets minimum standards for encryption and complexity.

Question 39: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Access management           Yes               Yes

40 — Does the service allow use of multi-factor authentication?

Consider use of multi-factor authentication, especially for privileged accounts.

It’s good practice to require multi-factor authentication whenever accessing the service or information. This is especially important when authenticating privileged and administration users.

Question 40: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Access management           Yes               Yes

41 — Does the independent audit and certification include assessment of the security controls and practices related to separation of tenant data?

Check that the independent audit and certification include the assessment of the security controls and practices related to separation of tenant data.

Agencies need to assure themselves that their data is not mixed with the data of other customers of the same service and, through that mixing, made available to or put at risk of damage by unauthorised third parties. Independent audit and certification commissioned by the provider may provide that assurance.

Question 41: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Control of information  Audit                       No                Yes

42 — Will the service provider permit customers to undertake security testing (including penetration tests) to assess the efficacy of the access controls used to enforce separation of customers’ data?

If the provider does not provide access to independent audit reports and certifications, then the agency should ensure that the provider will permit customers to undertake their own security testing (including penetration tests). This should assess the efficacy of the access controls used to enforce separation of customers’ data.

Agencies may choose to assure themselves that access controls which separate their data from that of other customers are adequate. Even where an agency does not choose to at this point it may wish to retain the ability to do so at some future point. Where more than one public sector agency has data held in the same service it may be financially prudent for them to work together so that a single assurance activity is undertaken which meets all their needs.

Question 42: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Governance              Audit                       No                Yes

43 — Does the service provider perform regular tests of its security processes and controls, including penetration testing?

Regular testing provides assurance that security controls and processes are operating effectively.

Question 43: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Assurance                   No                Yes

44 — Does the provider supply customers with a copy of security testing reports?

Reviewing security testing reports provides the agency with an understanding of what has been tested and where risks may exist that require management.

Question 44: Risk, control and who answers the question

Risk type               Control category            Agency question?  Provider question?
Unauthorised access     Audit                       No                Yes

45 — Is the service provider responsible for patching all components that make up the cloud service?

A service provider may rely on a contracted third party for patching of some components on which the agency’s service is dependent. The provider needs to provide the agency with this information so that the agency can assess whether that results in any additional risk or exposure.

Question 45: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Provider operations | No | Yes

46 — Do the service provider’s terms of service or SLA include service levels for patch and vulnerability management that include a defined maximum exposure window?

Agencies need to be confident that vulnerabilities exposing their service or data to risk will be resolved promptly. This should include clear service expectations outlining how quickly a vulnerability will be addressed from first identification and how quickly a patch will be applied from first availability.

Question 46: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Contract | No | Yes

47 — Does the service provider allow its customers to perform regular vulnerability assessments?

Agencies may choose to assure themselves of the security of the system delivering their service and holding their information by performing vulnerability assessments. Agencies may also choose to rely on vulnerability assessments undertaken by trusted third parties or work with other public service agencies to undertake assurance that meets all their needs.

Question 47: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Audit | No | Yes

48 — Do the terms of service or SLA include a compensation clause for breaches caused by vulnerabilities in the service?

Breaches can result in significant costs to agencies. It’s financially prudent for agencies to ensure that costs caused by the provider are borne by the provider.

Question 48: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Contract | No | Yes

49 — Does the cloud service enable the agency’s service to be delivered using only approved encryption protocols and algorithms (as defined in the NZISM)?

The NZISM defines a list of encryption approaches which are adequate for NZ Public Service services. The provider should, either by default or through configuration, allow the agency’s service to be delivered using approved approaches.

Question 49: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Disclosure | Cryptographic | Yes | Yes

50 — Is it clear which party is responsible for managing the cryptographic keys?

Responsibility for managing the cryptographic keys should be clearly defined and documented.

When relying on encryption of data in the cloud service, the cryptographic keys used for the encryption are a critical asset. If cryptographic keys are lost or corrupted, all the data encrypted with those keys may be unrecoverable. It’s imperative that all parties understand their roles and responsibilities for management of those keys to prevent this from occurring.

Question 50: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Disclosure | Cryptographic | Yes | Yes

51 — Does the party responsible for managing the cryptographic keys have a key management plan that meets the requirements defined in the NZISM?

The party responsible for managing the cryptographic keys should have a key management plan that meets the requirements defined in the NZISM.

Cryptographic keys are a critical asset and must be treated as such. It’s essential to have a formal key management plan that is well understood by all parties.

Question 51: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Disclosure | Cryptographic | Yes | Yes

52 — Do the service provider and its subcontractors undertake appropriate pre-employment vetting for all staff that have access to customer data?

The service provider and its subcontractors should undertake appropriate pre-employment vetting for all staff that have access to customer data. Vetting should be repeated at regular intervals.

Many agencies require vetting for their own staff or contractors who have access to their information. Providers should be expected to have a process which is no less rigorous.

Question 52: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Provider operations | No | Yes

53 — Does the service provide logging that allows the agency to monitor user activity in the service?

Activity logging gives the agency visibility into what users are doing with the service. This is important for identifying and investigating unusual or suspicious activity, such as fraud or data breach.

Question 53: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Unauthorised access | Monitoring and logging | No | Yes

54 — Does the service provider implement controls that ensure that audit logs are protected against unauthorised modification and deletion?

The service provider should implement controls that ensure audit logs are protected against unauthorised modification and deletion.

Audit logs are relied on for detection, investigation and prosecution of fraud and other inappropriate activity. It’s important that audit logs are protected so that they can be trusted to contain an accurate and complete record.

Question 54: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Provider operations | No | Yes
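To make concrete what "protected against unauthorised modification and deletion" can mean in practice, here is an added illustration that is not part of this guidance and not any provider's product: a tamper-evident audit log built as an HMAC hash chain, with a verifier that detects a modified entry, an entry deleted from the middle of the log, and a truncated tail. The sample events, the key and all function names are constructed for the example; that the agency keeps the latest tag (the "head") and the key outside the provider's log store is an assumption, and it is what makes the check worth anything.

```python
import hashlib
import hmac
import json

# Constructed sample audit events; they are not drawn from any real service.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "object": "-"},
    {"ts": "2024-05-01T09:05:12Z", "user": "alice", "action": "read", "object": "record/17"},
    {"ts": "2024-05-01T09:07:45Z", "user": "bob", "action": "delete", "object": "record/17"},
    {"ts": "2024-05-01T09:08:01Z", "user": "bob", "action": "logout", "object": "-"},
]

GENESIS = "0" * 64  # the "previous tag" of the very first entry


def _canonical(event):
    """Serialise an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, seq, prev, event):
    """HMAC-SHA256 over the sequence number, the previous tag and the event itself."""
    msg = f"{seq}:{prev}:".encode() + _canonical(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events, key):
    """Append events to a hash chain. Each entry's tag covers the previous tag,
    so altering, dropping or re-ordering any earlier entry breaks what follows."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = _tag(key, seq, prev, event)
        chain.append({"seq": seq, "prev": prev, "event": event, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain, key, head):
    """Check a chain as received back from the log store.

    `head` is the most recent tag, kept by the verifier outside the log store
    (assumption: the agency records it as entries arrive). Returns (ok, problems);
    problems name modified entries, breaks left by deleted or re-ordered entries,
    and a head mismatch when the tail of the log has been truncated or replaced."""
    problems, prev = [], GENESIS
    for position, entry in enumerate(chain):
        if entry["seq"] != position:
            problems.append(f"sequence gap at position {position} (found seq {entry['seq']})")
        if entry["prev"] != prev:
            problems.append(f"chain break before seq {entry['seq']}")
        expected = _tag(key, entry["seq"], entry["prev"], entry["event"])
        if not hmac.compare_digest(expected, entry["tag"]):
            problems.append(f"entry seq {entry['seq']} modified")
        prev = entry["tag"]
    if not chain or chain[-1]["tag"] != head:
        problems.append("head mismatch: log has been truncated or replaced")
    return (not problems, problems)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # held by the verifier, not by the log store
    chain = build_chain(SAMPLE_EVENTS, key)
    head = chain[-1]["tag"]
    print("intact:", verify_chain(chain, key, head))
    deleted = chain[:2] + chain[3:]  # bob's delete record removed from the middle
    print("after deletion:", verify_chain(deleted, key, head))
    print("after truncation:", verify_chain(chain[:3], key, head))
```

The two things a reviewer should look for in a provider's equivalent are the same two the example relies on: something that binds each record to its predecessor (so a gap is visible), and an anchor held somewhere the log writer cannot reach (so silently dropping the newest records is visible too). Append-only storage with retention locks achieves the same goal by a different route.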

55 — Does the agency have a log aggregation and Security Information and Event Management (SIEM) service that logs and monitors access and actions taken by users of the service, and identifies and alerts on unusual or inappropriate activity?

The agency should have a log aggregation and SIEM service that logs and monitors access and actions taken by users of the service, and identifies and alerts on unusual or inappropriate activity. This service can be cloud-based or outsourced as best suits the agency.

If the agency uses more than one cloud service, it can become difficult to monitor and retain records of activity in those services. This can be addressed by having a log aggregation service that collects logs from all the agency’s services and allows a single point for monitoring, investigating and retaining those logs. A SIEM additionally provides the ability to automatically identify potential security incidents, and assist with investigating incidents.

Question 55: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Unauthorised access | Monitoring and logging | Yes | No
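As an added example that is not part of this guidance: the aggregation step described above, applied to constructed log lines from two hypothetical services ("service-a" writes key=value lines, "service-b" writes JSON; neither is a real vendor's format), followed by one detection rule that only works on the combined stream. The rule flags a user who is active from two different source addresses within a few minutes, once in each service, which neither service's own logs could show on their own. Field names, the window length and the sample addresses are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines from two hypothetical cloud services. Neither format
# belongs to a real vendor; the addresses are documentation ranges.
SERVICE_A_LINES = [
    "time=2024-05-01T09:00:00Z user=alice action=login src=203.0.113.10 result=success",
    "time=2024-05-01T09:01:30Z user=alice action=download src=203.0.113.10 result=success",
    "time=2024-05-01T09:02:00Z user=alice action=download src=203.0.113.10 result=success",
]
SERVICE_B_LINES = [
    '{"ts": "2024-05-01T09:01:10Z", "actor": "alice", "op": "ListObjects", "ip": "198.51.100.7", "status": 200}',
    '{"ts": "2024-05-01T09:01:40Z", "actor": "alice", "op": "GetObject", "ip": "198.51.100.7", "status": 200}',
    '{"ts": "2024-05-01T09:03:00Z", "actor": "bob", "op": "GetObject", "ip": "198.51.100.9", "status": 403}',
]

_KV = re.compile(r"(\w+)=(\S+)")


def _parse_ts(value):
    """Both services write UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_service_a(line):
    """Normalise one key=value line into the common event shape."""
    fields = dict(_KV.findall(line))
    return {"ts": _parse_ts(fields["time"]), "service": "service-a", "user": fields["user"],
            "action": fields["action"], "src": fields["src"],
            "outcome": "success" if fields["result"] == "success" else "failure"}


def parse_service_b(line):
    """Normalise one JSON line into the common event shape."""
    rec = json.loads(line)
    return {"ts": _parse_ts(rec["ts"]), "service": "service-b", "user": rec["actor"],
            "action": rec["op"], "src": rec["ip"],
            "outcome": "success" if rec["status"] < 400 else "failure"}


def aggregate(lines_a, lines_b):
    """Merge both services' logs into one time-ordered stream of normalised events."""
    events = [parse_service_a(l) for l in lines_a] + [parse_service_b(l) for l in lines_b]
    return sorted(events, key=lambda e: e["ts"])


def detect_concurrent_sources(events, window=timedelta(minutes=5)):
    """Alert when one user is active from more than one source address within
    `window`, regardless of which service recorded each action. A per-service
    view cannot see this; the aggregated stream can."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["src"] for e in in_window}
            if len(sources) > 1:
                alerts.append({"user": user, "window_start": first["ts"], "sources": sources,
                               "services": sorted({e["service"] for e in in_window})})
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    stream = aggregate(SERVICE_A_LINES, SERVICE_B_LINES)
    for event in stream:
        print(event["ts"].isoformat(), event["service"], event["user"], event["action"], event["src"], event["outcome"])
    for alert in detect_concurrent_sources(stream):
        print("ALERT", alert)
```

The normalisation step is where most of the effort goes in a real deployment: until user, source and outcome mean the same thing across every feed, rules like the one above produce either noise or silence. The same normalised stream is also what lets the agency meet a single retention requirement for all its cloud services rather than one per provider.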

56 — Does the service provider have a SIEM service that logs and monitors activity within their environment and alerts on unusual or inappropriate activity?

The service provider should have a SIEM service that logs and monitors activity within their environment and alerts on unusual or inappropriate activity.

A SIEM provides the ability to automatically identify potential security incidents, and assist with investigating incidents.

Question 56: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Unauthorised access | Monitoring and logging | No | Yes

57 — Do the terms of service or SLA require the service provider to report unauthorised access to customer data by its employees?

Contract terms should require the service provider to report all identified unauthorised access to customer data.

Agencies have obligations for data in their control. These may include requirements to act or notify when information is accessed by an unauthorised party. These obligations may arise through different mechanisms including legislation (for example, the Privacy Act) or contract.

Question 57: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Contract | No | Yes

58 — In the case of unauthorised access to customer data, is the service provider required to provide details about the incident to affected customers to enable them to assess and manage the associated impact?

When unauthorised access is identified, the service provider should provide details about the incident to affected customers to enable them to assess and manage the associated impact.

Agencies have obligations for data in their control. These may include requirements to act or notify when information is accessed by an unauthorised party. These obligations may arise through different mechanisms including legislation (for example, the Privacy Act) or contract.

Question 58: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Contract | No | Yes

59 — Does the service provider have an auditable process for the secure sanitisation of storage media before it’s made available to another customer?

The service provider should have an auditable process for the secure sanitisation of storage media before it’s made available to another customer.

For services or information of particularly high classification or sensitivity, agencies may require that storage media be sanitised when it is repurposed from holding that information. Where this is a requirement, the agency will need to be able to assure itself that sanitisation is occurring.

Question 59: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Data retention | Information management | No | Yes

60 — Does the service provider have an auditable process for secure disposal or destruction of information and communications technology (ICT) equipment and storage media (for example, hard disk drives, backup tapes, etcetera) that contain customer data?

If storage media cannot be sanitised the service provider must have an auditable process for secure disposal or destruction of ICT equipment and storage media (for example, hard disk drives, backup tapes, etcetera) that contain customer data.

For services or information of particularly high classification or sensitivity, agencies may require that when ICT equipment or storage media that has held that information is removed from use, it’s securely disposed of or destroyed. Where this is a requirement, the agency will need to be able to assure itself that sanitisation is occurring.

Question 60: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Data retention | Information management | No | Yes

61 — Will the service provider allow the agency to review a recent third party audit report (for example, ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of their physical security controls?

Agencies can reasonably expect that when they choose to rely on independent third party assurance activities, they will be provided with sufficient information to understand the full scope and findings of those activities.

Question 61: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Unauthorised access | Audit | No | Yes

62 — If it’s practical to do so (that is, the data centre is within New Zealand), can the service provider’s physical security controls be directly reviewed or assessed by the agency?

Agencies may choose to assure themselves that the physical security controls on access to data centres are adequate. Even if an agency does not want to do this now, it may want to retain the ability to get that assurance in the future.

Where more than one public sector agency has data held in the same data centre, it may be financially prudent for them to work together so that a single assurance activity is undertaken which meets all their needs.

Question 62: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Unauthorised access | Audit | No | Yes

63 — Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption?

In some cases the agency should consider having the service provider provide a data backup or archiving service.

While providers may have many mechanisms in place to reduce the likelihood of data loss or corruption, a separate backup provides another level of mitigation. If the agency does not maintain a separate backup or archive, or if restoring data from a separate backup would take too long to meet the agency’s needs, the agency should consider procuring a backup or archival service from the provider.

Question 63: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Information management | No | Yes

64 — If a backup or archiving service is not included as part of their standard service offering, is it available as an additional service offering to protect against data loss and corruption?

This service can be expected to incur an additional cost so agencies may choose to weigh up whether other mechanisms are sufficient for the particular needs of the service and its data.

Question 64: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Information management | No | Yes

65 — Is it clear how data backup and archiving services are provided?

The agency should assess whether provided data backup and archiving services meet its needs.

If the agency chooses to purchase backup and archiving services the provider should be clear how those services are provided so that the agency can assure itself that its needs are met and that the method introduces no additional risks (for example, another third party holding a copy of personally identifiable information).

Question 65: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Information management | No | Yes

66 — Does the SLA specify the data backup schedule?

Where backups are performed by the provider the agency should agree an acceptable backup schedule with the provider.

If the agency chooses to purchase backup and archiving services the provider should be clear about the schedule of backups so that the agency can assure itself that its needs are met.

Question 66: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Contract | No | Yes

67 — Are the backups (whether performed by the service provider or the agency) encrypted using an NZISM approved encryption algorithm and appropriate key length?

Backups (whether performed by the service provider or the agency) should be encrypted using an NZISM approved encryption algorithm and appropriate key length.

Encryption of backups prevents them from inadvertently or deliberately exposing sensitive information.

Question 67: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Disclosure | Cryptographic | Yes | Yes

68 — Is the level of granularity offered by the service provider for data restoration adequate?

The agency should consider whether it might need to recover parts of a backup or whether a complete restoration of the full backup is sufficient.

Under some circumstances an agency may wish to recover a small amount of data or a single item — a deleted client record, a document which has been overwritten. If this is a necessary use case the agency should confirm that the ability is supported by the cloud service.

Question 68: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Information management | Yes | Yes

69 — Is the service provider’s process for initiating a restore clear?

The process for initiating a data restore should be clear and understood by all parties.

If the agency chooses to purchase backup and archiving services the provider should be clear about how the agency can initiate a restore of data. While some methods may be self service and generate no additional cost, no outage, and no risk to services, others may result in the provider undertaking chargeable work and require a service outage. The agency should ensure that the process meets its needs and is adequately controlled.

Question 69: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Information management | No | Yes

70 — Does the service provider regularly perform test restores to ensure that data can be recovered from backup media?

The service provider should regularly perform test restores to ensure that data can be recovered from backup media.

By regularly performing test restores the provider can provide assurance that the backup and restore process is effective.

Question 70: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Audit | No | Yes

71 — Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?

Contract terms or schedules should include an expected and minimum availability performance percentage over a clearly defined period.

Availability may be affected by multiple factors, such as technical issues, faulty vendor hardware or software, facility issues (power loss) and deliberate attacks.

Question 71: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Contract | No | Yes

72 — Does the SLA include defined, scheduled outage windows?

Contract terms or schedules should include defined, scheduled outage windows.

Many agencies will prefer that they can notify their own staff and customers of a regularly scheduled outage window.

Question 72: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Contract | No | Yes

73 — Has the service provider implemented technologies that enable them to perform maintenance activities without the need for an outage?

If the service provider has implemented technologies that enable them to perform maintenance activities without the need for an outage, a defined, scheduled outage window may not be necessary.

Some agency services require high availability and allowing for outages to enable the provider to perform maintenance may reduce the effectiveness and usefulness to the agency or its customers. Providers can implement solutions which decrease or eliminate these outages. This additional feature may be reflected in the price of the service, so for other agency services this may not be a driver.

Question 73: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Provider operations | No | Yes

74 — Does the SLA include a compensation clause for a breach of the guaranteed availability percentages?

The agency should ensure the SLA includes a compensation clause for a breach of the guaranteed availability percentages.

Failure to provide adequate availability of a service can result in significant costs to agencies. It’s financially prudent for agencies to ensure that costs caused by the provider are borne by the provider.

Question 74: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Contract | No | Yes

75 — Does the service provider utilise protocols and technologies that can protect against Distributed Denial of Service (DDoS) attacks?

The service provider should utilise protocols and technologies that can protect against DDoS attacks.

Denial of service attacks are increasingly common and can affect the performance and availability of the service. The provider may have options for preventing or limiting the impact of these attacks.

Question 75: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Service continuity | Architectural | No | Yes

76 — Can the agency specify or configure resource usage limits to protect against bill shock?

The agency should be able to specify or configure resource usage limits.

If the service is billed according to resource usage then unexpected levels of use or malicious activity can escalate the cost of the service. Setting usage limits allows the agency to control the maximum acceptable cost.

Question 76: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Uncontrolled cost | Configuration | No | Yes

77 — Does the service provider have business continuity plans (BCPs) and disaster recovery plans (DCPs)?

The service provider should have business continuity and disaster recovery plans.

The existence of appropriate business continuity and disaster recovery plans can provide some level of confidence that the provider is ready to respond to an incident. A provider without a plan is less likely to respond adequately. That said, the presence of a plan does not guarantee that the provider will execute the plan in a timely or effective manner.

Question 77: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | BCP and DCP | No | Yes

78 — Does the service provider permit the agency to review its business continuity and disaster recovery plans?

The agency should consider reviewing the provider’s business continuity and disaster recovery plans.

Agencies need to be confident that the provider’s business continuity and disaster recovery plans are adequate for the agency’s needs and for its service and information. The plans need to align with the agency’s priorities, allow it to meet its obligations (including notification and communication with internal and external stakeholders) and allow the agency to be involved in decision-making when the decisions would be critical to the agency.

Question 78: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Audit | No | Yes

79 — Do the service provider’s plans cover the recovery of the agency data or only the restoration of the service?

The service provider’s incident recovery plans will ideally cover the recovery of the agency data. In many cases the plans will only cover restoration of the service.

Agencies need to be clear whether the provider will recover both the service and the agency’s data, or recover only the service and expect the agency to have itself kept a separate backup copy which can be copied into the provider’s system.

Question 79: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | BCP and DCP | No | Yes

80 — If the service provider’s plans cover the restoration of agency data, does the prioritisation of agency data compared to other customers meet the agency’s expectations?

If the service provider’s plans cover the restoration of agency data, contract terms should define how the agency’s data is prioritised in relation to other customers using the service.

After an incident affecting multiple customers of the cloud service, the priority given to the agency’s data compared to the data of other customers will affect how quickly the service can be restored.

Question 80: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | BCP and DCP | Yes | No

81 — Does the service provider formally test its business continuity and disaster recovery plans on a regular basis?

The service provider should formally test its business continuity and disaster recovery plans on a regular basis.

By testing and refining its business continuity and disaster recovery plans the provider can increase the likelihood that in an incident its response will be timely and effective.

Question 81: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | BCP and DCP | No | Yes

82 — Does the provider supply customers with a copy of the reports associated with the testing of business continuity and disaster recovery plans?

The agency may choose to require that the provider supply a copy of the reports associated with the testing of business continuity and disaster recovery plans.

Agencies may wish to assure themselves by understanding the findings and recommendations of business continuity and disaster recovery plan tests. If they choose to request this they should also request subsequent reports tracking the implementation of recommendations.

Question 82: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Audit | No | Yes

83 — Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents?

The service provider should have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents.

The existence of an appropriate incident response and management process can provide some level of confidence that the provider is ready to respond to an incident. A provider without a plan is less likely to respond adequately. That said, the presence of a plan does not guarantee that the provider will execute the plan in a timely or effective manner.

Question 83: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Incident management | No | Yes

84 — Is the agency able to review the provider’s incident management and response processes and plans to enable it to determine if they are sufficient?

For more critical services the agency may wish to review the provider’s incident management and response processes and plans to enable it to determine if they will meet availability expectations.

Agencies need to be confident that the provider’s incident management and response plans are adequate for the agency’s needs and for its service and information. The plans need to align with the agency’s priorities, allow it to meet its obligations (including notification and communication with internal and external stakeholders) and allow the agency to be involved in decision-making when the decisions would be critical to the agency.

Question 84: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Governance | Audit | No | Yes

85 — Does the service provider test and refine its incident response and management process and plans on a regular basis?

The service provider should test and refine its incident response and management process and plans on a regular basis.

By testing and refining its incident management and response plans the provider can increase the likelihood that in an incident its response will be timely and effective.

Question 85: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Provider operations | No | Yes

86 — Does the service provider engage its customers when testing its incident response and management processes and plans?

The agency may wish to be engaged by the provider when testing its incident response and management processes and plans.

Agencies may wish to be involved in the testing of incident response and management plans where their service or information is highly critical, or where they have concerns that the plan may not meet their specific needs.

Question 86: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Incident management | No | Yes

87 — Does the service provider provide its staff with appropriate training on incident response and management processes and plans?

The service provider should provide its staff with appropriate training on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner.

By training its staff on incident management and response plans the provider can increase the likelihood that in an incident its response will be timely and effective.

Question 87: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Incident management | No | Yes

88 — Does the service provider’s terms of service or SLA clearly define the support they will provide to the agency should an information security incident arise?

Contract terms should clearly define the support the agency will receive should an information security incident arise.

The agency’s ability to recover the service after an incident may benefit from support from the service provider. This could increase the cost of the service so the agency should consider its own incident recovery capability.

Question 88: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Contract | No | Yes

89 — Does the contract require the provider to notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported?

The contract must require the provider to notify customers when an incident that may affect the security of their information or systems is detected or reported.

Agencies have obligations for data in their control. These may include requirements to act or notify when an incident affecting the security of their information occurs. These obligations may arise through different mechanisms including legislation (for example, the Privacy Act) or contract.

Question 89: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Contract | No | Yes

90 — Does the contract specify a point of contact and channel for customers to report suspected information security incidents?

The contract must specify a point of contact and channel for customers to report suspected information security incidents.

Agencies and affected parties must be able to contact the provider if they become concerned about a potential or actual security incident.

Question 90: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Contract | No | Yes

91 — Does the contract define the roles and responsibilities of each party during an information security incident?

The contract should define the roles and responsibilities of each party during an information security incident.

Clarity of roles and responsibilities serves two purposes. First, it improves the likelihood that the incident will be handled appropriately and effectively. Secondly, it allows the agency to be confident that it’ll be able to discharge its own obligations and expectations.

The defined roles and responsibilities should cover the full breadth of incident response, for example:

  • who will brief the media or respond to media inquiries
  • who will brief the Minister
  • where an incident impacts more than one public service agency, the agencies should be able to work together to discharge their individual and collective obligations.

Question 91: Risk, control and who answers the question

Risk type | Control category | Agency question? | Provider question?
Incident recovery | Contract | No | Yes

92 — Does the contract require that the provider provide customers with access to evidence (for example, time-stamped audit logs and/or forensic snapshots of virtual machines, etcetera) to enable them to perform their own investigation of the incident?

The contract should require the provider to give customers access to evidence (for example, time-stamped audit logs and/or forensic snapshots of virtual machines) to enable them to perform their own investigation of the incident.

Agencies may be required to, or may choose to, perform their own investigation. To do so they will need access to information held by the provider or by the provider's own third-party suppliers. Where an incident impacts more than one public service agency, the agencies may work together to undertake a single investigation.

Question 92: Risk, control and who answers the question

Risk type: Incident recovery
Control category: Contract
Agency question? No
Provider question? Yes

93 — Does the provider share post-incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the cloud service?

The provider should share post-incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the cloud service.

Agencies should be able to access post-incident reports to inform their own decision-making or to inform regulators or other third parties. Where an incident affected more than one customer and a single post-incident report was prepared, the agency can expect to receive a copy that has been redacted to remove details of other customers' use or impacts.

Question 93: Risk, control and who answers the question

Risk type: Governance
Control category: Contract
Agency question? No
Provider question? Yes

94 — Does the contract and accompanying documentation provide sufficient information to enable the agency to cooperate effectively with an investigation by a regulatory body, such as the Privacy Commissioner or the Payment Card Industry Security Standards Council (PCI SSC)?

Agencies may be required to, or may choose to, enable a regulator or other third party to undertake an investigation. To do so they will need access to information held by the provider or by the provider's own third-party suppliers. Where an incident impacts more than one public service agency, a single regulator or other third-party investigation may be undertaken.

Question 94: Risk, control and who answers the question

Risk type: Compliance
Control category: Contract
Agency question? No
Provider question? Yes

95 — Does the contract specify limits and provisions for insurance, liability and indemnity for information security incidents?

The agency should consider whether the contract should specify limits and provisions for insurance, liability and indemnity for information security incidents.

Security incidents can result in significant costs to agencies. It is financially prudent for agencies to ensure that costs arising from incidents caused by the provider are borne by the provider or the provider's insurer. The agency should carefully review liability and indemnity clauses for exclusions and caps that would shift those costs back onto the agency.

Question 95: Risk, control and who answers the question

Risk type: Uncontrolled cost
Control category: Contract
Agency question? No
Provider question? Yes

More information

Guidance — risk discovery tool for public cloud
