Security ownership in all service models
Government organisations always own the risks of their information in a service model — assess the risks before using one and set up proper security configurations.
Ownership of the information’s risks
Responsibilities for managing security in public cloud services are different for government organisations and service providers. However, government organisations are answerable for any impacts of security controls failing, regardless of the type of service model.
Who can accept or invest in reducing risks
Within your organisation, there should be a risk owner for the information. This is someone, or a person who can act on their behalf, who is responsible for accepting risk or investing in ways to lessen the risks. Risk owners often match your organisation’s way of categorising risk importance, sorted into zones.
How to manage security ownership
Since government organisations own the risks of the information they’re using in a public cloud service, always:
- find out which level of assurance they need for the information they’re looking to use in a public cloud service
- assess the risks of using the public cloud service
- set up proper security configurations — consult the information system’s technical experts
- monitor and review the risks to information.
Set up proper security configurations
Configurations that government organisations need to properly set can cover areas that are otherwise described as being service providers’ responsibilities. You’ll need someone with technical expertise to set these up or make sure they’re already in place.
Consult the information’s technical experts
Depending on the roles in your organisation, people who can help to properly set security configurations are either:
- technical owners
- subject matter experts
- development and operations (DevOps) teams.
Consult them when you:
- assess the risks of using a public cloud service
- start to use a public cloud service that you’ve decided to adopt for your information
- monitor and review the risks — checking if risks have changed or security controls need to be updated.