Ownership of the information’s risks

Responsibilities for managing security in public cloud services are different for government organisations and service providers. However, government organisations are answerable for any impacts of security controls failing, regardless of the type of service model.

Who can accept or invest in reducing risks

Within your organisation, there should be a risk owner for the information. This is someone, or a person who can act on their behalf, who is responsible for accepting risk or investing in ways to lessen the risks. Risk owners often match your organisation’s way of categorising risk importance, sorted into zones.

Evaluate the risks: Who can accept risks in each zone

How to manage security ownership

Since government organisations own the risks of the information they’re using in a public cloud service, always:

• find out which level of assurance they need for the information they’re looking to use in a public cloud service
• assess the risks of using the public cloud service
• set up proper security configurations — consult the information system’s technical experts
• monitor and review the risks to information.

Set up proper security configurations

Configurations that government organisations need to properly set can cover areas that are otherwise described as being service providers’ responsibilities. You’ll need someone with technical expertise to set these up or make sure they’re already in place.

Consult the information’s technical experts

Depending on the roles in your organisation, people who can help to properly set security configurations are either:

• technical owners
• subject matter experts
• development and operations (DevOps) teams.

Consult them when you:

• assess the risks of using a public cloud service
• start to use a public cloud service that you’ve decided to adopt for your information
• monitor and review the risks — checking if risks have changed or security controls need to be updated.

Technical context of an information system