Assess the risks of information in shadow cloud services

Assess the risks so you can decide whether to bring the shadow cloud service into your organisation’s catalogue of approved public cloud services.

How to do a risk assessment

Check your organisation’s process for doing risk assessments. The Government Chief Digital Officer (GCDO) has guidance for how to consistently assess the risks of information systems.

Create or improve your organisation’s process for assessing risks

Use the tool for public cloud services to help with your risk assessment

Use the GCDO’s risk discovery tool for public cloud services to help you:

  • discover and record information needed to do a risk assessment
  • keep your time and effort in proportion to the information’s risk.

Risk discovery tool for public cloud services

Risk discovery — security controls

When discovering the risks of using a public cloud service, you might find that it’s not possible to directly assess the service provider’s security controls. Instead, you’re relying on third-party audits.

The New Zealand Information Security Manual (NZISM) has guidance on using independent assurance schemes.

Independent assurance reports — NZISM

Service provider outsourcing to other providers

The service provider might also outsource parts of its service to other service providers. Make sure you also consider third-party suppliers in your risk assessment.

Guidance — risk discovery tool: Governance of the information

Assess the risks of using a public cloud service

It’s important to get to the final step of putting each risk assessment to immediate and ongoing use. If you stop short of the final step, your organisation’s use of a public cloud service will in practice remain shadow cloud.

Assess the risks of using a public cloud service

Risk assessment sign-offs are not complete certification and accreditation processes

See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.

System certification and accreditation — NZISM

Exceptions to certification and accreditation

For public cloud services that are not tightly integrated with other information and communications technology (ICT) systems in your organisation, certifications and accreditation may not be:

  • useful
  • affordable
  • possible.

Find out which services can or cannot be made compatible with your ICT network. This is part of managing shadow cloud services.

Fit approved services compatible with your network

Next step — make decisions based on your priorities and risk assessments

See if it makes sense for your organisation to stop using, replace or keep a shadow cloud service — keeping it means adding it to your approved public cloud services.

Make decisions based on your priorities and risk assessments
