Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It's easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Catalogue approved services

Set up or update your organisation’s catalogue of approved public cloud services.

Options for setting up a catalogue

Once approved, you can either:

use a catalogue solution through Marketplace — Software as a Service
set up a catalogue specifically for public cloud services
add public cloud services to your organisation’s existing catalogues for application and software services.

Teams to help with setting up the catalogue

Your organisation’s information security and technology teams should already be involved — having done risk assessments for public cloud services.

For setting up the catalogue of approved public cloud services, make sure you work with your organisation’s teams for:

procurement
accounting
policy.

How to handle the costs of public cloud services

You may need to set up billing and payment models for public cloud services being used in your organisation.

Decide which services:

your people can buy individually — for example, using a purchase card from their business unit
are better managed using formal commercial arrangements.

Cost and volume pricing are likely factors in this decision.

Make your catalogue easy for people to use

A well-chosen set of approved services that are easy to find and use helps you to manage shadow cloud. Tell people in your organisation:

where to find the catalogue
why it’s important — for example, needing to respectfully use information for NZ government and New Zealanders
how it will help them do their work
who they can ask for help — support for risk assessments
ways they can help to keep it up to date with new public cloud services.

An easy-to-use catalogue shows that you respect people’s time, mahi and mana. If using or updating it is too difficult, your people might get around your processes altogether — shadow cloud.

Give people information about each service

For each public cloud service in your organisation’s catalogue, show its:

current approval status
approved uses — which business needs, processes and information classification levels it has been approved for using
cost — including a margin, if any
known risks — including what the service should not be used for
recommended security controls that people need to use.

List information classification ranges

Risk assessments are for information and public cloud services together — they form an information system.

List the information classifications that are appropriate to use in each public cloud service. This helps your people to make strong decisions about which services they use with their information.

Properly classifying information should already be actively done in the day-to-day life of your organisation.

Classify information

Show levels of assurance

When appropriate to your organisation’s context, show which public cloud services are:

low in assurance
high in assurance.

Giving this information to your people helps them make strong decisions about which services they use with their information.

You find each service’s level of assurance when you assess its risks.

Assess the risks of information in shadow cloud services

Low-assurance services

It might be best if low-assurance services are only used for UNCLASSIFIED information.

Example of information for services with low assurance

Common examples of this situation are services used for:

team collaboration
developing policies.

Meet the requirements of NZ legislation

Even in low-assurance services, government organisations must keep public records and meet requirements in the:

High-assurance services

It might be best if high-assurance services are only used for information that is either:

IN-CONFIDENCE
SENSITIVE
RESTRICTED.

Example of information for services with high assurance

Common examples of this situation are services used for:

critical or complex business needs and their processes
personal information — such as health information
official information that has national security or possible economic impacts.

Keep your catalogue up to date

This is crucial for success in:

managing shadow cloud — it’s not a static, one-off event
digitally transforming NZ government to better serve New Zealanders.

Strategy for a Digital Public Service

How to update your catalogue

You can update your catalogue by:

actively managing shadow cloud
making the process for assessing risks as quick as possible for people in your organisation — let people know how to start a risk assessment.

Match your effort to the information’s value and risks

The Government Chief Digital Officer (GCDO) has guidance to help you keep your effort in proportion to your information’s value and risks.

Tips for right-sizing your risk assessment

Next step — actively manage shadow cloud in your organisation

Make managing shadow cloud an opportunity to:

keep your catalogue up to date — taking advantage of the benefits of public cloud services
avoid the problems of extreme approaches to shadow cloud.

Actively manage shadow cloud in your organisation

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It's easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you're unable to turn on JavaScript — email your feedback to govt.nz@dia.govt.nz .

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 10 October 2022