Prioritise the most important services
Put shadow cloud services in an order of importance for risk assessments.
Factors in your risk assessment process
You need to know the factors for sorting out the importance of each shadow cloud service. For your organisation’s preferred factors, check its:
- cloud plan
- approved process for assessing risks
- existing public cloud services that have been approved for use
- feedback from people in your organisation about whether the existing public cloud services meet their needs or not.
These may not mention shadow cloud services directly, but they must list factors to consider when using public cloud services.
Why you need factors to help with sorting
You will not know the risk to your information in shadow cloud services yet. Finding and thinking about the following factors helps you to get a sense of:
- how important each shadow cloud service is
- the order in which you need to assess them for their risks.
Examples of factors to help with sorting
For each shadow cloud service, find and think about the:
- business needs — how much these needs and their processes rely on the service
- information value — how important it is to the NZ government and New Zealanders
- number of users — how important the service is to your people
- data usage — the demand on your network, though this is rarely an issue with shadow cloud services
- costs — if it’s expensive, this might factor into your decision-making in the step where you sort shadow cloud services using your reference taxonomy for application and software services.
Define the resources you need to manage shadow cloud
At this point, you should have an idea of the work involved. Now is a good time to plan and commit the resources you’ll need to manage shadow cloud properly.
Next step — assess the risks of information in shadow cloud services
Once you have your order, assess the risks to shadow cloud services. Start with those that are the highest priorities.