Business and technical contexts of the information
Questions 1 and 2 — identify the business owner of the information to work out the business context and find the stakeholders for the information’s technical context.
Questions 1 and 2 — business context
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Who is the business owner of the information?
- What are the business processes that are supported by the information?
|Entity||Questions to answer|
|Government organisation||1, 2|
Context and help for questions 1 and 2
The following guidance helps you to:
- answer the questions about the information’s business context
- understand the information’s technical context — consulting the technical owner, subject matter experts or development and operations (DevOps) team helps you to answer the other questions in the risk assessment tool.
Before checking the value of the information, it’s important to know the business context of the information.
The Government Chief Digital Officer’s guidance on risk assessments shows the most common areas of concern for information when using public cloud services.
You might have other risks in your context or choice of public cloud service that you need to consider.
Check for approved public cloud services
See if your organisation or Marketplace has already approved your public cloud service, or its equivalent, for use. You’ll still need to do a risk assessment for it to account for factors that are unique to your:
- business context.
Check for certification documents you can use
For NZ government agreements and contracts, you can use certification documents to help with your risk assessment. To get these, contact the security team at the Department of Internal Affairs at email@example.com.
Help from professional services for risk assessments
Your organisation might not have the expertise for carrying out its own risk assessment. The business and technical owners can decide to get an industry expert listed on Marketplace to do the risk assessment for them.
Risk assessments are a professional service in information security. Contact an industry expert if you need their services.
Next step — technical owner and context
The business owner should check with the technical owner of the information.
They will know the answers to many of the questions in the risk assessment tool — or may know who can answer them in your organisation.