Questions 3 to 9 — information classification
Classify the information accurately so that you can properly assess its value and the risks of placing it in a public cloud service.
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version of the risk assessment tool for public cloud services
- your organisation’s own document for recording risk assessments.
Questions to answer
3. What is the security classification of the information, based on the NZ government guidelines for protection of official information?
4. Are there any specific concerns about the confidentiality of the information that will be stored or processed by the public cloud service?
5. Does the information include any personal information?
6. Who are the users of the information?
7. What permissions to the information do the users need?
   - For example, do they require permission to read, write, modify or delete the information, or a combination of these?
8. What legislation applies to the information? For example, the Privacy Act 2020, the Official Information Act 1982, the Public Records Act 2005, a combination of these, or other legislation.
9. What contractual obligations apply to the information?

Table 1: Who is responsible for answering questions 3 to 9

| Entity | Questions to answer |
| --- | --- |
| Government organisation | 3, 4, 5, 6, 7, 8, 9 |
Context and help for questions 3 to 9
The following guidance gives you context and help for answering questions about information classification.
Why government organisations must classify information
If you do not classify the information that will be stored, processed and transmitted by a public cloud service, its classification level may not match:
- the security controls the public cloud service provides
- the service’s suitability for helping your organisation achieve its business objectives.
Work out the classification level for the information
Before the risk assessment can proceed, the business owner and stakeholders need to classify the information they plan to store or process in the public cloud service.
How to avoid mistakes in classifying information
The business owner leads the classification of the information and should make sure to:
- consult the right stakeholders, including the information owners and the people who will use the information
- use 2-way communication with those stakeholders to learn the details needed to classify the information correctly.
Classification levels that can use public cloud services
Government organisations are encouraged, with appropriate security controls in place, to use public cloud services for information that is:
- UNCLASSIFIED
- IN-CONFIDENCE
- SENSITIVE
- RESTRICTED.
Classification levels that cannot use public cloud services
Government organisations, as decided by Cabinet, cannot use public cloud services for information that is:
- CONFIDENTIAL
- SECRET
- TOP SECRET.
If you wrongly classify information at a lower level than it really is, the public cloud service might:
- lack the security controls the information needs
- be used insecurely: the proper security controls exist, but you do not set them up because you believe the information has less value and risk than it actually does.
Be careful — confidential, secret and top secret
Information at these classification levels must never be placed in public cloud services, regardless of the security controls in place.
If you under-classify information that is actually CONFIDENTIAL, SECRET or TOP SECRET, you might end up using a public cloud service where it is not permitted.
Example of under-classifying information
The business owner assesses the information as ‘RESTRICTED’ when it is actually ‘CONFIDENTIAL’. The information is then placed in a public cloud service that is not permitted to hold it.
If you wrongly classify information at a higher level than it really is, the public cloud service might:
- be given unnecessary security controls, increasing its cost for no benefit
- be rejected even though it could have been used.
Be careful — unclassified, in-confidence, sensitive and restricted
If you over-classify information that is actually UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE or RESTRICTED, you might end up turning down public cloud services that could have helped your organisation achieve its business objectives.
Example of over-classifying information
The business owner assesses the information as ‘SECRET’ when it is actually ‘RESTRICTED’. A public cloud service that could have held the information with appropriate controls is rejected.