Criticality of the information
Questions 10 to 13 — understand how important the information is to your organisation, the NZ government and New Zealanders.
Questions 10 to 13 — criticality of the information
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- What would the impact on the business be if the information were disclosed in an unauthorised manner?
  - Consider disclosures that would adversely affect government credibility and citizen trust.
  - Think about any impacts on financing, operations and intellectual property rights.
- What would the impact on the business be if the integrity of the information were compromised?
- Does the agency have incident response and management plans in place to minimise the impact of an unauthorised disclosure?
  - Consider incident response and management plans that cover the relevant aspects of operational, security and service incidents.
- What would the impact on the business be if the information were unavailable?
  - Recovery point objective — what is the maximum amount of data loss that can be tolerated after a disruption has occurred?
  - Recovery time objective — what is the maximum period of time before which the minimum levels of services must be restored after a disruption has occurred?
  - Acceptable interruption window — what is the maximum period of time before which the full service must be restored to avoid permanently compromising the business objectives?
| Entity | Questions to answer |
|---|---|
| Government organisation | 10, 11, 12, 13, 13a, 13b, 13c |
Context and help for questions 10 to 13
The following guidance gives you context and help for answering questions about the criticality of your information.
Why government organisations must check the criticality of the information
The business owner and stakeholders need to know the importance of the information being used in a public cloud service.
Thinking through the worst-case scenarios is essential for assessing this importance and knowing what controls are in place — such as incident response and management plans.
Identify and analyse risks
How you do this depends on whether you know the risks and controls.
You know the risks and controls
The business owner should already know the risks to and controls for their information by using their organisation’s approved processes, scales and matrices for assessing risks.
You do not know the risks and controls
If the business owner and organisation do not have complete information about the risks to and controls for their information, the Government Chief Digital Officer (GCDO) has guidance to help them to:
Using the risk matrix approved by your organisation, find out how severe these risks are to your organisation, the NZ government and New Zealanders.
The GCDO has an example of a risk matrix and how to use it.
Where to get information about criticality
You should be able to source much of the information about criticality from the designers of the current information system — also called architects.