Skip to main content

Decide if you need a risk discovery before using a public cloud service

Make sure the time and effort spent on assessing risks are in proportion to the information’s risk and value to your organisation, the NZ government and New Zealanders.

NZ government responsibilities

Balance the responsibilities of NZ government organisations to use:

  • information in secure and respectful ways
  • its resources well — human, financial and technological.

Tips for right-sizing your risk assessment

Complete the following steps

Decide if the risk of incomplete information is acceptable or if you need to discover the risks by answering questions 28 to 105.

  1. 1

    Work out the risk level of your information system

    Use your:

    • organisation’s policies for assessing risks
    • answers to questions 1 to 27 to help with your risk assessment.

    If your senior management is improving or developing your organisation’s policies, the Government Chief Digital Officer (GCDO) has guidance about assessing risks.

    Create or improve your organisation’s process for assessing risks

  2. 2

    Check who can approve the risk level

    It’s not practical for chief executives to directly approve all risk assessments.

    Following your organisation’s risk framework, make sure you sign off risk assessments at the right level for reporting risks. The GCDO has an example of these levels, or zones, of reporting.

    Evaluate the risks: Who can accept risks in each zone

  3. 3

    Is the risk of incomplete information acceptable?

    Government organisations can decide to accept the risk of having incomplete information in certain risk areas if the information:

    • does not contain personal information
    • has the risks to its integrity and availability accepted by a person at the appropriate level.

    Accepting the risk

    The decision to accept this risk must be:

    • signed off by someone at the appropriate level of reporting
    • documented in your risk assessment.

    Send your risk documents to the GCDO

  4. 4

    Not accepting the risk of incomplete information

    If the information is highly valuable to your organisation, the NZ government and New Zealanders, discover the risks of using it with the public cloud service you’re considering.

    Questions 28 to 105 — risk discovery for public cloud services

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated