Decide if you need a risk discovery before using a public cloud service
Make sure the time and effort spent on assessing risks are in proportion to the information’s risk and value to your organisation, the NZ government and New Zealanders.
NZ government responsibilities
Balance the responsibilities of NZ government organisations to use:
- information in secure and respectful ways
- its resources well — human, financial and technological.
Tips for right-sizing your risk assessment
Complete the following steps
Decide if the risk of incomplete information is acceptable or if you need to discover the risks by answering questions 28 to 105.
Work out the risk level of your information system using your:
- organisation’s policies for assessing risks
- answers to questions 1 to 27 to help with your risk assessment.
If your senior management is improving or developing your organisation’s policies, the Government Chief Digital Officer (GCDO) has guidance about assessing risks.
Create or improve your organisation’s process for assessing risks
Check who can approve the risk level
It’s not practical for chief executives to directly approve all risk assessments.
Following your organisation’s risk framework, make sure you sign off risk assessments at the right level for reporting risks. The GCDO has an example of these levels, or zones, of reporting.
Is the risk of incomplete information acceptable?
Government organisations can decide to accept the risk of having incomplete information in certain risk areas if the information:
- is UNCLASSIFIED
- does not contain personal information
- has the risks to its integrity and availability accepted by a person at the appropriate level.
Accepting the risk
The decision to accept this risk must be:
- signed off by someone at the appropriate level of reporting
- documented in your risk assessment.
Not accepting the risk of incomplete information
If the information is highly valuable to your organisation, the NZ government and New Zealanders, discover the risks of using it with the public cloud service you’re considering.
Questions 28 to 105 — risk discovery for public cloud services