Decide if you need a risk discovery before using a public cloud service

Make sure the time and effort spent on assessing risks are in proportion to the information’s risk and value to your organisation, the NZ government and New Zealanders.

NZ government responsibilities

Balance the responsibilities of NZ government organisations to use:

  • information in secure and respectful ways
  • its resources well — human, financial and technological.

Tips for right-sizing your risk assessment

Complete the following steps

Decide if the risk of incomplete information is acceptable or if you need to discover the risks by answering questions 28 to 105.

  1. Work out the risk level of your information system

    Use your:

    • organisation’s policies for assessing risks
    • answers to questions 1 to 27 to help with your risk assessment.

    If your senior management is improving or developing your organisation’s policies, the Government Chief Digital Officer (GCDO) has guidance about assessing risks.

    Create or improve your organisation’s process for assessing risks

  2. Check who can approve the risk level

    It’s not practical for chief executives to directly approve all risk assessments.

    Following your organisation’s risk framework, make sure you sign off risk assessments at the right level for reporting risks. The GCDO has an example of these levels, or zones, of reporting.

    Evaluate the risks: Who can accept risks in each zone

  3. Is the risk of incomplete information acceptable?

    Government organisations can decide to accept the risk of having incomplete information in certain risk areas if the information:

    • is UNCLASSIFIED
    • does not contain personal information
    • has the risks to its integrity and availability accepted by a person at the appropriate level.

    Accepting the risk

    The decision to accept this risk must be:

    • signed off by someone at the appropriate level of reporting
    • documented in your risk assessment.

    Send your risk documents to the GCDO

  4. Not accepting the risk of incomplete information

    If the information is highly valuable to your organisation, the NZ government and New Zealanders, discover the risks of using it with the public cloud service you’re considering.

    Questions 28 to 105 — risk discovery for public cloud services
