Tips for right-sizing your risk assessment

Match your time and effort on risk assessments to the information’s risk and value — here’s why and how.

Use information in secure and respectful ways

Government organisations must responsibly use the information of the NZ government and New Zealanders. This involves:

  • only storing data classified as RESTRICTED or below in a public cloud service
  • setting up security controls to protect that information in ways that match its risk level.

Cabinet minutes for public cloud services

Common levels of information classification

Most information used by the NZ government in public cloud services is either:

  • UNCLASSIFIED
  • IN-CONFIDENCE.

Classify information

Balance your resources — right-size risk assessments

Government organisations have a responsibility to use their financial and human resources wisely. For risk assessments, this means spending:

  • more time and effort on high-value information
  • less time and effort on low-value information.

This is often called right-sizing your response to risk.

What often happens when you do not right-size assessments

If you pour lots of resources into assessing the risks of all types of information, this can:

  • stop or slow down your adoption of public cloud services that would otherwise help your people meet your organisation’s business needs
  • divert resources from high-risk information to low-risk information — increasing the overall risk to your organisation.

At the other extreme, focusing too few resources on risk assessments can lead you to underprotect high-risk information.

Benefits of right-sizing your risk assessments

Right-sizing your risk assessments helps you to:

  • use your information security resources in the right places — that is, most effectively
  • take advantage of the benefits of using public cloud services.

Benefits of using public cloud services

Match your time and effort to the risk level

For information in a public cloud service, you usually do not need to do a risk discovery if the risk of incomplete information is found to be acceptable by both your:

Low information classifications with high values and risks

Classification levels, such as UNCLASSIFIED and IN-CONFIDENCE, are part of the Government Security Classification System. However, you also need to consider business impacts, because they can make information more valuable than its classification level alone suggests.

Business impact levels can help you decide if the information is of greater value to your organisation, the NZ government and New Zealanders.

Applying Business Impact Levels — Protective Security Requirements

Always consider any additional questions and risk areas that are specific to your business and technical contexts.

Follow your organisation’s process for assessing risks.

Next step — make a decision

Decide if the risk of incomplete information is acceptable or if you need to discover the risks by answering questions 28 to 105.

Decide if you need to discover the risks of using a public cloud service
