Tips for right-sizing your risk assessment
Match your time and effort on risk assessments to the information’s risk and value — here’s why and how.
Use information in secure and respectful ways
Government organisations must responsibly use the information of the NZ government and New Zealanders. This involves:
- only storing data classified as RESTRICTED or below in a public cloud service
- setting up security controls to protect that information in ways that match its risk level.
Common levels of information classification
Most information used by the NZ government in public cloud services is either:
Balance your resources — right-size risk assessments
Government organisations have a responsibility to use their financial and human resources wisely. For risk assessments, this means spending:
- more time and effort on high-value information
- less time and effort on low-value information.
This is often called right-sizing your response to risk.
What often happens when you do not right-size assessments
If you pour lots of resources into assessing the risks of all types of information, this can:
- stop or slow your adoption of public cloud services that would otherwise help your people meet your organisation's business needs
- divert resources from high-risk information to low-risk information, which increases the overall risk to your organisation.
At the other extreme, focusing too few resources on risk assessments can lead you to underprotect high-risk information.
Benefits of right-sizing your risk assessments
Right-sizing your risk assessments helps you to:
- use your information security resources in the right places — that is, most effectively
- take advantage of the benefits of using public cloud services.
Match your time and effort to the risk level
For information in a public cloud service, you usually do not need to do a risk discovery if the risk of proceeding with incomplete information is judged acceptable by both:
- your decision from checking the information value (questions 1 to 27 of the risk assessment tool)
- your organisation's risk assessment process.
Low information classifications with high values and risks
Classification levels, such as UNCLASSIFIED and IN-CONFIDENCE, are part of the Government Security Classification System. However, you also need to consider business impacts, because they can make information more valuable (and its compromise more harmful) than its classification level alone suggests.
Business impact levels help you decide whether the information is of greater value to your organisation, the NZ government and New Zealanders than its classification implies, and so whether it warrants more assessment effort.
Always consider any additional questions and risk areas that are specific to your business and technical contexts.
Follow your organisation’s process for assessing risks.
Next step — make a decision
Decide whether the risk of proceeding with incomplete information is acceptable, or whether you need to discover the risks in more depth by answering questions 28 to 105 of the risk assessment tool.