Risk discovery for public cloud services
Questions 28 to 105 of the risk assessment tool — discover the risks to information security and privacy in a public cloud service, and identify the controls to manage them.
How to discover the risks
If checking the information value showed the need to discover the risks, answer questions 28 to 105 to help with your risk assessment of a public cloud service.
Governance of the information
Questions 28 to 39 — check how much control you will have over the information — review the terms of service and compliance with NZ security requirements.
Confidentiality of the information
Questions 40 to 72 — as with other information technology systems, see how secure information is in a public cloud service.
- Authentication and access control
- Multi-tenancy — multiple customers sharing a pool of computing resources
- Standard operating environments
- Patch and vulnerability management
- Encryption
- Insider threat from the cloud service provider
- Data persistence — are you able to delete information?
- Physical security
Integrity of the information
Questions 73 to 81 — there are different levels of protection against data loss and corruption — find out if a service provider meets your organisation’s requirements.
Availability of the information
Questions 82 to 99 — see if the provider meets your organisation’s requirements for keeping its service and your information online.
Incident response and management of the information
Questions 100 to 105 — find out what you can see and control in security incidents — get the right level of assurance from the service provider.
Make a decision from the risk discovery
Because the information is valuable to your organisation, the NZ government and New Zealanders, assess the risks of using the public cloud service.