Questions 71 and 72 — physical security

Table 1 lists who is responsible for answering each question.

Context and help for questions 71 and 72

Questions to answer

71. Can the service provider’s physical security controls be directly reviewed or assessed by the government organisation?
    
    • If yes — it needs to be practical to do so, such as the data centre being located in New Zealand
    1. If no — will the service provider allow the government organisation to review a recent third-party audit report that includes an assessment of their physical security controls?
    • Example — ISO/IEC 27001 certification — International Organization for Standardization
    • Example — ISAE 3402 SOC 2 Type II — External Reporting Board
72. Do the service provider’s physical security controls meet the minimum requirements as defined in the NZ government’s security guidelines to protect the information stored in the public cloud service?
    
    • Physical security — New Zealand Information Security Manual (NZISM)
    • Physical security — Protective Security Requirements (PSR)

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

• direct communication with the provider
• the provider’s policies and audit reports on their website
• previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

• the provider does not give you their answers or other information you need for your risk assessment
• you cannot get acceptable third-party assurance
• there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — NZISM

Context and help for questions 71 and 72

The following guidance gives you context and help for answering questions about physical security.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

• joining the Cloud Capabilities Network (CCN), if you’re not already a member
• searching the CCN’s chart of risk assessments for public cloud services.

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

• an all-of-government agreement
• a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

What physical security protects against

Physical security controls are needed to make sure that information is protected from unauthorised access by any malicious service provider:

• personnel
• third parties.

Information security and physical controls

Information security depends on how well physical controls work to protect the service provider’s:

• offices
• datacentres
• physical assets.

NZ requirements for physical security

Physical security controls must be in place to adequately protect the information of the NZ government and New Zealanders.

Physical security — PSR

Depending on your information’s classification, see which security controls you need in place.

Physical security — NZISM

When to use third-party audit reports

It’s not always possible or practical to directly assess the physical controls of a service provider. To see if the provider is adequately protecting its customers’ data, you should review recent third-party audit reports that include assessments of their physical security controls.

You should not use a public cloud service if:

• third-party audit reports from credible sources are not available
• the provider does not let you review the reports.