Compliance with NZ security requirements
Questions 33 to 39 — see if the public cloud service meets NZ security requirements for protecting the information of the NZ government and New Zealanders.
Questions 33 to 39 — compliance with NZ security requirements
Table 1 lists who is responsible for answering each question.
Context and help for questions 33 to 39
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Does the service provider’s terms of service allow your government organisation to directly audit the implementation and management of the security measures that are in place to protect the service and data held with it?
  - If yes — does this include performing vulnerability scans and penetration testing of the service and supporting infrastructure?
  - If no — does the service provider undergo formal and regular assessment against an internationally recognised information security standard or framework by an independent third party?
- Will the service provider allow your government organisation to thoroughly review recent audit reports before signing up for the service?
  - Example — will the service provider give your organisation the Statement of Applicability, a copy of the full audit reports from their external auditor, and the results of any recent internal audits?
- Will the service provider enable your organisation to perform reference checks before you commit to their services?
  - Example — the service provider gives you the contact details of 2 or more of its current customers.
- Is there a completed Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM) report for the service provider in the Cloud Security Alliance’s Security, Trust, Assurance and Risk (CSA STAR) registry?
- Has the service provider undergone a CSA STAR certification or attestation, or both?
  - If yes — have they published the outcome of the audit?
- Has the service provider published a completed Cloud Computing Code of Practice?
- What additional assurance activities must be performed to complete the certification and accreditation of the cloud service?
| Entity | Questions to answer |
| --- | --- |
| Service provider | 33, 33a, 33b, 34, 35, 36, 37, 37a, 38 |
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — New Zealand Information Security Manual
Context and help for questions 33 to 39
The following guidance gives you context and help for answering questions about compliance with NZ security requirements.
Direct contracts — check for information you can use
Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:
NZ government agreements and contracts — check for certification documents you can use
You can use certification documents to help with your risk assessment of using either:
- an all-of-government agreement
- a Marketplace contract.
To get these, contact the security team at the Department of Internal Affairs at firstname.lastname@example.org.
Government responsibilities for information
When using a public cloud service, government organisations must responsibly and respectfully use the information of the NZ government and New Zealanders.
This means government organisations must be sure that security controls are in place to protect, within your organisation’s risk tolerance, the information’s:
Using available certifications
Since government organisations often cannot negotiate the terms of a contract with a service provider, they likely cannot:
- specify security controls to protect their data
- directly verify that a service provider has proper controls in place to protect the information.
Even if it’s possible to directly verify a service provider’s controls, it may not be practical to do this if the public cloud service is hosted in a data centre outside New Zealand.
As a result, government organisations must often rely on the service provider setting up third-party audits of its security practices and controls. There are different certifications to show this has been done and they all have different criteria.
Understand the limits of each certification
Government organisations need to work out which certifications are useful and whether or not they increase their confidence in the service provider’s ability to protect their information.
Even internationally recognised standards and frameworks have limits. You’ll need to check these to see if certifications to these standards and frameworks provide assurance that the provider of a public cloud service meets your organisation’s security requirements.
Example — SOC 2+
The System and Organization Controls (SOC) 2+ of the Statement on Standards for Attestation Engagements (SSAE) 18 allows the service provider to limit the scope of the audit.
Example — ISO/IEC 27001
ISO/IEC 27001 allows the service provider to limit the scope of the audit by using a Statement of Applicability that defines those limits.
Openness to sharing audit information
Some service providers are more willing to give current and potential customers full audit reports under a non-disclosure and confidentiality agreement.
Others only provide the certificate to show they have passed the audit.
The more transparent the service provider is, the easier it is for government organisations to assess if the provider has proper security practices and controls in place to meet NZ security requirements.
Cloud Security Alliance (CSA) certifications
There are 3 different levels of assurance that service providers can achieve using the CSA’s Security, Trust, Assurance and Risk (STAR) registry.
CSA STAR certifications are another option for government organisations looking to gather information about a public cloud service’s security.
Level 1 — CSA STAR self-assessment reports
Service providers submit either a completed:
- Consensus Assessments Initiative Questionnaire, or
- Cloud Controls Matrix.
Level 1 STAR: Self-Assessment — CSA
Use Level 1 reports for insight, not assurance
These reports can give insight into the service provider’s security controls and practices. However, the CSA does not guarantee the accuracy of any entries. For submissions, the CSA only:
- verifies their authenticity
- does a basic check of their accuracy.
Level 1 CSA STAR registry
Being listed on the CSA’s Level 1 STAR registry means the service provider has done some level of diligence with a registration body. However, it does not give any assurance that they have proper security practices or controls in place.
Level 2 — CSA STAR certification and attestation
Service providers go through auditing by a third party — one of the CSA’s approved certification bodies. The audits provide either:
Level 2 STAR: Third-Party Audit — CSA
CSA STAR certification is based on ISO/IEC 27001 and the service provider’s security controls listed in their Cloud Controls Matrix.
ISO/IEC 27001:2013 — International Organization for Standardization
The CSA assesses the service provider’s information security management system. If they have proper security controls in place, the CSA certifies the provider’s security processes.
CSA STAR attestation is based on System and Organization Controls (SOC) 2+ and the criteria defined in their Cloud Controls Matrix.
SOC 2+ is part of the Statement on Standards for Attestation Engagements (SSAE) 18.
SOC 2+ for CSA STAR Attestation — SSAE 18
The CSA regularly assesses the service providers to see if their specified controls are in place and fit their description of the service.
Level 2 CSA STAR registry
See which service providers have Level 2 CSA STAR certification or attestation.
Level 3 — CSA STAR continuous auditing certification
Level 3 STAR is not yet available. It will offer real-time transparency about the effectiveness of the service provider’s security management practices and controls.
Service providers at Level 3 STAR would work with the CSA using the:
- Cloud Controls Matrix
- Cloud Trust Protocol.
The Evolution of STAR: Introducing Continuous Auditing — CSA
More information — CloudTrust Protocol
CloudCode — Cloud Computing Code of Practice
Government organisations should only use CloudCode documents for additional information, because CloudCode does not cover the security practices or controls needed to meet NZ security requirements.
CloudCode is designed to help New Zealand-based service providers to be transparent about the security of their services.
Cloud Computing Code of Practice — Information Technology Professionals NZ
Any gaps or further certification needed?
Government organisations need to understand the scope and any limitations of certifications that have come from:
- a third party
- another government organisation.
Government organisations might need to perform more assurance steps before using the public cloud service.
Example of needing more assurance steps
A government organisation is planning to deploy a service on 1 of the Infrastructure-as-a-Service models approved by the NZ government.
Before deploying, the government organisation must do a certification and accreditation review of the components they implement as part of their project — such as guest operating systems and applications.
Risk assessment sign-offs are not complete certification and accreditation processes
See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.