Terms of service

Questions 28 to 32 — public cloud services are a way of outsourcing — make sure the contract’s terms clearly define ownership of the information and the control you have over it.

Questions 28 to 32 — terms of service

Table 1 lists who is responsible for answering each question.

Context and help for questions 28 to 32

Record your answers to these questions in either:

Questions to answer

  1. Does the service provider negotiate contracts with their customers or must they accept standard terms of service?
  2. Does the service provider’s terms of service and service level agreement clearly define how the service protects the confidentiality, integrity and availability of official information, and the privacy of all personally identifiable information?
  3. Does the service provider’s terms of service specify that the government organisation will keep ownership of its data?
  4. Will the service provider use the data for any purpose other than the delivery of the service?
  5. Is the provider’s service dependent on any third-party services?

Table 1: Who answers each question
Entity Questions to answer
Government organisation None
Service provider 28, 29, 30, 31, 32

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 28 to 32

The following guidance gives you context and help for answering the questions about terms of service.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Public cloud services as outsourcing

Cloud computing is a way to outsource parts of traditional systems of information technology. Which parts are outsourced depends on the service model you’re using.

Service models for public cloud

Governance controls for public cloud services

For public cloud services, it’s not always possible to fully negotiate all terms in your contract with a service provider.

Help with negotiating contracts for public cloud services

This lack of control is a risk to governance. The main way government organisations can assert control in governance is by carefully reviewing the service provider’s:

  • terms in the contract — also called ‘terms of service’
  • service level agreement
  • key performance indicators
  • other metrics that specify the service performance.

Review the contract

Review those areas of the contract to make sure the public cloud service can meet your organisation’s need to protect the information’s:

  • confidentiality — including the privacy of all personally identifiable information that will be used in the public cloud service
  • integrity
  • availability.

Ownership of the information

Government organisations must keep ownership of their information and know how the service provider will use this data when delivering the service.

Use of customer data is usually limited to consumer rather than enterprise contracts. Regardless, government organisations need to know if the service provider will use information for any purpose other than delivering the service.

Example — using information for more than service delivery

Service providers might use your information to create more revenue for themselves by:

  • setting up targeted advertising to users
  • selling statistical data to other organisations.

Review the contract

Make sure the contract’s terms of service:

  • clearly define the ownership of data
  • state how the information will be used in delivering the service
  • say whether or not the service provider will use the data for any purpose other than the delivery of the service.

Service provider outsourcing some of its services

It’s common for service providers to rely on components from other service providers. When assessing the risks of using your information in a public cloud service, identify any dependencies that the service provider has on third-party services.

Knowing who is involved in the service provider’s supply chain will give you a clearer understanding of the risks involved in using information with their public cloud service.

Example — service provider outsourcing part of its service

A public cloud service that uses a Software-as-a-Service model might be hosted on a public cloud service that uses an Infrastructure-as-a-Service model.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated