How to discover the risks

If checking the information value showed the need to discover the risks, answer questions 28 to 105 to help with your risk assessment of a public cloud service.

Risk discovery informs your risk assessment

Answering questions 28 to 105 helps you with your risk assessment — making you aware of the:

  • risks to information security and privacy
  • security controls to manage these risks.

Assess the risks of using a public cloud service

Number of questions — risk discovery

There are 78 questions that make up this part of the risk assessment tool for public cloud services.

Always consider any additional areas that are specific to your business and technical contexts.

Complete the following steps

The questions in each step match those in the Excel version of the risk assessment tool for public cloud services.

Excel version — risk assessment tool for public cloud services

  1. Governance — questions 28 to 39

    Answer questions about how the information will fit with the service provider’s:

    • terms of service
    • compliance.

    Governance of the information

  2. Confidentiality — questions 40 to 72

    NZ government organisations have a strong responsibility to respect and protect New Zealanders’ information. For privacy concerns, you’ll need to answer questions about:

    • authentication and access control
    • multi-tenancy — multiple customers sharing a pool of computing resources
    • standard operating environments
    • patch and vulnerability management
    • encryption
    • insider threats from the cloud service provider
    • data persistence — whether you’re able to delete information
    • physical security.

    Confidentiality of the information

  3. Integrity — questions 73 to 81

    Find out how the service provider protects against loss and corruption of data. This includes questions about:

    • the level of restoration — a single file or email versus an entire mailbox or database
    • whether each user can restore their data or an authorised person needs to log a call with the service provider
    • your organisation’s risk of not meeting its requirements under NZ legislation.

    Integrity of the information

  4. Availability — questions 82 to 99

    For making sure your information stays available, you’ll need to answer questions about:

    • service level agreement
    • denial-of-service attacks
    • network availability and performance
    • business continuity and disaster recovery.

    Availability of the information

  5. Incident response and management — questions 100 to 105

    Understand what the service provider offers when a risk eventuates. Find out whether, and how, they report and contain incidents when they occur.

    Consider how their approach fits with your organisation’s own incident response and management.

    Incident response and management of the information

  6. Make a decision from the risk discovery

    Check if the risks are too much or within your organisation’s risk tolerance.

    Make a decision from the risk discovery
