How to discover the risks
If checking the information value showed the need to discover the risks, answer questions 28 to 105 to help with your risk assessment of a public cloud service.
Risk discovery informs your risk assessment
Answering questions 28 to 105 helps you with your risk assessment — making you aware of the:
- risks to information security and privacy
- security controls to manage these risks.
Assess the risks of using a public cloud service
Number of questions — risk discovery
There are 78 questions that make up this part of the risk assessment tool for public cloud services.
Always consider any additional areas that are specific to your business and technical contexts.
Complete the following steps
The questions in each step match those in the Excel version of the risk assessment tool for public cloud services.
Excel version — risk assessment tool for public cloud services
Governance — questions 28 to 39
Answer questions about how the information will fit with the service provider’s:
- terms of service
Confidentiality — questions 40 to 72
NZ government organisations have a strong responsibility to respect and protect New Zealanders’ information. For privacy concerns, you’ll need to answer questions about:
- authentication and access control
- multi-tenancy — multiple customers sharing a pool of computing resources
- standard operating environments
- patch and vulnerability management
- insider threats from the cloud service provider
- data persistence — whether you’re able to delete information
- physical security.
Integrity — questions 73 to 81
Find out how the service provider protects against loss and corruption of data. This includes questions about:
- the level of restoration — a single file or email versus an entire mailbox or database
- whether each user can restore their data or an authorised person needs to log a call with the service provider
- your organisation’s risk of not meeting their requirements under NZ legislation.
Availability — questions 82 to 99
For making sure your information stays available, you’ll need to answer questions about:
- service level agreement
- denial-of-service attacks
- network availability and performance
- business continuity and disaster recovery.
Incident response and management — questions 100 to 105
Understand what the service provider offers when a risk happens. See if and how they report and control risks when they happen.
Consider how their approach fits with your organisation’s own incident response and management.
Make a decision from the risk discovery
Check if the risks are too much or within your organisation’s risk tolerance.
Utility links and page information