Incident response and management of the information

Questions 100 to 105 — find out what you can see and control in security incidents — get the right level of assurance from the service provider.

Questions 100 to 105 — incident response and management of the information

Table 1 lists who is responsible for answering each question.

Record your answers to these questions in either:

Questions to answer

  100. Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents?
    a. If yes — will they provide the government organisation with a copy of their process and plans to enable it to determine if they are sufficient?
  101. Does the service provider test and refine its incident response and management process and plans on a regular basis?
  102. Does the service provider engage its customers when testing its incident response and management processes and plans?
  103. Does the service provider appropriately train its staff on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner?
  104. Do the service provider’s terms of service or service level agreement define the support they will provide to the government organisation if an information security incident happens? For example, does the service provider:
    a. notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported
    b. specify a point of contact and channel for customers to report suspected information security incidents
    c. define the roles and responsibilities of each party during an information security incident
    d. allow customers to access evidence to enable them to perform their own investigation of an incident — evidence such as time-stamped audit logs or forensic snapshots of virtual machines
    e. make sufficient information available to enable the government organisation to cooperate effectively with an investigation by a regulatory body — such as the Privacy Commissioner or the Payment Card Industry Security Standards Council
    f. define which party is responsible for the recovery of data and services after an information security incident has occurred
    g. share post-incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the public cloud service
    h. specify in the contract limits and provisions for insurance, liability and indemnity for information security incidents?
  105. Do the service provider’s incident response and management procedures map to, or fit with, the government organisation’s internal policy and procedures — meaning that they will not hinder or delay the government organisation’s ability to manage incidents in a timely and effective manner?

Table 1: Who answers each question

Entity | Questions to answer
Government organisation | 105
Service provider | 100, 100a, 101, 102, 103, 104, 104a, 104b, 104c, 104d, 104e, 104f, 104g, 104h

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 100 to 105

The following guidance gives you context and help for answering questions about incident response and management of the information.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at

Factors affecting visibility and control of security incidents

What you can see and control in security incidents is different depending on the:

Incidents occur — find your level of assurance

Even the most carefully planned, used and managed preventative controls can fail to stop a risk from happening. This is why it’s important to get the right level of assurance for your information. That assurance shows that the service provider is capable of responding effectively and efficiently to an information security incident.

Review the service provider’s contract

It’s rare for government organisations to be able to negotiate contracts directly with providers of public cloud services.

When to negotiate direct contracts for public cloud services

Review the contract — either the:

  • terms of service
  • service level agreement.

See what, if any, support the service provider gives to their customers during an information security incident.

See or develop your incident response and management

Government organisations need to have their own processes and plans for incident response and management. They define how the government organisation will handle its responsibilities during an information security incident.

Topics to cover in plans and processes

For your organisation’s incident response and management, make sure your plans and processes cover, for example:

  • roles
  • responsibilities
  • contacts
  • incident definitions
  • notification criteria
  • escalation channels
  • evidence collection and preservation
  • post-incident activities.

More information

Information security incidents — New Zealand Information Security Manual
