Integrity of the information
Questions 73 to 81 — there are different levels of protection against data loss and corruption — find out if a service provider meets your organisation’s requirements.
Questions 73 to 81 — integrity of the information
Table 1 lists who is responsible for answering each question. Both your government organisation and the service provider need to answer question 77.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Does the service provider have data backup or archiving services as part of their standard service offering to protect against data loss or corruption?
  - If no — does the service provider offer data backup or archiving services as an additional service offering to protect against data loss and corruption?
- How are data backup and archiving services provided?
- Does the service level agreement specify the data backup schedule?
- Does the data backup or archiving service ensure that business requirements related to protection against data loss are met?
  - Example — does the service support your organisation’s recovery point objective?
- What level of detail does the service provider offer for data restoration?
- What is the service provider’s process for initiating a restore?
- Does the service provider regularly perform test restores to ensure that data can be recovered from backup media?
- Does the government organisation need to implement a data backup strategy to ensure that it can recover from an incident that leads to data loss or corruption?
- Does the proposed data backup and archiving strategy support the government organisation in meeting its obligations under the New Zealand:
Table 1: who answers each question
|Entity|Questions to answer|
|---|---|
|Government organisation|76, 77, 80, 81|
|Service provider|73, 74, 75, 77, 78, 79|
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Context and help for questions 73 to 81
The following guidance gives you context and help for answering questions about the integrity of the information.
Direct contracts — check for information you can use
Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:
NZ government agreements and contracts — check for certification documents you can use
You can use certification documents to help with your risk assessment of using either:
- an all-of-government agreement
- a Marketplace contract.
To get these, contact the security team at the Department of Internal Affairs at firstname.lastname@example.org.
No protection against data loss and corruption
Some service providers do not offer protection against data loss or corruption. Do not use their public cloud services.
Meet the requirements of NZ legislation
Government organisations in New Zealand must meet their obligations under the:
If your organisation lacks the specialised knowledge of these Acts, seek advice from either, or both:
Protection against data loss and corruption
When service providers have data backup, they offer it as either:
- part of the base service
- an additional cost service.
Example of subscription-based data backup
A service provider does not provide any backup services without a subscription to an additional service.
Analyse how the provider protects data
Looking into how the service provider protects data from loss or corruption helps you understand if it can meet your requirements.
Example — data corruption
The service provider replicates customer data to another data centre in near real-time — for example, every 5 minutes.
If data becomes corrupted, the corruption could be replicated to the second data centre before it is detected, so replication on its own does not give you a clean copy to restore from.
Example — recovery time objective
The service provider backs up data to tape on a daily basis.
This makes a recovery time objective of less than 24 hours unlikely.
Example — recovery point objective and detail options
Can a single file or an email be restored?
Or, are you limited to restoring an entire mailbox or database?
Example — how to start a restore
Can a user restore a file or an email they have accidentally deleted?
Or, does an authorised person need to log a call with the service provider to start a restore?
Develop and use your strategy for data backups
Government organisations need to have their own strategy for backing up data. Use and test your strategy so you can recover from an incident that results in data loss or corruption. Make sure it can restore to a point that meets your requirements.
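The checks described in the examples above (replication versus point-in-time copies, backup interval against the recovery point objective, restore time against the recovery time objective, restore granularity, and how a restore is started) and the test-restore step in this section can be written down as a small assessment script. The following is an added example, not a tool from this guidance or from any provider; the offerings, requirements and file contents are constructed, and the field names, thresholds and the `assess` and `check_test_restore` functions are this example's own assumptions.

```python
"""Assess a provider's backup offering against recovery requirements and
verify a test restore (constructed example; not from the guidance page)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta
import hashlib

# Restore granularity from finest to coarsest. A provider that only restores
# a whole mailbox cannot satisfy a requirement to restore a single email.
GRANULARITY_RANK = {"item": 0, "mailbox": 1, "database": 2, "whole-service": 3}


@dataclass
class BackupOffering:
    name: str
    copy_interval: timedelta      # time between recoverable point-in-time copies
    restore_time: timedelta       # typical elapsed time to complete a restore
    retention: timedelta          # how long point-in-time copies are kept
    granularity: str              # finest unit the provider will restore
    user_initiated: bool          # can a user start a restore without logging a call?
    point_in_time: bool = True    # False for replication with no retained copies


@dataclass
class Requirements:
    rpo: timedelta                # maximum acceptable data loss, as a span of time
    rto: timedelta                # maximum acceptable time to get data back
    detection_window: timedelta   # how long corruption may plausibly go unnoticed
    granularity: str              # finest unit you need to be able to restore
    self_service_restore: bool    # must users be able to recover their own deletions?


def assess(offering: BackupOffering, req: Requirements) -> list[str]:
    """Return a list of findings; an empty list means the offering meets `req`."""
    findings = []
    if not offering.point_in_time:
        # Near-real-time replication copies corruption as faithfully as good data;
        # with no retained copies there is nothing clean to roll back to.
        findings.append("replication only: corruption is replicated before it can be detected")
    if offering.copy_interval > req.rpo:
        findings.append(f"copy interval {offering.copy_interval} exceeds RPO {req.rpo}")
    if offering.restore_time > req.rto:
        findings.append(f"restore time {offering.restore_time} exceeds RTO {req.rto}")
    if offering.point_in_time and offering.retention < req.detection_window:
        findings.append(f"retention {offering.retention} is shorter than the detection "
                        f"window {req.detection_window}: clean copies may expire first")
    if GRANULARITY_RANK[offering.granularity] > GRANULARITY_RANK[req.granularity]:
        findings.append(f"restores only whole {offering.granularity}; "
                        f"{req.granularity}-level restore required")
    if req.self_service_restore and not offering.user_initiated:
        findings.append("restores require logging a call with the provider")
    return findings


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of each file, recorded before backup so a test restore can be checked."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_test_restore(expected: dict[str, str], restored: dict[str, bytes]) -> list[str]:
    """Compare a restored file set to the pre-backup manifest; list what is missing or altered."""
    problems = []
    for path, digest in expected.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append(f"altered: {path}")
    return problems


# Constructed sample offerings mirroring the guidance's examples.
REPLICATION_ONLY = BackupOffering("near-real-time replication", timedelta(minutes=5),
                                  timedelta(hours=1), timedelta(0), "database", False,
                                  point_in_time=False)
DAILY_TAPE = BackupOffering("daily tape backup", timedelta(days=1), timedelta(hours=36),
                            timedelta(days=90), "mailbox", False)
# Constructed sample requirements for an organisation assessing these offerings.
REQ = Requirements(rpo=timedelta(hours=4), rto=timedelta(hours=24),
                   detection_window=timedelta(days=30), granularity="item",
                   self_service_restore=True)

if __name__ == "__main__":
    for offering in (REPLICATION_ONLY, DAILY_TAPE):
        print(offering.name, assess(offering, REQ) or ["meets requirements"])
    before = manifest({"a.txt": b"hello", "b.txt": b"world"})
    print(check_test_restore(before, {"a.txt": b"hello", "b.txt": b"wor1d"}))
```

Record the pre-backup manifest at the time the backup is taken, not at restore time, so that a test restore is compared against what the data looked like before any loss or corruption; an empty findings list from `assess` only says the offering matches the stated requirements, so the requirement values themselves need to come from the organisation's own recovery objectives.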