
Integrity of the information

Questions 73 to 81 — there are different levels of protection against data loss and corruption — find out if a service provider meets your organisation’s requirements.

Questions 73 to 81 — integrity of the information

Table 1 lists who is responsible for answering each question. Both your government organisation and the service provider need to answer question 77.


Record your answers to these questions in either:

Questions to answer

  73. Does the service provider have data backup or archiving services as part of their standard service offering to protect against data loss or corruption?
    • If no — does the service provider offer data backup or archiving services as an additional service offering to protect against data loss and corruption?
  74. How are data backup and archiving services provided?
  75. Does the service level agreement specify the data backup schedule?
  76. Does the data backup or archiving service ensure that business requirements related to protection against data loss are met?
    • Example — does the service support your organisation’s recovery point objective?
  77. What level of detail does the service provider offer for data restoration?
  78. What is the service provider’s process for initiating a restore?
  79. Does the service provider regularly perform test restores to ensure that data can be recovered from backup media?
  80. Does the government organisation need to implement a data backup strategy to ensure that it can recover from an incident that leads to data loss or corruption?
  81. Does the proposed data backup and archiving strategy support the government organisation in meeting its obligations under the New Zealand:

Table 1: Who answers each question

Entity | Questions to answer
Government organisation | 76, 77, 80, 81
Service provider | 73, 74, 75, 77, 78, 79

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 73 to 81

The following guidance gives you context and help for answering questions about the integrity of the information.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at

No protection against data loss and corruption

Some service providers do not offer protection against data loss or corruption. Do not use their public cloud services.

Meet the requirements of NZ legislation

Government organisations in New Zealand must meet their obligations under the:

If your organisation lacks the specialised knowledge of these Acts, seek advice from either, or both:

Protection against data loss and corruption

When service providers have data backup, they offer it as either:

  • part of the base service
  • an additional cost service.

Example of subscription-based data backup

A service provider does not provide any backup services without a subscription to an additional service.

Analyse how the provider protects data

Looking into how the service provider protects data from loss or corruption helps you understand if it can meet your requirements.

Example — data corruption

The service provider replicates customer data to another data centre in near real-time — for example, every 5 minutes.

The data corruption could be replicated before it is detected.

Example — recovery time objective

The service provider backs up data to tape on a daily basis.

This makes a recovery time objective of less than 24 hours unlikely.

Example — recovery point objective and detail options

Can a single file or an email be restored?

Or, are you limited to restoring an entire mailbox or database?

Example — how to start a restore

Can a user restore a file or an email they have accidentally deleted?

Or, does an authorised person need to log a call with the service provider to start a restore?

Develop and use your strategy for data backups

Government organisations need to have their own strategy for backing up data. Use and test your strategy so you can recover from an incident that results in data loss or corruption. Make sure it can restore to a point that meets your requirements.
