Cloud computing risk and assurance framework - Background to Government’s approach
Along with great benefits, using cloud services also has risk. In October 2013, Cabinet agreed to a Cloud Computing Risk and Assurance Framework [CAB Min (13) 37/6B - pdf 277KB] for government agencies. All State Service agencies are expected to follow the process in line with Cabinet direction.
The key points from this framework are:
Decisions on all cloud computing services, including continuation of existing services and decisions to renew contracts, require case-by-case consideration by agency chief executives with GCIO oversight. Refer to the Cloud Service Requirements chart (Word 115KB) for further guidance. This chart summarises the process for completing the requirements for cloud computing as detailed on these pages.
Agency chief executives are ultimately responsible for decisions to use cloud services, and are accountable for their risk exposure.
No data above RESTRICTED should be held in a public cloud, whether it is hosted onshore or offshore.
Agencies in the State Services are expected to follow a uniform and robust information risk management process that includes:
Following the guidelines in the publication Cloud Computing: Information Security and Privacy Considerations (pdf 196KB) to ensure appropriate and consistent consideration of cloud computing issues (including privacy and security).
Undertaking a risk assessment using the agency’s own processes, if they have them, or those supplied by the GCIO in the Risk Assessment Process: Information Security guide (pdf 295KB).
When agencies are taking up ICT Common Capability cloud services developed for All-of-Government by the GCIO, the lead agency developing the cloud ICT Common Capability will undertake the initial cloud assessment and other agencies may be able to place reliance on some of the assessment results. However, even with ICT Common Capabilities there are always agency-specific risks and considerations.
Cloud computing and ICT Assurance – What agencies must do when adopting cloud services
Requirements
All cloud computing decisions need to be made on a case-by-case basis after a proper risk assessment. State Service agencies are expected to follow the process issued by the GCIO.
For decisions on all cloud computing services, including Government ICT Common Capabilities, continuation of existing services and decisions to renew contracts, mandated agencies must:
Use Government ICT Common Capability cloud solutions where they exist, rather than source an individual cloud solution [CAB Min (12) 29/8A].
Conduct an initial cloud services information risk assessment of each cloud solution. The parent document is the Cloud Computing: Information Security and Privacy Considerations (pdf 196KB). However, the GCIO has developed an easy to use spreadsheet based on this document called the Cloud Risk Assessment Tool (Excel 77KB). Start by completing the first three sections (questions 1-27) of the Cloud Risk Assessment Tool (Excel 77KB). If you are using a Government ICT Common Capability, you can leverage the initial analysis undertaken by the lead agency, however, you may be required to complete additional fields based on your agency’s profile.
Questions 1-27 of the Cloud Risk Assessment Tool (Excel 77KB) enables agencies to understand:
The classification of the information,
The presence of Personally Identifiable Information (PII).
Any sovereignty and reputational issues.
Complete the relevant remaining sections of the Cloud Risk Assessment Tool (Excel 77KB) as needed, based on the results of the initial information risk assessment in the first three sections. Agencies may need to collect information directly from the cloud vendor. Several cloud vendors have developed standard answer sets for some of the questions in the Cloud Risk Assessment Tool (Excel 77KB). See the section Vendor answer sets below for a current list of products with answer sets.
Apply appropriate expertise in completing the Cloud Risk Assessment Tool (Excel 77KB). If there is insufficient in-house expertise, agencies should obtain assistance from an All-of-Government Security and Related Services Panel provider.
Evaluate the information collected.
Perform any required testing and follow-up queries in order to understand and assess the risks, existing mitigations (controls), and residual risk to the agency.
Obtain sign-off from their agency’s Chief Executive or formal delegate attesting to the completeness and adequacy of the risk assessment, including the acceptance of any residual risk. A Cloud Endorsement by Agency (Word 97KB) is provided as a sample template for this endorsement.
Submit both the Cloud Risk Assessment Tool (Excel 77KB) and the Cloud Endorsement by Agency (Word 97KB) (or similar) to the GCIO ICTAssurance@dia.govt.nz
The GCIO will use the results of agencies’ cloud risk review activities to assess on an ongoing basis whether the correct guidance and risk-based processes (Cloud Computing: Information Security and Privacy Considerations guide pdf 197KB) are being applied and followed. The GCIO will not assess the underlying risk assessments as this is the responsibility of each agency CE. Endorsement of the cloud solution will not be required from the GCIO in advance of an agency adopting the cloud service.
The GCIO Government Enterprise Architecture team can provide limited guidance on the application of this framework. Refer to the Cloud Service Requirements chart (Word 115KB) for further guidance or email ICTAssurance@dia.govt.nz.
Information sharing
To further assist agencies and promote efficiency, the GCIO encourages and facilitates the sharing and re-use of existing cloud assessment materials among agencies.
All cloud documents submitted by agencies are logged in a register. We can put agencies who are beginning to assess a cloud solution in touch with other agencies that have completed a Cloud Risk Assessment Tool (Excel 77KB) for that particular service.
Agencies must apply their own agency specific answers to relevant questions and ensure vendor information received in this manner is current and applicable to their own risk assessment.
Agencies should also ensure that third-party contracts related to cloud solutions (including those relating to assistance completing the Cloud Risk Assessment Tool (Excel 77KB) contain clauses allowing the sharing of Cloud Risk Assessment Tool (Excel 77KB) results within the State Services.
Please contact the ICT Assurance team ICTAssurance@dia.govt.nz for more information.
Documents
Cloud Service Requirements chart –for further information (Word 115KB)
Cloud computing: Information Security and Privacy Considerations – for further information (pdf 196KB)
Cloud Risk Assessment Tool - to be filled out by each agency and sent to the GCIO (Excel 77KB)
Cloud Endorsement by Agency – example of a CE sign off form to be filled in, endorsed and sent in to GCIO (Word 97KB)