GCIO AoG Cloud Computing: Information Security and Privacy Considerations Self-Help Tool

Cloud Risk Assessment Tool - Index


Further information: Cloud Computing: Information Security and Privacy Considerations document
Further information: Requirements for Cloud Computing webpages

Purpose of this tool

This spreadsheet is a companion tool to the Cloud Computing: Information Security and Privacy Considerations document (see link above), provided as guidance for ALL agencies to help them determine the applicability and selection of cloud-based solutions for ICT projects and business requirements. It should be used in conjunction with that document and the guidance provided on www.digital.govt.nz (see link above). All agencies MUST adhere to these guidelines.

Assessment Tool Index and Navigation Aid

Section  Question  Category                                            Agency to complete  Vendor to complete
3.1      3.1       Value, Criticality and Sensitivity of Information   Y                   N
3.2      3.2       Data Sovereignty                                    Y                   Y
3.3      3.3       Privacy                                             Y                   Y
3.4      3.4       Governance                                          Y                   Y
3.4.1    3.4.1     Terms of Service                                    N                   Y
3.4.2    3.4.2     Compliance                                          Y                   Y
3.5      3.5       Confidentiality                                     Y                   Y
3.5.1    3.5.1     Authentication and Access Control                   Y                   Y
3.5.2    3.5.2     Multi-Tenancy                                       Y                   Y
3.5.3    3.5.3     Standard Operating Environments                     Y                   Y
3.5.4    3.5.4     Patch and Vulnerability Management                  Y                   Y
3.5.5    3.5.5     Encryption                                          Y                   Y
3.5.6    3.5.6     Cloud Service Provider Insider Threat               N                   Y
3.5.7    3.5.7     Data Persistence                                    N                   Y
3.5.8    3.5.8     Physical Security                                   Y                   Y
3.6      3.6       Data Integrity                                      Y                   Y
3.7      3.7       Availability                                        Y                   Y
3.7.1    3.7.1     Service Level Agreement                             Y                   Y
3.7.2    3.7.2     Denial of Service Attacks                           N                   Y
3.7.3    3.7.3     Network Availability and Performance                Y                   N
3.7.4    3.7.4     Business Continuity and Disaster Recovery           Y                   Y
3.8      3.8       Incident Response and Management                    N                   Y

Description of Master Cloud Assessment Tool Fields

Agency / Customer Name: Mandatory field for the name of the agency or other public sector entity sponsoring completion of the Assessment Tool.

Project / Task Ref ID: Optional field for agency or other public sector entity use to record against a formal project or document management schema. Can be quoted as a reference to source the original copy of the Assessment Tool at a later date. This reference may be used multiple times, where a project assesses more than one provider for a requirement.

Vendor / Provider Name: Mandatory field for the name of the company or service/application provider for the specific solution being assessed. This should be the official (trading) name as listed in the Companies Register or equivalent.

Cloud Application / Service Concerned: Mandatory field for the name of the cloud service/application being assessed (e.g. SurveyMonkey, YouTube, Microsoft Azure, etc.).

Section: The section of the Assessment Tool, grouped into subject matter areas. Not grouped into vendor or agency specific questions.

Question No: Question number matches those in the source document Cloud Computing: Information Security and Privacy Considerations, though a number of the original multi-part questions have been separated into sub-questions to allow vendor or agency specific answering (i.e. to reduce duplicate responsibilities for answers).

Question: Textual description of considerations to be assessed for the cloud service, phrased as questions. Aimed at informing agency awareness, information risk assessment and decision making.

Agency/System or Vendor/Provider Response: Response to the issue/consideration raised. Note that due diligence should be applied where appropriate (i.e. providing vendor website links as answers, without evidence or testing of the information, may not be sufficient).

Question References / Sources: Official reference sources are provided here. Where appropriate, links to Internet sources are provided.

AGENCY to complete: Matrix selection value for those questions for agency or system/project manager consideration and answer, based on agency experiences and GCDO recommendation, though both the agency and vendor question matrices can be user customised as required.

VENDOR to complete: Matrix selection value for those questions for the vendor or service provider to consider and answer.

Clarification points: Additional information that aims to clarify or aid readers/assessors with understanding the context and scope of the question/consideration.

Agency Questions / Comments / Requests: Optional. For agency, vendor, or system / service providers to feed back to GCDO any issues or queries concerning the document (either this tool or the original Cloud Computing: Information Security and Privacy Considerations document). Outstanding items may be left until a suitable answer is provided.

Crown copyright ©. This work is licensed under a 'Creative Commons Attribution 4.0 International License'. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to the Department of Internal Affairs, New Zealand Government, and abide by the other licence terms. Please note that neither the Department of Internal Affairs emblem nor the New Zealand Government logo may be used in any way which infringes any provision of the "Flags, Emblems, and Names Protection Act 1981" or would infringe such provision if the relevant use occurred within New Zealand. Attribution to the Department of Internal Affairs should be in written form and not by reproduction of the Department of Internal Affairs emblem or New Zealand Government logo. To view a copy of this licence, visit: http://creativecommons.org/licenses/by/4.0/

Uncontrolled copy as at 12/31/2021 when printed



Cloud Risk Assessment Tool - Instructions



All public cloud computing decisions need to be made in the context of an enterprise-wide ICT assurance view. In the first instance, agencies are expected to adopt Government ICT Common Capabilities if they exist.

This guidance must be followed for all cloud services including new services, Government ICT Common Capabilities, continuation of services and contract renewals. Read the guidance on www.ict.govt.nz (see the link above) regarding the Cloud Computing: Information Security and Privacy Considerations (see the link above) prior to using this tool.

This Cloud Risk Assessment Tool is a replication of the questions in the Cloud Computing: Information Security and Privacy Considerations document (see link above). It is intended to be used in support of the Cloud Service Requirements process chart, though agencies can also use it in support of their own project requirements and processes as appropriate. This tool is designed to assist agencies in collecting the relevant information that will subsequently inform the risk assessment stage of any cloud services selection.

Agencies are to inform GCDO when they use this tool to assess cloud services. The GCDO Government Enterprise Architecture team can provide guidance on the tool's application. Refer also to the Cloud Service Requirements chart for further guidance.

It is expected that agencies will conduct an initial information valuation by completing the first three sections (Questions 1-27) of this Cloud Risk Assessment Tool. This information will assist agencies in understanding the 'information value' to be invested in the target service, notably:

- The classification of the information concerned.
- The confidentiality, integrity and availability of the information concerned.
- The presence of Personally Identifiable Information (PII) - to identify if a Privacy Information Assessment (PIA) is required.
- Sovereignty, commercial, financial or reputational risks.

Dependent upon analysis of the results of the initial agency questions (Questions 1-27) concerning the information/data to be stored, handled and transiting the proposed cloud-based solution, complete the remaining sections of this Cloud Risk Assessment Tool appropriately (i.e. no questions should be ignored, though a number may not be relevant to a particular set of requirements).

Several cloud service vendors have developed standard response documents for the Cloud Computing: Information Security and Privacy Considerations, which can be provided to government agencies upon request. Agencies should approach potential cloud vendors when conducting this assessment.

The GCDO will review the contents of this tool and associated guidance on an ongoing basis, using the results of agencies' cloud assessments and direct feedback. Please submit comments and change requests to GCDO.

Version: v1.1.1 (15 Sep 15). Corrections and minor amendments from v1.1.

Author: Phil Cutforth MBE MSc, AoG Enterprise Architect, DIA SST

Contributors / Reviewers: GCDO thanks Industry suppliers and agencies who have contributed to the development and review of this tool.

Contact Us: For any questions and suggestions for amendments or improvements, email the GCDO team at: [email protected]

Master Document: Cloud Computing: Information Security and Privacy Considerations document

Licence: Crown copyright ©. This work is licensed under a Creative Commons Attribution 4.0 International License. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to the Department of Internal Affairs, New Zealand Government, and abide by the other licence terms. Please note that neither the Department of Internal Affairs emblem nor the New Zealand Government logo may be used in any way which infringes any provision of the "Flags, Emblems, and Names Protection Act 1981" or would infringe such provision if the relevant use occurred within New Zealand. Attribution to the Department of Internal Affairs should be in written form and not by reproduction of the Department of Internal Affairs emblem or New Zealand Government logo. To view a copy of this licence, visit: http://creativecommons.org/licenses/by/4.0/




(Complete and submit to [email protected])

Agency / Customer Name:            Project / Task Ref ID:
Vendor / Provider Name:            Cloud Application / Service:

Columns: Section | Question No | Question | Agency/Project or Vendor/Provider Response | Question References / Sources | AGENCY to complete | VENDOR to complete | Clarification points | Agency Questions / Comments / Requests
3.1  Value, Criticality and Sensitivity of Information

3.1  1      Who is the business owner of the information?  [Agency: Y | Vendor: N]
3.1  2      What are the business processes that are supported by the information?  [Agency: Y | Vendor: N]
3.1  3      What is the security classification of the information based on the NZ government guidelines for protection of official information?  [Agency: Y | Vendor: N]
            References: 1. Protective Security Requirements (PSR), http://protectivesecurity.govt.nz/home/what-you-need-to-know/; 2. NZ Information Security Manual (ISM), http://www.gcsb.govt.nz/news/the-nz-information-security-manual/; 3. DPMC - Treatment of information classified as "Sensitive" or endorsed "Special Handling Required", http://www.dpmc.govt.nz/cabinet/circulars/co08/1
3.1  4      Are there any specific concerns related to the confidentiality of the information that will be stored or processed by the cloud service?  [Agency: Y | Vendor: N]
3.1  5      Does the data include any personal information?  [Agency: Y | Vendor: N]
            References: Privacy Act 2020; Public Records Act 2005
3.1  6      Who are the users of the information?  [Agency: Y | Vendor: N]
3.1  7      What permissions do the users require to the information? (i.e. read, write, modify and/or delete)  [Agency: Y | Vendor: N]
3.1  8      What legislation applies to the information? (e.g. Privacy Act 2020, Official Information Act 1982, Public Records Act 2005)  [Agency: Y | Vendor: N]
            References: Privacy Act 2020; Public Records Act 2005; Official Information Act 1982
3.1  9      What contractual obligations apply to the information? (e.g. Payment Card Industry Data Security Standard (PCI DSS))  [Agency: Y | Vendor: N]
3.1  10     What would the impact on the business be if the information was disclosed in an unauthorised manner?  [Agency: Y | Vendor: N]
            Clarification: Consider disclosures that would adversely affect government credibility and citizen trust. Also consider the financial, operational and IPR impact.
3.1  11     What would the impact on the business be if the integrity of the information was compromised?  [Agency: Y | Vendor: N]
3.1  12     Does the agency have incident response and management plans in place to minimise the impact of an unauthorised disclosure?  [Agency: Y | Vendor: N]
            Clarification: Incident Response and Management plans that cover all relevant aspects of operational, security, and service problem incidents should be considered.
3.1  13     What would the impact on the business be if the information were unavailable?  [Agency: Y | Vendor: N]
            Clarification: See also Q92.
3.1  13.a   What is the maximum amount of data loss that can be tolerated after a disruption has occurred?  [Agency: Y | Vendor: N]
            Clarification: This can be used to define the 'Recovery Point Objective'.
3.1  13.b   What is the maximum period of time before which the minimum levels of services must be restored after a disruption has occurred?  [Agency: Y | Vendor: N]
            Clarification: This can be used to define the 'Recovery Time Objective'.
3.1  13.c   What is the maximum period of time before which the full service must be restored to avoid permanently compromising the business objectives?  [Agency: Y | Vendor: N]
            Clarification: This can be used to define the 'Acceptable Interruption Window'.

3.2  Data Sovereignty

3.2  14     Where is the registered head office of the service provider?  [Agency: N | Vendor: Y]
3.2  15     Which countries are the cloud services delivered from?  [Agency: N | Vendor: Y]
3.2  16     In which legal jurisdictions will the agency’s data be stored and processed?  [Agency: N | Vendor: Y]
3.2  17     Does the service provider allow its customers to specify the locations where their data can and cannot be stored and processed?  [Agency: N | Vendor: Y]
3.2  18     Does the service have any dependency on any third parties (e.g. outsourcers, subcontractors or another service provider) that introduce additional jurisdictional risks? If yes, ask the service provider to provide the following details for each third party involved in the delivery of the service:  [Agency: N | Vendor: Y]
3.2  18.a   The registered head office of the third party;  [Agency: N | Vendor: Y]
3.2  18.b   The country or countries that their services are delivered from; and  [Agency: N | Vendor: Y]
3.2  18.c   The access that they have to client data stored, processed and transmitted by the cloud service.  [Agency: N | Vendor: Y]
3.2  19     Have the laws of the country or countries where the data will be stored and processed been reviewed to assess how they could affect the security and/or privacy of the information?  [Agency: Y | Vendor: Y]
3.2  20     Do the laws actually apply to the service provider and/or its customer’s information? (e.g. some privacy laws exempt certain types of businesses or do not apply to the personal information of foreigners.)  [Agency: Y | Vendor: N]
3.2  21     Do the applicable privacy laws provide an equivalent, or stronger, level of protection than the Privacy Act 2020?  [Agency: Y | Vendor: N]
            References: Privacy Act 2020
3.2  21.a   If no, are customers able to negotiate with the service provider to ensure that the equivalent privacy protections are specified in the contract?  [Agency: N | Vendor: Y]
3.2  22     How does the service provider deal with requests from government agencies to access customer information?  [Agency: N | Vendor: Y]

3.2  22.a   Do they only disclose information in response to a valid court order?  [Agency: N | Vendor: Y]
3.2  22.b   Do they inform their customers if they have to disclose information in response to such a request?  [Agency: N | Vendor: Y]
3.2  22.c   Are they prevented from informing customers that they have received a court order requesting access to their information?  [Agency: N | Vendor: Y]

3.3  Privacy

3.3  23     Does the data that will be stored and processed by the cloud service include personal information as defined in the Privacy Act 2020? If no, skip to question 28.  [Agency: Y | Vendor: N]
            References: Privacy Act 2020
3.3  24     Has a PIA been completed that identifies the privacy risks associated with the use of the cloud service together with the controls required to effectively manage them?  [Agency: Y | Vendor: N]
3.3  25     Is the service provider’s use of personal information clearly set out in its privacy policy?  [Agency: N | Vendor: Y]
3.3  25.a   Is the service provider's privacy policy consistent with the agency’s business requirements?  [Agency: Y | Vendor: N]
3.3  26     Does the service provider notify its customers if their data is accessed by, or disclosed to, an unauthorised party?  [Agency: N | Vendor: Y]
3.3  26.a   Does the service provider's notification of unauthorised customer data access or disclosure include sufficient information to support cooperation with an investigation by the Privacy Commissioner?  [Agency: Y | Vendor: N]
            Clarification: GCPO can provide advice on what constitutes 'sufficient information' on a case-by-case (project specific) basis.
3.3  27     Who can the agency, its staff and/or customers complain to if there is a privacy breach?  [Agency: N | Vendor: Y]

3.4  Governance
3.4.1  Terms of Service

3.4.1  28   Does the service provider negotiate contracts with their customers or must they accept a standard Terms of Service?  [Agency: N | Vendor: Y]
            Clarification: Depending on the information risk assessment for this Cloud Service, generic or non-contractual Terms of Service should be avoided where they cannot be tested, proved or assured by the agency.
3.4.1  29   Do the service provider’s Terms of Service and SLA clearly define how the service protects the confidentiality, integrity and availability of all customer information entrusted to them, especially official information, and the privacy of all personally identifiable information?  [Agency: N | Vendor: Y]
            Clarification: Wording amended slightly to emphasise the requirement for Service Providers to adequately provide for the confidentiality (including privacy), integrity and availability of all information that government agencies entrust to them.
3.4.1  30   Does the service provider’s Terms of Service specify that the agency will retain ownership of its data?  [Agency: N | Vendor: Y]
3.4.1  31   Will the service provider use the data for any purpose other than the delivery of the service?  [Agency: N | Vendor: Y]
3.4.1  32   Is the service provider’s service dependent on any third-party services?  [Agency: N | Vendor: Y]

3.4.2  Compliance

3.4.2  33   Does the service provider’s Terms of Service allow the agency to directly audit the implementation and management of the security measures that are in place to protect the service and the data held within it?  [Agency: N | Vendor: Y]
3.4.2  33.a If yes, does this include performing vulnerability scans and penetration testing of the service and the supporting infrastructure?  [Agency: N | Vendor: Y]
3.4.2  33.b If no, does the service provider undergo formal regular assessment against an internationally recognised information security standard or framework by an independent third party? (E.g. are they certified as being compliant with ISO/IEC 27001? Have they undergone an ISAE 3402 SOC 2 Type II assessment?)  [Agency: N | Vendor: Y]
3.4.2  34   Will the service provider allow the agency to thoroughly review recent audit reports before signing up for service? (E.g. will the service provider provide the Statement of Applicability together with a copy of the full audit reports from their external auditor, and the results of any recent internal audits?)  [Agency: N | Vendor: Y]
3.4.2  35   Will the service provider enable potential customers to perform reference checks by providing the contact details of two or more of its current customers?  [Agency: N | Vendor: Y]
            Clarification: This is something that will need to be handled on a case-by-case basis; for example, it will depend on whether the current customer will allow the direct contact.
3.4.2  36   Is there a completed CAIQ or CMM report for the service provider in the CSA STAR?  [Agency: N | Vendor: Y]
3.4.2  37   Has the service provider undergone a CSA STAR Certification and/or Attestation?  [Agency: N | Vendor: Y]
3.4.3  37.a Have they published the outcome of the audit?  [Agency: N | Vendor: Y]
3.4.2  38   Has the service provider published a completed Cloud Computing Code of Practice?  [Agency: N | Vendor: Y]
3.4.2  39   What additional assurance activities must be performed to complete the certification and accreditation of the cloud service?  [Agency: Y | Vendor: N]
            Clarification: Although there may be some activities required of the vendor, the agency has the lead responsibility for defining the actions required to achieve C&A, in line with the agency's own C&A process and policies.

3.5  Confidentiality
3.5.1  Authentication and Access Control

3.5.1  40   Does the agency have an identity management strategy that supports the adoption of cloud services?  [Agency: Y | Vendor: N]
3.5.1  40.a If yes, does the cloud service support the agency’s identity management strategy?  [Agency: N | Vendor: Y]
3.5.1  41   Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycle?  [Agency: Y | Vendor: Y]
            Clarification: These questions concern the agency's ability to control exposure of its internal identity registries and to expose to a Cloud Service only those users and credentials required for that service. If not, then the impact should be included in the agency's risk assessment.
3.5.1  42   Is there an effective audit process that is actioned at regular intervals to ensure that user accounts are appropriately managed and protected?  [Agency: Y | Vendor: Y]
3.5.1  43   Have the controls required to manage the risks associated with the ubiquitous access provided by the cloud been identified?  [Agency: Y | Vendor: Y]
            References: NZISM; PSR; CSA
3.5.1  43.a Does the cloud service meet those control requirements?  [Agency: Y | Vendor: N]
3.5.1  44   Are all passwords, especially those of system/service administrators, encrypted in accordance with NZISM complexity requirements?  [Agency: Y | Vendor: Y]
            References: NZISM
3.5.1  45   Is there a higher level of assurance required that the party asserting an identity is the authorised user of the account when authenticating to the service? (I.e. is multi-factor authentication necessary?)  [Agency: Y | Vendor: Y]

3.5.2  Multi-Tenancy

3.5.2  46   Will the service provider allow the agency to review a recent third-party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of the security controls and practices related to virtualisation and separation of customers’ data?  [Agency: N | Vendor: Y]
3.5.2  47   Will the service provider permit customers to undertake security testing (including penetration tests) to assess the efficacy of the access controls used to enforce separation of customers’ data?  [Agency: N | Vendor: Y]
3.5.2  48   Do the service provider’s customer registration processes provide an appropriate level of assurance in line with the value, criticality and sensitivity of the information to be placed in the cloud service?  [Agency: Y | Vendor: Y]
            Clarification: As part of its risk assessment, an agency should consider what other customers share a multi-tenancy service and the level of assurance for separation or partitioning the provider will provide.

3.5.3  Standard Operating Environments

3.5.3  49   Are there appropriate build and hardening standards defined and documented for the service components the agency is responsible for managing?  [Agency: Y | Vendor: N]
            References: NZISM
3.5.3  50   Can the agency deploy operating systems and applications in accordance with internal build or hardening standards?  [Agency: Y | Vendor: N]
            References: NZISM
3.5.3  50.a If no, does the service provider have appropriate build and hardening standards that meet the agency’s security requirements?  [Agency: N | Vendor: Y]
            References: NZISM
3.5.3  50.b Does the virtual image include a host-based firewall configured to only allow the ingress and egress (inbound and outbound) traffic necessary to support the service?  [Agency: N | Vendor: Y]
            References: NZISM
3.5.3  50.c Does the service provider allow host-based intrusion detection and prevention (IDS/IDP) agents to be installed within the virtual machines?  [Agency: N | Vendor: Y]
            References: NZISM
3.5.3  51   Does the service provider perform regular tests of its security processes and controls?  [Agency: N | Vendor: Y]
            References: NZISM
            Clarification: Includes penetration testing, operational (process) controls testing, as well as other forms of testing.
3.5.3  51.a Will they provide customers with a copy of the associated reports?  [Agency: N | Vendor: Y]
3.5.3  52   Can a penetration test of the service be performed to ensure that it has been securely deployed?  [Agency: N | Vendor: Y]
            References: NZISM
            Clarification: Refers to the agency/customer performing (or commissioning a third party to perform) a penetration test of the provider's environment. This should cover the transit, transport, storage and processing of the customer data/information involved.

3.5.4  Patch and Vulnerability Management

3.5.4  53   Is the service provider responsible for patching all components that make up the cloud service?  [Agency: N | Vendor: Y]
3.5.4  53.a If the service provider is NOT responsible for patching all components that make up the cloud service, has the agency identified which components the service provider is responsible for and which it is responsible for?  [Agency: Y | Vendor: N]
3.5.4  54   Does the service provider’s Terms of Service or SLA include service levels for patch and vulnerability management that include a defined maximum exposure window?  [Agency: N | Vendor: Y]

3.5.4  55   Does the agency currently have an effective patch and vulnerability management process?  [Agency: Y | Vendor: N]
3.5.4  56   Has the agency ensured that all of the components that it is responsible for have been incorporated into its patch and vulnerability management process?  [Agency: Y | Vendor: N]
3.5.4  57   Is the agency subscribed to, or monitoring, appropriate sources for vulnerability and patch alerts for the components that it is responsible for?  [Agency: Y | Vendor: N]
3.5.4  58   Does the service provider allow its customers to perform regular vulnerability assessments?  [Agency: N | Vendor: Y]
3.5.4  59   Do the Terms of Service or SLA include a compensation clause for breaches caused by vulnerabilities in the service?  [Agency: N | Vendor: Y]
3.5.4  59.a If the Terms of Service or SLA include a compensation clause for breaches caused by vulnerabilities in the service, do they provide an adequate level of compensation should a breach occur?  [Agency: Y | Vendor: N]
            Clarification: Publicly available data on the cost of various data compromise scenarios can be used to estimate the cost of a potential breach.

3.5.5  Encryption

3.5.5  60   Have requirements for the encryption of the information that will be placed in the cloud service been determined?  [Agency: Y | Vendor: N]
3.5.5  61   Does the cloud service use only approved encryption protocols and algorithms (as defined in the NZISM)?  [Agency: Y | Vendor: Y]
            References: NZISM
3.5.5  62   Which party is responsible for managing the cryptographic keys?  [Agency: Y | Vendor: Y]
3.5.5  63   Does the party responsible for managing the cryptographic keys have a key management plan that meets the requirements defined in the NZISM?  [Agency: Y | Vendor: Y]
            References: NZISM

3.5.6  Cloud Service Provider Insider Threat

3.5.6  64   Does the service provider undertake appropriate pre-employment vetting for all staff that have access to customer data?  [Agency: N | Vendor: Y]
3.5.6  64.a Does the service provider perform on-going checks during the period of employment?  [Agency: N | Vendor: Y]
3.5.6  65   If the service provider is dependent on a third party to deliver any part of their service, does the third party undertake appropriate pre-employment vetting for all staff that have access to customer data?  [Agency: N | Vendor: Y]
3.5.6  66   Does the service provider have a SIEM service that logs and monitors all logical access to customer data?  [Agency: N | Vendor: Y]
3.5.6  67   Does the service provider enforce separation of duties to ensure that audit logs are protected against unauthorised modification and deletion?  [Agency: N | Vendor: Y]
3.5.6  68   Do the Terms of Service or SLA require the service provider to report unauthorised access to customer data by its employees?  [Agency: N | Vendor: Y]
3.5.6  68.a If yes, is the service provider required to provide details about the incident to affected customers to enable them to assess and manage the associated impact?  [Agency: N | Vendor: Y]

3.5.7  Data Persistence

3.5.7  69   Does the service provider have an auditable process for the secure sanitisation of storage media before it is made available to another customer?  [Agency: N | Vendor: Y]
3.5.7  70   Does the service provider have an auditable process for secure disposal or destruction of ICT equipment and storage media (e.g. hard disk drives, backup tapes, etc.) that contain customer data?  [Agency: N | Vendor: Y]

3.5.8  Physical Security

3.5.8  71   If it is practical to do so (i.e. the datacentre is within New Zealand), can the service provider’s physical security controls be directly reviewed or assessed by the agency? If no, will the service provider allow the agency to review a recent third-party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of their physical security controls?  [Agency: N | Vendor: Y]
3.5.8  71.a If no, will the service provider allow the agency to review a recent third-party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of their physical security controls?  [Agency: N | Vendor: Y]
3.5.8  72   Do the service provider’s physical security controls meet the minimum requirements as defined in the New Zealand government’s security guidelines to protect the information stored in the cloud service?  [Agency: Y | Vendor: N]

3.6  Data Integrity

3.6  73     Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption? If not, do they offer data backup or archiving services as an additional service offering to protect against data loss and corruption?  [Agency: N | Vendor: Y]
3.6  74     How are data backup and archiving services provided?  [Agency: N | Vendor: Y]
3.6  75     Does the SLA specify the data backup schedule?  [Agency: N | Vendor: Y]

3.6 | 76 | Does the data backup or archiving service ensure that business requirements related to protection against data loss are met? (I.e. does the service support the business Recovery Point Objective?) | Agency: Y | Vendor: N
3.6 | 77 | What level of granularity does the service provider offer for data restoration? | Agency: Y | Vendor: Y
3.6 | 78 | What is the service provider’s process for initiating a restore? | Agency: N | Vendor: Y
3.6 | 79 | Does the service provider regularly perform test restores to ensure that data can be recovered from backup media? | Agency: N | Vendor: Y
3.6 | 80 | Does the agency need to implement a data backup strategy to ensure that it can recover from an incident that leads to data loss or corruption? | Agency: Y | Vendor: N | Clarification: This is potentially a hidden additional cost. Is the data backup stored within agency resources, or with a second vendor that has no common points of failure with the cloud vendor?
3.6 | 81 | Does the proposed data backup and archiving strategy support the agency in meeting its obligations under the Public Records Act and Official Information Act? | Agency: Y | Vendor: N | References: Public Records Act 2005, Official Information Act 1982
3.7 Availability

3.7.1 Service Level Agreement

3.7.1 | 82 | Does the SLA include an expected and minimum availability performance percentage over a clearly defined period? | Agency: N | Vendor: Y | Clarification: Availability may be affected by multiple factors, such as technical issues, faulty vendor hardware/software, facility issues (power loss) and deliberate attacks.
3.7.1 | 82.a | If the SLA includes an expected and minimum availability performance percentage over a clearly defined period, are the agency's business requirements for availability met? (I.e. does the service support the business’s Recovery Time Objective and Acceptable Interruption Window?) | Agency: Y | Vendor: N
3.7.1 | 83 | Does the SLA include defined, scheduled outage windows? | Agency: N | Vendor: Y
3.7.1 | 83.a | If the SLA includes defined, scheduled outage windows, do the specified outage windows affect New Zealand business operations? | Agency: Y | Vendor: N | Clarification: Consider the agency's business operating hours and the criticality of systems that require 24/7 support.
3.7.1 | 83.b | If the SLA does NOT include defined, scheduled outage windows, has the service provider implemented technologies that enable them to perform maintenance activities without the need for an outage? | Agency: N | Vendor: Y
3.7.1 | 84 | Does the SLA include a compensation clause for a breach of the guaranteed availability percentages? | Agency: N | Vendor: Y
3.7.1 | 84.a | If the SLA includes a compensation clause for a breach of the guaranteed availability percentages, does this provide an adequate level of compensation should the service provider breach the SLA? | Agency: Y | Vendor: N
3.7.2 Denial of Service Attacks

3.7.2 | 85 | Does the service provider utilise protocols and technologies that can protect against DDoS attacks? | Agency: N | Vendor: Y
3.7.2 | 85.a | If yes, does enabling the service provider’s DDoS protection services affect the answer to questions 15, 16 and 17? | Agency: N | Vendor: Y
3.7.2 | 86 | Can the agency specify or configure resource usage limits to protect against DDoS/bill shock? | Agency: N | Vendor: Y

3.7.3 Network Availability and Performance

3.7.3 | 87 | Do the network services directly managed, or subscribed to, by the agency provide an adequate level of availability? | Agency: Y | Vendor: N | Clarification: These questions concern the network connectivity (local network and telecommunications circuits/cables) between agency users and the cloud vendor's facilities. This should be considered in an end-to-end scenario.
3.7.3 | 88 | Do the network services directly managed, or subscribed to, by the agency provide an adequate level of redundancy/fault tolerance? | Agency: Y | Vendor: N
3.7.3 | 89 | Do the network services directly managed, or subscribed to, by the agency provide an adequate level of bandwidth (network throughput)? | Agency: Y | Vendor: N
3.7.3 | 90 | Is the latency between the agency network(s) and the service provider’s service at levels acceptable to achieve the desired user experience? | Agency: Y | Vendor: N
3.7.3 | 90.a | If no, is the latency occurring on the network services directly managed, or subscribed to, by the agency? | Agency: Y | Vendor: N
3.7.3 | 90.b | Can the issue be resolved either by the network service provider or the agency? | Agency: Y | Vendor: N
3.7.3 | 91 | Is the packet loss between the agency network(s) and the service provider’s service at levels acceptable to achieve the desired user experience? | Agency: Y | Vendor: N
3.7.3 | 91.a | If no, is the packet loss occurring on the network services directly managed, or subscribed to, by the agency? | Agency: Y | Vendor: N
3.7.3 | 91.b | Can the issue be resolved either by the network service provider or the agency? | Agency: Y | Vendor: N

3.7.4 Business Continuity and Disaster Recovery

3.7.4 | 92 | Does the service provider have business continuity and disaster recovery plans? | Agency: N | Vendor: Y
3.7.4 | 93 | Will the service provider permit the agency to review its business continuity and disaster recovery plans? | Agency: N | Vendor: Y
3.7.4 | 94 | Do the service provider’s plans cover the recovery of the agency data or only the restoration of the service? | Agency: N | Vendor: Y
3.7.4 | 95 | If the service provider’s plans cover the restoration of agency data, is the recovery of customer data prioritised? | Agency: N | Vendor: Y
3.7.4 | 95.a | If so, how? Are customers prioritised based on size and contract value? | Agency: N | Vendor: Y
3.7.4 | 96 | Does the service provider formally test its business continuity and disaster recovery plans on a regular basis? | Agency: N | Vendor: Y
3.7.4 | 96.a | If yes, how regularly are such tests performed? | Agency: N | Vendor: Y
3.7.5 | 96.b | Will they provide customers with a copy of the associated reports? | Agency: N | Vendor: Y
3.7.4 | 97 | Does the agency have its own business continuity and disaster recovery plan in place to ensure that it can recover from a service outage, or from the service provider going out of business or withdrawing the service? | Agency: Y | Vendor: N
3.7.4 | 98 | Does the agency require its own data backup strategy to ensure that it can recover from a service outage, or from the service provider going out of business or withdrawing the service? | Agency: Y | Vendor: N
3.7.4 | 99 | Are the backups (whether performed by the service provider or the agency) encrypted using an approved encryption algorithm and appropriate key length? | Agency: Y | Vendor: Y
3.8 Incident Response and Management

3.8 | 100 | Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents? | Agency: N | Vendor: Y
3.8 | 100.a | If yes, will they provide the agency with a copy of their process and plans to enable it to determine if they are sufficient? | Agency: N | Vendor: Y
3.8 | 101 | Does the service provider test and refine its incident response and management process and plans on a regular basis? | Agency: N | Vendor: Y
3.8 | 102 | Does the service provider engage its customers when testing its incident response and management processes and plans? | Agency: N | Vendor: Y
3.8 | 103 | Does the service provider provide its staff with appropriate training on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner? | Agency: N | Vendor: Y
3.8 | 104 | Does the service provider’s Terms of Service or SLA clearly define the support they will provide to the agency should an information security incident arise? For example, does the service provider: | Agency: N | Vendor: Y
3.8 | 104.a | Notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported? | Agency: N | Vendor: Y
3.8 | 104.b | Specify a point of contact and channel for customers to report suspected information security incidents? | Agency: N | Vendor: Y
3.8 | 104.c | Define the roles and responsibilities of each party during an information security incident? | Agency: N | Vendor: Y
3.8 | 104.d | Provide customers with access to evidence (e.g. time-stamped audit logs and/or forensic snapshots of virtual machines etc.) to enable them to perform their own investigation of the incident? | Agency: N | Vendor: Y
3.8 | 104.e | Provide sufficient information to enable the agency to cooperate effectively with an investigation by a regulatory body, such as the Privacy Commissioner or the Payment Card Industry Security Standards Council (PCI SSC)? | Agency: N | Vendor: Y
3.8 | 104.f | Define which party is responsible for the recovery of data and services after an information security incident has occurred? | Agency: N | Vendor: Y
3.8 | 104.g | Share post-incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the cloud service? | Agency: N | Vendor: Y
3.8 | 104.h | Specify in the contract limits and provisions for insurance, liability and indemnity for information security incidents? (Note: it is recommended that agencies carefully review liability and indemnity clauses for exclusions.) | Agency: N | Vendor: Y
3.8 | 105 | Do the service provider’s incident response and management procedures map to (or fit with) the agency's internal policy and procedures, so that they do not hinder or delay the agency's ability to manage incidents in a timely and effective manner? | Agency: Y | Vendor: N