New Zealand Government Cloud Computing Security and Privacy Considerations
In October 2015, the New Zealand Government endorsed a revised all-government ICT strategy that reaffirmed its “cloud first” policy on using information technology across the public sector. The revised strategy retains the “Cloud Computing Risk and Assurance Framework” that was developed and implemented under the authority of the NZ Government Chief Information Officer (GCIO).
The government expects all New Zealand State Service agencies to work within this framework when assessing and adopting cloud services. “Requirements for Cloud Computing” outlines what agencies must do when adopting cloud services along with an overview of the history of the government’s cloud policy.
To assist NZ government agencies in conducting consistent and robust due diligence on potential cloud solutions, the GCIO has published “Cloud Computing: Information Security and Privacy Considerations” (the “Cloud Computing ISPC”). This document contains more than 100 questions focused on data sovereignty, privacy, security, governance, confidentiality, data integrity, availability, and incident response and management. Note that the “Cloud Computing ISPC” does not define a NZ government standard against which cloud service providers must demonstrate formal compliance. Many of the questions set out in the document do, however, point toward the importance of understanding how cloud service providers comply with a wide array of relevant standards.
To help agencies undertake their analysis and evaluation of Microsoft enterprise cloud services, Microsoft New Zealand has produced a series of documents showing how its enterprise cloud services address the questions set out in the “Cloud Computing ISPC” by linking them to the standards against which Microsoft cloud services are certified. These certifications are central to how Microsoft assures both public and private sector customers that its cloud services are designed, built, and operated to effectively mitigate privacy and security risks and address data sovereignty concerns.
Frequently asked questions
Organizations that fall under the GCIO mandate—the public and non-public service departments, the 20 district health boards, and seven Crown entities—must adhere to the framework when they are deciding on the use of a cloud service. The complete list of agencies mandated to follow the framework is available on the ICT Assurance Scope page. The government expects other State Service Agencies to follow this framework as well.
If your agency is required to undertake certification and accreditation of its ICT system under the New Zealand Information Security Manual, then you can use these responses as part of your analysis.
Microsoft in-scope cloud services
Covered services include:
- Virtual Machines, Cloud Services, Batch, Web Apps (formerly Web Sites), Mobile Apps (formerly Mobile Services), Notification Hub, Storage, SQL Database, HDInsight, Virtual Network, Traffic Manager, ExpressRoute, Service Bus, BizTalk Services, Active Directory, Multi-Factor Authentication, Rights Management Service, Media Services, Scheduler
- Dynamics 365 detailed list
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Exchange Online, SharePoint Online, and Skype for Business Online. (Note that Microsoft NZ has worked with the GCIO team to develop a reference architecture for integrating Exchange Online and SEEMail, described in the white paper Office 365: SEEMail Integration and Reference Architecture.)
- Security requirements for offshore hosted Office productivity services: conformance guide for Office 365
- Microsoft Azure compliance in the context of New Zealand security and privacy requirements
- NZ Government ICT Strategy 2015
- NZ Government requirements for cloud computing
- Cloud Computing: Information Security and Privacy Considerations (ISPC)
- Microsoft Online Services Terms
- Office 365: SEEMail Integration and Reference Architecture (additional Microsoft NZ guidance on cloud service adoption)