New Zealand Government Cloud Computing Security and Privacy Considerations

New Zealand Government Cloud Computing Security and Privacy overview

In October 2015, the New Zealand Government endorsed a revised all-government ICT strategy that reaffirmed its “cloud first” policy on using information technology across the public sector. The revised strategy retains the “Cloud Computing Risk and Assurance Framework” that was developed and implemented under the authority of the NZ Government Chief Information Officer (GCIO).

The government expects all New Zealand State Service agencies to work within this framework when assessing and adopting cloud services. “Requirements for Cloud Computing” outlines what agencies must do when adopting cloud services along with an overview of the history of the government’s cloud policy.

To assist NZ government agencies in conducting consistent and robust due diligence on potential cloud solutions, the GCIO has published “Cloud Computing: Information Security and Privacy Considerations” (the “Cloud Computing ISPC”). This document contains more than 100 questions focused on data sovereignty, privacy, security, governance, confidentiality, data integrity, availability, and incident response and management. Note that “Cloud Computing IPSC” does not define a NZ government standard against which cloud service providers must demonstrate formal compliance. Many of the questions set out in the document do, however, point toward the importance of understanding how cloud service providers comply with a wide array of relevant standards.

Microsoft and New Zealand Government Cloud Computing Security and Privacy Considerations

To help agencies undertake their analysis and evaluation of Microsoft enterprise cloud services, Microsoft New Zealand has produced a series of documents showing how its enterprise cloud services address the questions set out in the “Cloud Computing ISPC” by linking them to the standards against which Microsoft cloud services are certified. These certifications are central to how Microsoft assures both public and private sector customers that its cloud services are designed, built, and operated to effectively mitigate privacy and security risks and address data sovereignty concerns.

Learn about the benefits of NZ CC Framework on the Microsoft Cloud: Download the NZ CC framework backgrounder

Learn how to accelerate your NZ CC Framework deployment with our Azure Security and Compliance Blueprint: Download Azure response to the NZ CC Framework

Microsoft in-scope cloud services

Frequently asked questions

To whom does the framework apply?

Organizations that fall under the GCIO mandate — the public and non-public service departments, the 20 district health boards, and seven Crown entities — must adhere to the framework when they are deciding on the use of a cloud service.

Can my agency use Microsoft’s responses to this framework in the certification process of our ICT systems?

If your agency is required to undertake certification and accreditation of its ICT system under the New Zealand Information Security Manual, then you can use these responses as part of your analysis.

Resources

Microsoft responses to “Cloud Computing IPSC”

Download the offering backgrounder

Do you need the backgrounder document for this offering? Download the PDF.