New Zealand Government Cloud Computing Security and Privacy Considerations
New Zealand Government Cloud Computing Security and Privacy overview
In October 2015, the New Zealand Government endorsed a revised all-government ICT strategy that reaffirmed its “cloud first” policy on using information technology across the public sector. The revised strategy retains the “Cloud Computing Risk and Assurance Framework” that was developed and implemented under the authority of the NZ Government Chief Information Officer (GCIO).
The government expects all New Zealand State Service agencies to work within this framework when assessing and adopting cloud services. “Requirements for Cloud Computing” outlines what agencies must do when adopting cloud services along with an overview of the history of the government’s cloud policy.
To assist NZ government agencies in conducting consistent and robust due diligence on potential cloud solutions, the GCIO has published “Cloud Computing: Information Security and Privacy Considerations” (the “Cloud Computing ISPC”). This document contains more than 100 questions focused on data sovereignty, privacy, security, governance, confidentiality, data integrity, availability, and incident response and management. Note that “Cloud Computing IPSC” does not define a NZ government standard against which cloud service providers must demonstrate formal compliance. Many of the questions set out in the document do, however, point toward the importance of understanding how cloud service providers comply with a wide array of relevant standards.
Microsoft and New Zealand Government Cloud Computing Security and Privacy Considerations
To help agencies undertake their analysis and evaluation of Microsoft enterprise cloud services, Microsoft New Zealand has produced a series of documents showing how its enterprise cloud services address the questions set out in the “Cloud Computing ISPC” by linking them to the standards against which Microsoft cloud services are certified. These certifications are central to how Microsoft assures both public and private sector customers that its cloud services are designed, built, and operated to effectively mitigate privacy and security risks and address data sovereignty concerns.
Learn about the benefits of NZ CC Framework on the Microsoft Cloud: Download the NZ CC framework backgrounder
Learn how to accelerate your NZ CC Framework deployment with our Azure Security and Compliance Blueprint: Download Azure response to the NZ CC Framework
Microsoft in-scope cloud services
- Azure and Azure Government
- Dynamics 365
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Office 365
- Exchange Online, SharePoint Online, and Skype for Business Online. Microsoft NZ has worked with the GCIO team to develop a reference architecture for integrating Exchange Online and SEEMail described in the white paper Office 365: SEEMail Integration and Reference Architecture
Frequently asked questions
To whom does the framework apply?
Organizations that fall under the GCIO mandate — the public and non-public service departments, the 20 district health boards, and seven Crown entities — must adhere to the framework when they are deciding on the use of a cloud service.
Can my agency use Microsoft’s responses to this framework in the certification process of our ICT systems?
If your agency is required to undertake certification and accreditation of its ICT system under the New Zealand Information Security Manual, then you can use these responses as part of your analysis.
- Security requirements for offshore hosted Office productivity services: conformance guide for Office 365
- Microsoft Azure compliance in the context of New Zealand security and privacy requirements
- NZ Government ICT Strategy 2015
- NZ Government requirements for cloud computing
- Cloud Computing: Information Security and Privacy Considerations (ISPC)
- Microsoft Online Services Terms
- Office 365: SEEMail Integration and Reference Architecture (additional Microsoft NZ guidance on cloud service adoption)
- Compliance on the Microsoft Trust Center
Microsoft responses to “Cloud Computing IPSC”
Download the offering backgrounder
Do you need the backgrounder document for this offering? Download the PDF.