
GCIO AoG Cloud Computing: Information Security and Privacy Considerations Self-Help Tool

Further information: Cloud Computing: Information Security and Privacy Considerations document
Further information: Requirements for Cloud Computing webpages

Purpose of this tool


This spreadsheet is a companion tool to the Cloud Computing: Information Security and Privacy Considerations document (see link above), provided as guidance for ALL agencies to help them determine the applicability and selection of cloud-based solutions for ICT projects and business requirements. It should be used in conjunction with that document and the guidance provided on www.ict.govt.nz (see link above). All agencies MUST adhere to these guidelines.

Assessment Tool Index and Navigation Aid

Section | Question | Category | Agency to complete | Vendor to complete
3.1 3.1 Value, Criticality and Sensitivity of Information Y N
3.2 3.2 Data Sovereignty Y Y
3.3 3.3 Privacy Y Y
3.4 3.4 Governance Y Y
3.4.1 3.4.1 Terms of Service N Y
3.4.2 3.4.2 Compliance Y Y
3.5 3.5 Confidentiality Y Y
3.5.1 3.5.1 Authentication and Access Control Y Y
3.5.2 3.5.2 Multi-Tenancy Y Y
3.5.3 3.5.3 Standard Operating Environments Y Y
3.5.4 3.5.4 Patch and Vulnerability Management Y Y
3.5.5 3.5.5 Encryption Y Y
3.5.6 3.5.6 Cloud Service Provider Insider Threat N Y
3.5.7 3.5.7 Data Persistence N Y
3.5.8 3.5.8 Physical Security Y Y
3.6 3.6 Data Integrity Y Y
3.7 3.7 Availability Y Y
3.7.1 3.7.1 Service Level Agreement Y Y
3.7.2 3.7.2 Denial of Service Attacks N Y
3.7.3 3.7.3 Network Availability and Performance Y N
3.7.4 3.7.4 Business Continuity and Disaster Recovery Y Y
3.8 3.8 Incident Response and Management N Y

Description of Master Cloud Assessment Tool Fields


Agency / Customer Name: Mandatory field for the name of the agency or other public sector entity sponsoring completion of the Assessment Tool.

Project / Task Ref ID: Optional field for agency or other public sector entity use to record against a formal project or document management schema. It can be quoted as a reference to source the original copy of the Assessment Tool at a later date. This reference may be used multiple times where a project assesses more than one provider for a requirement.

Vendor / Provider Name: Mandatory field for the name of the company or service/application provider for the specific solution being assessed. This should be the official (trading) name as listed in the Companies Register or equivalent.

Cloud Application / Service Concerned: Mandatory field for the name of the cloud service/application being assessed (eg. SurveyMonkey, YouTube, Microsoft Azure, etc).

Section: The section of the Assessment Tool, grouped into subject matter areas. Not grouped into vendor or agency specific questions.

Question No: The question number matches those in the source document Cloud Computing: Information Security and Privacy Considerations, though a number of the original multi-part questions have been separated into sub-questions to allow vendor or agency specific answering (ie. to reduce duplicate responsibilities for answers).

Question: Textual description of considerations to be assessed for the cloud service, phrased as questions. Aimed at informing agency awareness, information risk assessment and decision making.

Agency/System or Vendor/Provider Response: Response to the issue/consideration raised. Note that due diligence should be applied where appropriate (ie. providing vendor website links as answers without evidence/testing of the information may not be sufficient).

Question References / Sources: The source of official references is provided here. Where appropriate, links to Internet sources are provided.

AGENCY to complete: Matrix selection value marking those questions for agency or system/project manager consideration and answer, based on agency experiences and GCIO recommendation. Both the agency and vendor question matrices can be user customised as required.

VENDOR to complete: Matrix selection value marking those questions for the vendor or service provider to consider and answer.

Clarification points: Additional information that aims to clarify or aid readers/assessors with understanding the context and scope of the question/consideration.

Agency Questions / Comments / Requests: Optional. For agency, vendor, or system / service providers to feed back to GCIO any issues or queries concerning the document (either this tool or the original Cloud Computing: Information Security and Privacy Considerations document). Outstanding items may be left until a suitable answer is provided.

Crown copyright ©. This work is licensed under a 'Creative Commons Attribution 4.0 International License'. In essence, you are free to copy, distribute and
adapt the work, as long as you attribute the work to the Department of Internal Affairs, New Zealand Government, and abide by the other licence terms. Please
note that neither the Department of Internal Affairs emblem nor the New Zealand Government logo may be used in any way which infringes any provision of
the "Flags, Emblems, and Names Protection Act 1981" or would infringe such provision if the relevant use occurred within New Zealand. Attribution to the
Department of Internal Affairs should be in written form and not by reproduction of the Department of Internal Affairs emblem or New Zealand Government
logo. To view a copy of this licence, visit: http://creativecommons.org/licenses/by/4.0/

Uncontrolled copy as at 01/04/2021 when printed



Cloud Risk Assessment Tool - Instructions



All public cloud computing decisions need to be made in the context of an enterprise-wide ICT assurance view. In the first instance, agencies are expected to adopt Government ICT Common Capabilities if they exist. This guidance must be followed for all cloud services, including new services, Government ICT Common Capabilities, continuation of services and contract renewals. Read the guidance on www.ict.govt.nz and the Cloud Computing: Information Security and Privacy Considerations document (see the links above) prior to using this tool.

This Cloud Risk Assessment Tool is a replication of the questions in the Cloud Computing: Information Security and
Privacy Considerations document (see link above). It is intended to be used in support of the Cloud Service
Requirements process chart, though agencies can also use it in support of their own project requirements and
processes as appropriate. This tool is designed to assist agencies in collecting the relevant information that will
subsequently inform the risk assessment stage of any cloud services selection.

Agencies are to inform GCIO when they use this tool to assess cloud services. The GCIO Government Enterprise Architecture team can provide guidance on the tool's application. Refer also to the Cloud Service Requirements chart for further guidance.

It is expected that agencies will conduct an initial information valuation by completing the first three sections (Questions 1-27) of this Cloud Risk Assessment Tool. This information will assist agencies in understanding the 'information value' to be invested in the target service, notably:

• The classification of the information concerned.
• The confidentiality, integrity and availability of the information concerned.
• The presence of Personally Identifiable Information (PII) - to identify if a Privacy Information Assessment (PIA) is required.
• Sovereignty, commercial, financial or reputational risks.

Dependent upon analysis of the results of the initial agency questions (Questions 1-27) concerning the information/data
to be stored, handled and transiting the proposed cloud-based solution, complete the remaining sections of this Cloud
Risk Assessment Tool appropriately (ie. no questions should be ignored, though a number may not be relevant to a
particular set of requirements).

Several cloud service vendors have developed standard response documents for the Cloud Computing: Information Security and Privacy Considerations, which can be provided to government agencies upon request. Agencies should approach potential cloud vendors when conducting this assessment.

The GCIO will review the contents of this tool and associated guidance on an ongoing basis, using the results of agencies' cloud assessments and direct feedback. Please submit comments and change requests to GCIO.

Version: v1.1.1 (15 Sep 15). Corrections and minor amendments from v1.1.

Author: Phil Cutforth MBE MSc, AoG Enterprise Architect, DIA SST

Contributors / Reviewers: GCIO thanks industry suppliers and agencies who have contributed to the development and review of this tool.

Contact Us: For any questions and suggestions for amendments or improvements, email the GCIO team at:
GCIO@dia.govt.nz

Master Document: Cloud Computing: Information Security and Privacy Considerations document [http://www.ict.govt.nz/assets/ICT-System-Assurance/Cloud-Computing-Information-Security-and-Privacy-Considerations-FINAL2.pdf]
Licence: Crown copyright ©. This work is licensed under a Creative Commons Attribution 4.0 International License (full licence statement as given on page 1). To view a copy of this licence, visit: http://creativecommons.org/licenses/by/4.0/


COMMERCIAL IN CONFIDENCE
Cloud Risk Assessment Tool
(Complete and submit to ICTAssurance@dia.govt.nz)

Agency / Customer Name:
Project / Task Ref ID:
Vendor / Provider Name: Allfields
Cloud Application / Service: Cognise

Columns: Section | Question No | Question | Agency/Project or Vendor/Provider Response | Question References / Sources | AGENCY to complete | VENDOR to complete
3.1 Value, Criticality and Sensitivity of Information
3.1 1 Who is the business owner of the information? [Agency: Y, Vendor: N]
3.1 2 What are the business processes that are supported by the information? [Agency: Y, Vendor: N]
3.1 3 What is the security classification of the information based on the NZ government guidelines for protection of official information? [Agency: Y, Vendor: N]
  References: 1. Protective Security Requirements (PSR); 2. NZ Information Security Manual (ISM); 3. DPMC - Treatment of information classified as "Sensitive" or endorsed "Special Handling Required"
3.1 4 Are there any specific concerns related to the confidentiality of the information that will be stored or processed by the cloud service? [Agency: Y, Vendor: N]
3.1 5 Does the data include any personal information? [Agency: Y, Vendor: N]
  References: Privacy Act 1993; Public Records Act 2005
3.1 6 Who are the users of the information? [Agency: Y, Vendor: N]
3.1 7 What permissions do the users require to the information? (i.e. read, write, modify and/or delete) [Agency: Y, Vendor: N]
3.1 8 What legislation applies to the information? (e.g. Privacy Act 1993, Official Information Act 1982, Public Records Act 2005) [Agency: Y, Vendor: N]
  References: Privacy Act 1993; Public Records Act 2005; Official Information Act 1982
3.1 9 What contractual obligations apply to the information? (e.g. Payment Card Industry Data Security Standard (PCI DSS)) [Agency: Y, Vendor: N]
3.1 10 What would the impact on the business be if the information was disclosed in an unauthorised manner? [Agency: Y, Vendor: N]
3.1 11 What would the impact on the business be if the integrity of the information was compromised? [Agency: Y, Vendor: N]
3.1 12 Does the agency have incident response and management plans in place to minimise the impact of an unauthorised disclosure? [Agency: Y, Vendor: N]
3.1 13 What would the impact on the business be if the information were unavailable? [Agency: Y, Vendor: N]
3.1 13.a What is the maximum amount of data loss that can be tolerated after a disruption has occurred? [Agency: Y, Vendor: N]
3.1 13.b What is the maximum period of time before which the minimum levels of services must be restored after a disruption has occurred? [Agency: Y, Vendor: N]
3.1 13.c What is the maximum period of time before which the full service must be restored to avoid permanently compromising the business objectives? [Agency: Y, Vendor: N]
3.2 Data Sovereignty
3.2 14 Where is the registered head office of the service provider? [Agency: N, Vendor: Y]
  Response: 245 Wakefield St, Te Aro, Wellington 6011


3.2 15 Which countries are the cloud services delivered from? [Agency: N, Vendor: Y]
  Response: Sydney, Australia (Cloud servers and content); United States of America (Content Delivery and Backups)
3.2 16 In which legal jurisdictions will the agency's data be stored and processed? [Agency: N, Vendor: Y]
  Response: Australia and the United States of America
3.2 17 Does the service provider allow its customers to specify the locations where their data can and cannot be stored and processed? [Agency: N, Vendor: Y]
  Response: No
3.2 18 Does the service have any dependency on any third parties (e.g. outsourcers, subcontractors or another service provider) that introduce additional jurisdictional risks? If yes, ask the service provider to provide the following details for each third party involved in the delivery of the service: [Agency: N, Vendor: Y]
  Response: Yes
3.2 18.a The registered head office of the third party; [Agency: N, Vendor: Y]
  Response: Amazon Web Services Inc., 1200 12th Avenue South, Suite 1200, Seattle, WA 98144
3.2 18.b The country or countries that their services are delivered from; and [Agency: N, Vendor: Y]
  Response: Australia and the United States of America
3.2 18.c The access that they have to client data stored, processed and transmitted by the cloud service. [Agency: N, Vendor: Y]
  Response: Full access to all data, but only with consent from Cognise staff. We have had no reason to give this consent to date and don't foresee giving it in the future either.
3.2 19 Have the laws of the country or countries where the data will be stored and processed been reviewed to assess how they could affect the security and/or privacy of the information? [Agency: Y, Vendor: Y]
  Response: No. Amazon states: "Customers using AWS maintain and do not release effective control over their content within the AWS environment. They can: 1. Determine where their content will be located, for example the type of storage they use on AWS and the geographic location (by Region) of that storage. 2. Control the format, structure and security of their content, including whether it is masked, anonymized or encrypted. AWS offers customers options to implement strong encryption for their customer content in transit or at rest, and also provides customers with the option to manage their own encryption keys or use third party encryption mechanisms of their choice. 3. Manage other access controls, such as identity, access management, permissions and security credentials. {1} AWS is vigilant about customers' security and does not disclose or move data in response to a request from the New Zealand, Australian, U.S. or other government unless legally required to do so, in order to comply with a legally valid and binding order, such as a subpoena or a court order, or as is otherwise required by applicable law. Non-U.S. governmental or regulatory bodies typically must use recognized international processes, such as Mutual Legal Assistance Treaties with the U.S. government, to obtain valid and binding orders. Additionally, our practice is to notify customers where practicable before disclosing their content so they can seek protection from disclosure, unless we are legally prevented from doing so or there is clear indication of illegal conduct in connection with the use of AWS services. {2}"
3.2 20 Do the laws actually apply to the service provider and/or its customer's information? (e.g. some privacy laws exempt certain types of businesses or do not apply to the personal information of foreigners.) [Agency: Y, Vendor: N]
3.2 21 Do the applicable privacy laws provide an equivalent, or stronger, level of protection than the Privacy Act 1993? [Agency: Y, Vendor: N]
  References: Privacy Act 1993
3.2 21.a If no, are customers able to negotiate with the service provider to ensure that the equivalent privacy protections are specified in the contract? [Agency: N, Vendor: Y]
  Response: Discussion between parties, and any negotiated outcome would be based on reasonable expectation.
3.2 22 How does the service provider deal with requests from government agencies to access customer information? [Agency: N, Vendor: Y]
  Response: The information must be requested from the Agency who owns the data.


3.2 22.a Do they only disclose information in response to a valid court order? [Agency: N, Vendor: Y]
  Response: See above
3.2 22.b Do they inform their customers if they have to disclose information in response to such a request? [Agency: N, Vendor: Y]
  Response: See above
3.2 22.c Are they prevented from informing customers that they have received a court order requesting access to their information? [Agency: N, Vendor: Y]
  Response: See above
3.3 Privacy
3.3 23 Does the data that will be stored and processed by the cloud service include personal information as defined in the Privacy Act 1993? If no, skip to question 28. [Agency: Y, Vendor: N]
  References: Privacy Act 1993
3.3 24 Has a PIA been completed that identifies the privacy risks associated with the use of the cloud service together with the controls required to effectively manage them? [Agency: Y, Vendor: N]
3.3 25 Is the service provider's use of personal information clearly set out in its privacy policy? [Agency: N, Vendor: Y]
  Response: Yes. www.allfields.com/privacy
3.3 25.a Is the service provider's privacy policy consistent with the agency's business requirements? [Agency: Y, Vendor: N]
3.3 26 Does the service provider notify its customers if their data is accessed by, or disclosed to, an unauthorised party? [Agency: N, Vendor: Y]
  Response: Yes, we strictly control access keys, and determine who is authorised to access our AWS account. We would notify promptly if deemed necessary. It is not currently a mandatory requirement of the Privacy Act to notify individuals of unauthorised access to or disclosure of their personal information. Notification may be appropriate having regard to the Office of the New Zealand Privacy Commissioner's guidance on privacy breaches.
3.3 26.a Does service provider notification of unauthorised customer data access or disclosure include providing sufficient information to support cooperation with an investigation by the Privacy Commissioner? [Agency: Y, Vendor: N]
3.3 27 Who can the agency, its staff and/or customers complain to if there is a privacy breach? [Agency: N, Vendor: Y]
  Response: support@cognise.help
3.4 Governance
3.4.1 Terms of Service
3.4.1 28 Does the service provider negotiate contracts with their customers or must they accept a standard Terms of Service? [Agency: N, Vendor: Y]
  Response: Generally accept the standard Terms of Service. A higher level Enterprise agreement can be negotiated if this was deemed necessary.
3.4.1 29 Does the service provider's Terms of Service and SLA clearly define how the service protects the confidentiality, integrity and availability of all customer information entrusted to them; especially official information; and the privacy of all personally identifiable information? [Agency: N, Vendor: Y]
  Response: Yes. Using AWS infrastructure, we design our security architecture to meet our compliance needs. This is a key difference from traditional hosting solutions where the provider decides on the architecture. AWS enables and empowers us to decide when and how security measures will be implemented in the cloud, in accordance with business needs. For example, if a higher availability architecture is required to protect customer content, we may add redundant systems, backups, locations, network uplinks, etc. to create a more resilient, high availability architecture. If restricted access to customer content is required, AWS tools enable us to implement access rights management controls both on a systems level and through encryption on a data level.
3.4.1 30 Does the service provider's Terms of Service specify that the agency will retain ownership of its data? [Agency: N, Vendor: Y]
  Response: Yes
3.4.1 31 Will the service provider use the data for any purpose other than the delivery of the service? [Agency: N, Vendor: Y]
  Response: No


3.4.1 32 Is the service provider's service dependent on any third-party services? [Agency: N, Vendor: Y]
  Response: Yes, Amazon Web Services
3.4.2 Compliance
3.4.2 33 Does the service provider's Terms of Service allow the agency to directly audit the implementation and management of the security measures that are in place to protect the service and the data held within it? [Agency: N, Vendor: Y]
  Response: No, giving that kind of access might expose other clients' information. Under specific conditions we could allow a customer to conduct penetration testing.
3.4.2 33.a If yes, does this include performing vulnerability scans and penetration testing of the service and the supporting infrastructure? [Agency: N, Vendor: Y]
  Response: Yes
3.4.2 33.b If no, does the service provider undergo formal regular assessment against an internationally recognised information security standard or framework by an independent third-party? (E.g. are they certified as being compliant with ISO/IEC 27001? Have they undergone an ISAE 3402 SOC 2 Type II assessment?) [Agency: N, Vendor: Y]
  Response: No
3.4.2 34 Will the service provider allow the agency to thoroughly review recent audit reports before signing up for service? (E.g. will the service provider provide the Statement of Applicability together with a copy of the full audit reports from their external auditor, and the results of any recent internal audits?) [Agency: N, Vendor: Y]
  Response: Not specifically. However, "AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to our customers under NDA. The AWS ISO 27001 certification can be downloaded here: http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf The AWS SOC 3 report can be downloaded here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf The SOC 3 report scope covers the same services covered in the SOC 1 report. See the AWS Risk and Compliance Whitepaper, or the AWS SOC 3 report for the list."
  References: AWS Risk and Compliance Whitepaper (January 2016) [Ref 1] - Appendix A: CSA Consensus Assessments Initiative Questionnaire v3.0.1 / Audit Assuran
3.4.2 35 Will the service provider enable potential customers to perform reference checks by providing the contact details of two or more of its current customers? [Agency: N, Vendor: Y]
  Response: Yes - please notify us prior.
3.4.2 36 Is there a completed CAIQ or CMM report for the service provider in the CSA STAR? [Agency: N, Vendor: Y]
  Response: No. "AWS is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). This CAIQ published by the CSA provides a way to reference and document what security controls exist in AWS Infrastructure as Service offerings. The CAIQ provides 298 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. The questions and AWS responses are included as Appendix A: CSA Consensus Assessments Initiative Questionnaire v3.0.1 in the AWS Risk and Compliance Whitepaper (January 2016)."
3.4.2 37 Has the service provider undergone a CSA STAR Certification and/or Attestation? [Agency: N, Vendor: Y]
  Response: Not ourselves.
3.4.3 37.a Have they published the outcome of the audit? [Agency: N, Vendor: Y]
  Response: See above


3.4.2 38 Has the service provider published a completed Cloud Computing Code of Practice? [Agency: N, Vendor: Y]
  Response: No. However, "ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set. AWS has achieved ISO 27018 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centres, and services (see certification document for scope). The AWS ISO 27018 certification can be downloaded at: https://d0.awsstatic.com/certifications/iso_27018_certification.pdf . For FAQs, see https://aws.amazon.com/compliance/iso-27018-faqs/ . ISO 27017 is the newest code of practice released by the International Organization for Standardization (ISO). It provides implementation guidance on information security controls that specifically relate to cloud services. AWS has achieved ISO 27017 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centres, and services (see certification document for scope). The AWS ISO 27017 certification can be downloaded at: https://d0.awsstatic.com/certifications/iso_27017_certification.pdf . For FAQs, see https://aws.amazon.com/compliance/iso-27017-faqs/ ."
3.4.2 39 What additional assurance activities must be performed to complete the certification and accreditation of the cloud service? [Agency: Y, Vendor: N]

3.5 Confidentiality

3.5.1 Authentication and Access Control
3.5.1 40 Does the agency have an identity management strategy that supports the adoption of cloud services? [Agency: Y, Vendor: N]
3.5.1 40.a If yes, does the cloud service support the agency's identity management strategy? [Agency: N, Vendor: Y]
  Response: We support SSO via SAML 2.0.
3.5.1 41 Is there an effective internal process that ensures that identities are managed and protected throughout their lifecycle? [Agency: Y, Vendor: Y]
  Response: Yes, the agency can only expose users who want to have access to the service via SSO.
3.5.1 42 Is there an effective audit process that is actioned at regular intervals to ensure that user accounts are appropriately managed and protected? [Agency: Y, Vendor: Y]
  Response: No. The agency is responsible for managing their users' access to Cognise. We have the option to offer and use an additional service, AWS CloudTrail. AWS CloudTrail provides a log of all requests for AWS resources. For each event recorded, we can see what service was accessed, what action was performed, any parameters for the action, and who made the request. The log files are automatically encrypted using Amazon S3's Server Side Encryption. We can add conditions to control how users can use AWS, such as time of day, their originating IP address, or whether they are using SSL.
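The record fields the vendor's response to Question 42 describes (service accessed, action performed, parameters, and who made the request) are what a periodic account audit of the kind the question asks about would be run over. The following is an added example written for this page; it is not code from the assessment tool, the vendor or AWS. It reads a handful of constructed, simplified CloudTrail-style records and produces the two things an auditor wants: a per-identity summary of who used which service and action, and a list of findings to follow up (console logins without MFA, root account use, requests from an unexpected source address, and IAM actions that change who can access the account). The expected source address range and the list of IAM actions are hypothetical policy choices made for the example; an agency would substitute its own.

```python
"""Review of CloudTrail-style audit records (added example, not from the assessment tool)."""
import json
from collections import Counter, defaultdict

# Constructed sample records (not real log data). Only the fields the review
# reads are included; field names follow the CloudTrail record format.
SAMPLE_EVENTS_JSON = json.dumps({"Records": [
    {"eventTime": "2021-03-30T21:05:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops.admin"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2021-03-30T22:14:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "contractor.x"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-03-30T22:20:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops.admin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2021-03-30T23:01:39Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"bucketName": "agency-records", "key": "2021/export.csv"}},
    {"eventTime": "2021-03-31T01:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

# Hypothetical review policy for this example (an agency would set its own):
# the address range its administrators are expected to connect from, and the
# IAM actions that change who can access the account.
EXPECTED_SOURCE_PREFIXES = ("203.0.113.",)  # TEST-NET-3 documentation range
IAM_ACCESS_CHANGES = {"CreateUser", "DeleteUser", "CreateAccessKey",
                      "AttachUserPolicy", "PutUserPolicy", "CreateLoginProfile"}


def load_events(raw_json):
    """Parse a CloudTrail-style JSON document into its list of records."""
    return json.loads(raw_json)["Records"]


def identity_label(record):
    """Who made the request: IAM user name, else the ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarise_by_identity(records):
    """Per identity, count the (service, action) pairs it used.
    This is the 'who accessed what' view a periodic account review starts from."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[identity_label(rec)][(rec["eventSource"], rec["eventName"])] += 1
    return {who: dict(counts) for who, counts in summary.items()}


def review_findings(records):
    """Return (identity, eventName, reason) for each record a reviewer should examine."""
    findings = []
    for rec in records:
        who, name = identity_label(rec), rec["eventName"]
        # Interactive sign-in without a second factor.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((who, name, "console login without MFA"))
        # The root identity should be reserved for break-glass use.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((who, name, "root account used"))
        # Activity from outside the expected administrative address range.
        if not rec["sourceIPAddress"].startswith(EXPECTED_SOURCE_PREFIXES):
            findings.append((who, name, f"request from unexpected address {rec['sourceIPAddress']}"))
        # Changes to who can access the account: reconcile with the user access register.
        if rec["eventSource"] == "iam.amazonaws.com" and name in IAM_ACCESS_CHANGES:
            target = rec.get("requestParameters", {}).get("userName", "?")
            findings.append((who, name, f"access change affecting '{target}'"))
    return findings


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS_JSON)
    for who, actions in summarise_by_identity(events).items():
        print(who, actions)
    for finding in review_findings(events):
        print("FINDING:", *finding)
```

On the constructed records this yields four findings: two for the contractor login (no MFA, unexpected address), one for the access key created for `svc-backup`, and one for the root sign-in. The summary is what an agency would reconcile against its own list of who is supposed to hold access, which is the part of Question 42 the vendor's response leaves with the agency.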


3.5.1 43 Have the controls required to manage the risks associated with the ubiquitous access provided by the cloud been identified? [Agency: Y, Vendor: Y]
  Response: Yes. To help ensure that only authorised users and processes access our AWS Account and resources, AWS provides us with several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates.
  References: NZISM; PSR; CSA
3.5.1 43.a Does the cloud service meet those control requirements? [Agency: Y, Vendor: N]
3.5.1 44 Are all passwords encrypted, especially system/service administrators, in accordance with NZISM complexity requirements? [Agency: Y, Vendor: Y]
  Response: Yes, they are encrypted. No, the complexity standard is not met. We currently only require a password of 8 characters or more; NZISM requires 10. We recommend signing in using SSO to avoid using passwords entirely. If needed we can increase to 10 characters.
  References: NZISM
3.5.1 45 Is there a higher level of assurance required that the party asserting an identity is the authorised user of the account when authenticating to the service? (I.e. is multi-factor authentication necessary?) [Agency: Y, Vendor: Y]
  Response: We do not support multi-factor authentication in our application. AWS provides us the option of requiring multi-factor authentication (MFA) to log into our AWS Account or IAM user accounts.

3.5.2 Multi-Tenancy
3.5.2 46 Will the service provider allow the agency to review a recent third-party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of the security controls and practices related to virtualisation and separation of customer's data? [Agency: N, Vendor: Y]
3.5.2 47 Will the service provider permit customers to undertake security testing (including penetration tests) to assess the efficacy of the access controls used to enforce separation of customer's data? [Agency: N, Vendor: Y]
  Response: Yes. We can request permission to conduct scans of our cloud infrastructure as long as they are limited to our instances and do not violate the AWS Acceptable Use Policy. Further, AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to us under NDA. The AWS ISO 27001 certification can be downloaded here: http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf The AWS SOC 3 report can be downloaded here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf
3.5.2 48 Does the service provider's customer registration processes provide an appropriate level of assurance in line with the value, criticality and sensitivity of the information to be placed in the cloud service? [Agency: Y, Vendor: Y]
  Response: Yes

3.5.3 Standard Operating Environments
3.5.3 49 Are there appropriate build and hardening standards defined and documented for the service components the agency is responsible for managing? [Agency: Y, Vendor: N]
  References: NZISM
3.5.3 50 Can the agency deploy operating systems and applications in accordance with internal build or hardening standards? [Agency: Y, Vendor: N]
  References: NZISM
3.5.3 50.a If no, does the service provider have appropriate build and hardening standards that meet the agency's security requirements? [Agency: N, Vendor: Y]
  Response: Cannot answer without knowing the agency's standards.
  References: NZISM
3.5.3 50.b Does the virtual image include a host-based firewall configured to only allow the ingress and egress (inbound and outbound) traffic necessary to support the service? [Agency: N, Vendor: Y]
  Response: N/A
  References: NZISM
3.5.3 50.c Does the service provider allow host-based intrusion detection and prevention service (IDS/IDP) agents to be installed within the virtual machines? [Agency: N, Vendor: Y]
  Response: N/A
  References: NZISM


3.5.3 51. Does the service provider perform regular tests of its security processes and controls?
    Ref: NZISM | Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. Further, AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to us under NDA. The AWS ISO 27001 certification can be downloaded here: http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf
    The AWS SOC 3 report can be downloaded here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf
    AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership.
    In addition, the AWS control environment is subject to regular internal and external audits and risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment.

3.5.3 51.a Will they provide customers with a copy of the associated reports?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: See above.

3.5.3 52. Can a penetration test of the service be performed to ensure that it has been securely deployed?
    Ref: NZISM | Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes for our application. Further, we can request permission to conduct scans of our AWS cloud infrastructure as long as they are limited to our instances and do not violate the AWS Acceptable Use Policy.

3.5.4 Patch and Vulnerability Management

3.5.4 53. Is the service provider responsible for patching all components that make up the cloud service?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes, we ensure our patches maintain a robust, stable, and secure application for our customers. Further, "AWS is responsible for patching systems supporting the delivery of service to us, such as the hypervisor and networking services. This is done as required per AWS policy and in accordance with ISO 27001, NIST, and PCI requirements. AWS does not require systems to be brought offline to perform regular maintenance and system patching."

3.5.4 53.a If the service provider is NOT responsible for patching all components that make up the cloud service, has the agency identified which components the service provider is responsible for and which it is responsible for?
    Agency to complete: Y | Vendor to complete: N

3.5.4 54. Do the service provider's Terms of Service or SLA include service levels for patch and vulnerability management that include a defined maximum exposure window?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. We can also request permission to conduct scans of our AWS cloud infrastructure as long as they are limited to our instances and do not violate the AWS Acceptable Use Policy. AWS Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities. AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. AWS' own maintenance and system patching generally do not impact customers.

3.5.4 55. Does the agency currently have an effective patch and vulnerability management process?
    Agency to complete: Y | Vendor to complete: N


3.5.4 56. Has the agency ensured that all of the components that it is responsible for have been incorporated into its patch and vulnerability management process?
    Agency to complete: Y | Vendor to complete: N

3.5.4 57. Is the agency subscribed to, or monitoring, appropriate sources for vulnerability and patch alerts for the components that it is responsible for?
    Agency to complete: Y | Vendor to complete: N

3.5.4 58. Does the service provider allow its customers to perform regular vulnerability assessments?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes, the client is free to do so at any time.

3.5.4 59. Do the Terms of Service or SLA include a compensation clause for breaches caused by vulnerabilities in the service?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes.

3.5.4 59.a If the Terms of Service or SLA include a compensation clause for breaches caused by vulnerabilities in the service, does it provide an adequate level of compensation should a breach occur?
    Agency to complete: Y | Vendor to complete: N

3.5.5 Encryption

3.5.5 60. Have requirements for the encryption of the information that will be placed in the cloud service been determined?
    Agency to complete: Y | Vendor to complete: N
3.5.5 61. Does the cloud service use only approved encryption protocols and algorithms (as defined in the NZISM)?
    Ref: NZISM | Agency to complete: Y | Vendor to complete: Y
    Vendor response: Yes. The AWS Information Security Registered Assessors Program (IRAP) enables us to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).
    AWS has completed an independent assessment (see https://aws.amazon.com/compliance/irap/) that has determined all applicable ASD ISM controls are in place relating to the processing, storage and transmission of Unclassified DLM (UD) for the AWS Sydney Region. {2}
    The ASD ISM shares many similarities with the NZ ISM including the use of approved cryptographic algorithms and protocols. Refer to the ASD ISM [http://www.asd.gov.au/infosec/ism/] and NZ ISM for more details.

3.5.5 62. Which party is responsible for managing the cryptographic keys?
    Agency to complete: Y | Vendor to complete: Y
    Vendor response: Vendor.

3.5.5 63. Does the party responsible for managing the cryptographic keys have a key management plan that meets the requirements defined in the NZISM?
    Ref: NZISM | Agency to complete: Y | Vendor to complete: Y
    Vendor response: Yes. AWS allows us to use our own encryption mechanisms for our services, including S3, EBS and EC2. In addition, we can leverage AWS Key Management Systems (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS (https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf). AWS establishes and manages cryptographic keys for required cryptography employed within the AWS infrastructure. AWS produces, controls and distributes symmetric cryptographic keys using NIST approved key management technology and processes in the AWS information system. An AWS developed secure key and credential manager is used to create, protect and distribute symmetric keys and is used to secure and distribute: AWS credentials needed on hosts, RSA public/private keys and X.509 Certifications. AWS cryptographic processes are reviewed by independent third party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

3.5.6 Cloud Service Provider Insider Threat


3.5.6 64. Does the service provider undertake appropriate pre-employment vetting for all staff that have access to customer data?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Allfields conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee's position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

3.5.6 64.a Does the service provider perform on-going checks during the period of employment?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Accounts are reviewed every 120 days; explicit re-approval is required or access to the resource is automatically revoked. Access is also automatically revoked when an employee's record is terminated in the Allfields Payroll system. Windows and UNIX accounts are disabled and we remove the user from all systems.

3.5.6 65. If the service provider is dependent on a third-party to deliver any part of their service, does the third-party undertake appropriate pre-employment vetting for all staff that have access to customer data?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes (Amazon does). "Personnel security requirements for third-party providers supporting AWS systems and devices are established in a Mutual Non-Disclosure Agreement between AWS' parent organization, Amazon.com, and the respective third-party provider. The Amazon Legal Counsel and the AWS Procurement team define AWS third party provider personnel security requirements in contract agreements with the third party provider. All persons working with AWS information must at a minimum, meet the screening process for pre-employment background checks and sign a Non-Disclosure Agreement (NDA) prior to being granted access to AWS information. AWS does not generally outsource development of AWS services to subcontractors."

3.5.6 66. Does the service provider have a SIEM service that logs and monitors all logical access to customer data?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. AWS' incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. The AWS SOC reports provide details on the specific control activities executed by AWS. All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities. The AWS Cloud Security Whitepaper (available at http://aws.amazon.com/security) provides additional details.
    AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to record continuously the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for the AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events.
    AWS CloudTrail, if enabled, provides a log of requests for AWS resources within our account for supported services. For each event, we can see what service was accessed, what action was performed, and who made the request. CloudTrail captures information about every API call to every supported AWS resource, including sign-in events.


3.5.6 67. Does the service provider enforce separation of duties to ensure that audit logs are protected against unauthorised modification and deletion?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. "AWS Incident response program (detection, investigation and response to incidents) has been developed in alignment with ISO 27001 standards; system utilities are appropriately restricted and monitored. AWS SOC reports provide additional details on controls in place to restrict system access. In alignment with ISO 27001 standards, AWS information systems utilize internal system clocks synchronized via NTP (Network Time Protocol). AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
    AWS utilizes automated monitoring systems to provide a high level of service performance and availability. Proactive monitoring is available through a variety of online tools both for internal and external use. Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured to notify operations and management personnel when early warning thresholds are crossed on key operational metrics. An on-call schedule is used such that personnel are always available to respond to operational issues. This includes a pager system so alarms are quickly and reliably communicated to operations personnel.
    Refer to AWS Overview of Security Processes for additional details - available at http://aws.amazon.com/security."

3.5.6 68. Do the Terms of Service or SLA require the service provider to report unauthorised access to customer data by its employees?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.5.6 68.a If yes, is the service provider required to provide details about the incident to affected customers to enable them to assess and manage the associated impact?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: N/A

3.5.7 Data Persistence

3.5.7 69. Does the service provider have an auditable process for the secure sanitisation of storage media before it is made available to another customer?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Amazon EBS volumes are presented to us as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that we can be assured that the wipe process completed. If we have procedures requiring that all data be wiped via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"), we have the ability to do so on Amazon EBS. We conduct a specialised wipe procedure prior to deleting the volume for compliance.

3.5.7 70. Does the service provider have an auditable process for secure disposal or destruction of ICT equipment and storage media (e.g. hard disk drives, backup tapes etc.) that contain customer data?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorised individuals. AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. Refer to AWS Cloud Security Whitepaper for additional details - available at http://aws.amazon.com/security.

3.5.8 Physical Security


3.5.8 71. If it is practical to do so (i.e. the datacentre is within New Zealand), can the service provider's physical security controls be directly reviewed or assessed by the agency? If no, will the service provider allow the agency to review a recent third party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of their physical security controls?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No, all datacentres are maintained by AWS, which we ourselves do not have access to. AWS states: Due to the fact that our data centres host multiple customers, AWS does not allow data centre tours by customers, as this exposes a wide range of customers to physical access of a third party. To meet this customer need, an independent and competent auditor validates the presence and operation of controls as part of our SOC 1 Type II report. This broadly accepted third-party validation provides customers with the independent perspective of the effectiveness of controls in place. AWS customers that have signed a non-disclosure agreement with AWS may request a copy of the SOC 1 Type II report. Independent reviews of data centre physical security are also a part of the ISO 27001 audit, the PCI assessment, ITAR audit, and the FedRAMP testing programs.

3.5.8 71.a If no, will the service provider allow the agency to review a recent third party audit report (e.g. ISO 27001 or ISAE 3402 SOC 2 Type II) that includes an assessment of their physical security controls?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes, AWS states: "AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS). The AWS ISO 27001 certification can be downloaded at: https://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf
    Frequently asked questions about the AWS ISO 27001 certification are here: https://aws.amazon.com/compliance/iso-27001-faqs/
    Amazon Web Services publishes a SOC 1, Type II report. The audit for this report is conducted in accordance with AICPA AT 801 and ISAE 3402. This dual-standard report is intended to meet a broad range of financial auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS' control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. In addition, AWS publishes a SOC 2, Type II report. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA's Trust Services Principles criteria. This report provides additional transparency into AWS security and availability based on a pre-defined industry standard of leading practices and further demonstrates AWS' commitment to protecting customer data.
    AWS publishes a Service Organization Controls 3 (SOC 3) report, which is a publicly-available summary of the AWS SOC 2 report. The AWS SOC 3 report includes all AWS data centres worldwide that support in-scope services. The SOC 3 report is here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf"

3.5.8 72. Do the service provider's physical security controls meet the minimum requirements as defined in the New Zealand government's security guidelines to protect the information stored in the cloud service?
    Agency to complete: Y | Vendor to complete: N

3.6 Data Integrity

3.6 73. Does the service provider provide data backup or archiving services as part of their standard service offering to protect against data loss or corruption? If not, do they offer data backup or archiving services as an additional service offering to protect against data loss and corruption?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes.


3.6 74. How are data backup and archiving services provided?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: AWS provides automated backups of database services. File storage is backed by S3 and is replicated to other datacenters around the world.

3.6 75. Does the SLA specify the data backup schedule?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: If an SLA exists, a schedule would be specified.

3.6 76. Does the data back-up or archiving service ensure that business requirements related to protection against data loss are met? (I.e. does the service support the business Recovery Point Objective?)
    Agency to complete: Y | Vendor to complete: N

3.6 77. What level of granularity does the service provider offer for data restoration?
    Agency to complete: Y | Vendor to complete: Y
    Vendor response: Database services can be restored to a backup less than 24 hours old. File storage can be restored within 48 hours. Amazon S3 provides protection via Versioning. We can use Versioning to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket, allowing recovery from both unintended user actions and application failures. We can further protect versions using Amazon S3 Versioning's MFA Delete feature. Amazon RDS allows us to restore DB Instances to any one second during their retention period, up to the last 5 minutes.

3.6 78. What is the service provider's process for initiating a restore?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Restorations are completed by restoring from a snapshot. The automated backup feature of Amazon RDS enables point-in-time recovery of DB Instances. When we perform a restore operation to a point in time or from a DB Snapshot, a new DB Instance is created with a new endpoint. The old DB Instance is deleted with the AWS Management Console.

3.6 79. Does the service provider regularly perform test restores to ensure that data can be recovered from backup media?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. AWS allows us to move data as needed on and off AWS storage. Amazon S3 helps maintain the durability of the objects by quickly detecting and repairing any lost redundancy. S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

3.6 80. Does the agency need to implement a data backup strategy to ensure that it can recover from an incident that leads to data loss or corruption?
    Agency to complete: Y | Vendor to complete: N

3.6 81. Does the proposed data backup and archiving strategy support the agency in meeting its obligations under the Public Records Act and Official Information Act?
    Ref: Public Records Act 2005, Official Information Act 1982 | Agency to complete: Y | Vendor to complete: N

3.7 Availability

3.7.1 Service Level Agreement

3.7.1 82. Does the SLA include an expected and minimum availability performance percentage over a clearly defined period?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. Amazon EC2 commits to an annual uptime percentage of at least 99.95% during the service year. Amazon S3 commits to a monthly uptime percentage of at least 99.9%.

3.7.1 82.a If the SLA includes an expected and minimum availability performance percentage over a clearly defined period, are the agency's business requirements for availability met? (I.e. does the service support the business's Recovery Time Objective and Acceptable Interruption Window?)
    Agency to complete: Y | Vendor to complete: N

3.7.1 83. Does the SLA include defined, scheduled outage windows?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: We frequently upgrade our application, with many patches and upgrades being applied to instances transparently. However, some updates require a short instance reboot in order to apply these updates. We can outline scheduled downtime within a customer SLA, and this is set outside of normal M-F working hours.


3.7.1 83.a If the SLA includes defined, scheduled outage windows, do the specified outage windows affect New Zealand business operations?
    Agency to complete: Y | Vendor to complete: N

3.7.1 83.b If the SLA does NOT include defined, scheduled outage windows, has the service provider implemented technologies that enable them to perform maintenance activities without the need for an outage?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: See above.

3.7.1 84. Does the SLA include a compensation clause for a breach of the guaranteed availability percentages?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: (none given)

3.7.1 84.a If the SLA includes a compensation clause for a breach of the guaranteed availability percentages, does this provide an adequate level of compensation should the service provider breach the SLA?
    Agency to complete: Y | Vendor to complete: N

3.7.2 Denial of Service Attacks

3.7.2 85. Does the service provider utilise protocols and technologies that can protect against DDoS attacks?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes.

3.7.2 85.a If yes, does enabling the service provider's DDoS protection services affect the answer to questions 15, 16 and 17?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.7.2 86. Can the agency specify or configure resource usage limits to protect against EDoS/bill shock?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.7.3 Network Availability and Performance

3.7.3 87. Do the network services directly managed, or subscribed to, by the agency provide an adequate level of availability?
    Agency to complete: Y | Vendor to complete: N

3.7.3 88. Do the network services directly managed, or subscribed to, by the agency provide an adequate level of redundancy/fault tolerance?
    Agency to complete: Y | Vendor to complete: N

3.7.3 89. Do the network services directly managed, or subscribed to, by the agency provide an adequate level of bandwidth (network throughput)?
    Agency to complete: Y | Vendor to complete: N

3.7.3 90. Is the latency between the agency network(s) and the service provider's service at levels acceptable to achieve the desired user experience?
    Agency to complete: Y | Vendor to complete: N

3.7.3 90.a If no, is the latency occurring on the network services directly managed, or subscribed to, by the agency?
    Agency to complete: Y | Vendor to complete: N

3.7.3 90.b Can the issue be resolved either by the network service provider or the agency?
    Agency to complete: Y | Vendor to complete: N

3.7.3 91. Is the packet loss between the agency network(s) and the service provider's service at levels acceptable to achieve the desired user experience?
    Agency to complete: Y | Vendor to complete: N

3.7.3 91.a If no, is the packet loss occurring on network services directly managed, or subscribed to, by the agency?
    Agency to complete: Y | Vendor to complete: N

3.7.3 91.b Can the issue be resolved either by the network service provider or the agency?
    Agency to complete: Y | Vendor to complete: N

3.7.4 Business Continuity and Disaster Recovery


3.7.4 92. Does the service provider have business continuity and disaster recovery plans?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. Our application runs on Amazon's infrastructure and has a high level of availability and provides the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact.
    AWS provides us with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains. In addition to discrete uninterruptable power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
    We architect our AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

3.7.4 93. Will the service provider permit the agency to review its business continuity and disaster recovery plans?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes.

3.7.4 94. Do the service provider's plans cover the recovery of the agency data or only the restoration of the service?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes to both. AWS provides us with the capability to implement a robust continuity plan, including the utilisation of frequent server instance back-ups, data redundancy replication, and multi-region/availability zone deployment architectures. AWS provides us the flexibility to place instances and store data within multiple geographic regions as well as across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. In case of failure, automated processes move customer data traffic away from the affected area.
    Customers utilise AWS to enable faster disaster recovery of their critical IT systems without incurring the infrastructure expense of a second physical site. The AWS cloud supports many popular disaster recovery (DR) architectures from "pilot light" environments that are ready to scale up at a moment's notice to "hot standby" environments that enable rapid failover. To learn more about Disaster Recovery on AWS visit https://aws.amazon.com/disaster-recovery/.

3.7.4 95. If the service provider's plans cover the restoration of agency data, is the recovery of customer data prioritised?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. EBS Snapshot functionality allows us to capture and restore at any time.

3.7.4 95.a If so, how? Are customers prioritised based on size and contract value?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Every customer is restored at the same time, making all customers a priority.


3.7.4 96. Does the service provider formally test its business continuity and disaster recovery plans on a regular basis?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Not currently. We mainly rely on Amazon's extremely robust approach. "AWS Business Continuity Policies and Plans have been developed and tested in alignment with ISO 27001 standards. Refer to ISO 27001 standard, annex A domain 17 for further details on AWS and business continuity. Also refer to the AWS SOC 1 Type 2 report."

3.7.4 96.a If yes, how regularly are such tests performed?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: See above.

3.7.4 96.b Will they provide customers with a copy of the associated reports?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: See above.

3.7.4 97. Does the agency have its own business continuity and disaster recovery plan in place to ensure that it can recover from a service outage, the service provider going out of business or withdrawing the service?
    Agency to complete: Y | Vendor to complete: N

3.7.4 98. Does the agency require its own data backup strategy to ensure that it can recover from a service outage, the service provider going out of business or withdrawing the service?
    Agency to complete: Y | Vendor to complete: N

3.7.4 99. Are the backups (whether performed by the service provider or the agency) encrypted using an approved encryption algorithm and appropriate key length?
    Agency to complete: Y | Vendor to complete: Y
    Vendor response: Not currently. Should a customer require it, AWS allows us to use our own encryption mechanisms for nearly all the services, including S3, EBS, and EC2. Amazon S3 also offers Server Side Encryption as an option for customers.

3.8 Incident Response and Management

3.8 100. Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Not specifically within our application. We do apply diagnostic tools 24 x 7. Further, Amazon staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution on their infrastructure.
    "AWS' incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. The AWS SOC reports provide details on the specific control activities executed by AWS. All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities."

3.8 100.a If yes, will they provide the agency with a copy of their process and plans to enable it to determine if they are sufficient?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: (none given)

3.8 101. Does the service provider test and refine its incident response and management process and plans on a regular basis?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.8 102. Does the service provider engage its customers when testing its incident response and management processes and plans?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.8 103. Does the service provider provide its staff with appropriate training on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: No.

3.8 104. Does the service provider's Terms of Service or SLA clearly define the support they will provide to the agency should an information security incident arise? For example, does the service provider:
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes, an SLA would cover this.

3.8 104.a Notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes.

3.8 104.b Specify a point of contact and channel for customers to report suspected information security incidents?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Helpdesk: raise a ticket, email, or call us direct.


3.8 104.c Define the roles and responsibilities of each party during an information security incident?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: If the breach is from the Agency side, e.g. providing a group access to info they should not be seeing, then the role of Admin would be to remove the content, replace the content, or to contact us if it is a serious breach needing immediate assistance. If the incident lies on the vendor's side, they will validate the security issue and ensure all steps are taken to ensure the problem is resolved. The Agency will be kept up to date on all steps taken by the vendor.

3.8 104.d Provide customers with access to evidence (e.g. time stamped audit logs and/or forensic snapshots of virtual machines etc.) to enable them to perform their own investigation of the incident?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: AWS CloudTrail, if enabled for a customer, provides a simple solution to log user activity that helps alleviate the burden of running a complex logging system. Refer to [http://aws.amazon.com/cloudtrail] for additional details.

3.8 104.e Provide sufficient information to enable the agency to cooperate effectively with an investigation by a regulatory body, such as the Privacy Commissioner or the Payment Card Industry Security Standards Council (PCI SSC)?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. See above.

3.8 104.f Define which party is responsible for the recovery of data and services after an information security incident has occurred?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: If the information is lost by the vendor during an operation such as a migration, the vendor will restore it. Any incidents created by the agency must be resolved by the agency by either removing or overwriting the data.

3.8 104.g Share post incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the cloud service?
    Agency to complete: N | Vendor to complete: Y
    Vendor response: Yes. Notification of security incidents is handled on a case-by-case basis and as required by applicable law. Any notification is performed via secure communications.

3.8 104.h  h. Specify in the contract limits and provisions for insurance, liability and indemnity for information security incidents? (Note: it is recommended that agencies carefully review liability and indemnity clauses for exclusions.) (Agency to complete: N; Vendor to complete: Y)
Vendor response: Yes. We have 5 million Public Liability and 2 million Professional Indemnity.

3.8 105  105. Do the service provider's incident response and management procedures map to (or fit with) the agency's internal policy and procedures, so that they do not hinder or delay the agency's ability to manage incidents in a timely and effective manner? (Agency to complete: Y; Vendor to complete: N)

Page 18 of 34. Uncontrolled copy as at 01/04/2021 when printed.


Instructions for Use of Tool
Clarification points Agency Questions / Comments / Requests

http://protectivesecurity.govt.nz/home/what-you-need-to-know/
http://www.gcsb.govt.nz/news/the-nz-information-security-manual/
http://www.dpmc.govt.nz/cabinet/circulars/co08/1

Consider disclosures that would adversely affect government credibility and citizen trust. Also consider the financial, operational and IPR impact.

Incident Response and Management plans that cover all relevant aspects of operational, security, and service problem incidents should be considered.

See also Q92.


This can be used to define the 'Recovery Point Objective'.

This can be used to define the 'Recovery Time Objective'.

This can be used to define the 'Acceptable Interruption Window'.


GCPO can provide advice on what constitutes 'sufficient information' on a case-by-case (project specific) basis.

Depending on the information risk assessment for this Cloud Service, generic or non-contractual Terms of Service should be avoided where they cannot be tested, proved or assured by the agency.

Wording amended slightly to emphasise the requirement for Service Providers to adequately provide for the confidentiality (including privacy), integrity and availability of all information that government agencies entrust to them.


This is something that will need to be handled on a case-by-case basis; for example, it will depend on whether the current customer will allow direct contact.


Although there may be some activities required of the vendor, the agency has the lead responsibility for defining the actions required to achieve C&A, in line with the agency's own C&A process and policies.

These questions concern the agency's ability to control exposure of its internal identity registries and to expose to a Cloud Service only those users and credentials required for that service. If it cannot, the impact should be included in the agency's risk assessment.


As part of their risk assessment, an agency should consider what other customers share a multi-tenancy service and the level of assurance for separation or partitioning the provider will provide.


Includes penetration testing, operational (process) controls testing, as well as other forms of testing.

Refers to the agency/customer performing (or commissioning a third party to perform) a penetration test of the provider's environment. This should cover the transit, transport, storage and processing of the customer data/information involved.


Publicly available data on the cost of various data compromise scenarios can be used to estimate the cost of a potential breach.

This is potentially a hidden additional cost. Is the data backup stored within agency resources, or with a second vendor that has no common points of failure with the cloud vendor?

Availability may be affected by multiple factors, such as technical issues, faulty vendor hardware/software, facility issues (power loss) and deliberate attacks.


Consider the agency's business operating hours and the criticality of systems that require 24/7 support.

These questions concern the network connectivity (local network and telecommunications circuits/cables) between agency users and the cloud vendor's facilities. This should be considered in an end-to-end scenario.
