- Directions and priorities
- Access to government services
- Access to government data
- Services to government employees
- Aligning agency applications
- Standardising enterprise applications
- Defining and reusing authoritative data
- Integrating workflow across government
- Unifying communications and networking
- Securing government information
- Aligning management of commodity software
- Building operational foundations
- Roadmap Overview Key
- Common capabilities
- COE Reference Architecture
- Benefits Realisation
- Checklist for agencies
- Enterprise Architecture
- Communication technologies
- Information and data
- Procurement and ICT contracts
- Trust and security
- Standards / compliance
- Agency Guides
- Government Use of Offshore ICT Service Providers
- Executive Summary
- Risk Management Approach
- Discussion of key risks
- Big picture risks
- Trust and public confidence risks
- Control risks
- Governance, management and project risks
- Economic risks
- Business continuity risks
- Security and integrity risks
- Privacy risks
- Legal, jurisdictional and commercial risks
- Fiscal risks
- Summary of key risks and mitigations
- Some topics to discuss with your legal advisors
- Open source
- Overseas Hosting Risk Analysis
- Government Use of Offshore ICT Service Providers
- Government Cloud Business Case 2011 FAQs
- Pre-2009 research
- Previous e-Government Strategy 2006
- The GCIO
The New Zealand government is a steward of information and data on behalf of all New Zealanders. Stewardship requires an informed balance between sometimes competing drivers. Advances in technologies such as software-as-a-service and cloud computing, the cost advantages of offshore service centres, or access to offshore expertise and its transfer onshore can make the use of offshore information and communication technologies (ICT) providers very attractive.
Conversly, agencies may dismiss potential opportunities to take advantage of these offerings because of uncertainty about their ability to meet obligations under legislation, regulation or policy. This Advice is intended to provide agencies with basic information about possible risks related to transferring government information offshore or processing government information from a foreign location and to provide approaches to mitigating and managing those risks. It does not seek to prohibit the use of offshore ICT service providers. Whether the use of an offshore provider is desirable is ultimately a fact-specific decision for individual agencies. This Advice aims to assist agencies in making their own decisions.
Some of the advice is not unique to offshore outsourcing but also applies to outsourcing within New Zealand, particularly if the contractor is foreign owned or a target for foreign ownership.
The Advice is intended to be used as a resource when conducting risk assessments and developing risk management plans for proposed initiatives within existing policy frameworks for procurement, government security, and ICT project management. It does not create any new requirements but assumes and recommends the use of risk management approaches within existing frameworks.
It addresses principal risks to New Zealand's autonomy, authority and control over government information systems and information assets that may accompany the use of offshore ICT service providers. It explains possible mitigations for those risks and proposes a risk management approach to addressing them. Risks covered include, among other things, the security and integrity of personal and government information, continuity of service, trust and public confidence.
The Advice does not apply to contracting for software development or similar activities if they do not involve either transferring government information offshore or processing government information from a foreign location. Likewise, formal secure networks where risks are already fully or sufficiently mitigated are excluded from the scope.
Existing Policy Frameworks
Procurement and ICT Project Management Frameworks
Departments have obligations under the Mandatory Rules for Procurement by Departments to conduct open and transparent procurement that respects New Zealand's non-discriminatory agreements with other countries. Clause 1 of those rules stipulates:These Rules set out mandatory standards and procedural requirements for the conduct of procurement by government departments (defined for this purpose as the "public service departments" listed in the Schedule to the State Sector Act 1988, plus New Zealand Defence Force and New Zealand Police). The Rules reflect and reinforce New Zealand's established policy of openness and transparency in government procurement. They are based on, but not limited to, the treaty obligations of New Zealand under Chapter 11 of the Trans-Pacific Strategic Economic Partnership Agreement with Brunei, Chile and Singapore (TPSEPA, also known as the P4 Free Trade Agreement). The Rules are to be applied by departments in their procurement globally to facilitate competitive participation by domestic and foreign suppliers in New Zealand's government procurement market.
Departments are also expected to abide by the Policy Guide for Purchasers produced by the Ministry of Economic Development and best practice guidance from the Auditor General, such as Procurement Guidance for Public Entities. Relevant ICT project management guidelines include the SSC Guidelines for Managing and Monitoring Major IT Projects, (* way old; delete ? the Government Web Site Outsourcing Guidelines *) and the Government Web Standards and Recommendations. Large projects may also come under the Gateway Review Process.
All government departments and agencies must comply with New Zealand legislation, regulation, government policy and national standards. Where overseas offices are maintained, legislation and regulation in the host country must also be taken into account. Where foreign legislation and regulation appears to be in conflict with New Zealand legislation, regulation, policy or national standards, advice should be sought from New Zealand's information security authority - the Government Communications Security Bureau (GCSB).
Government departments and agencies must also note the requirements for the handling of official information and any information classified under New Zealand's protective marking scheme. These requirements are specified in the document Security in the Government Sector (SIGS). Where necessary, advice on these matters should be sought from the GCSB.
- The Government requires that information important to its functions, its official resources and its classified equipment is adequately safeguarded to protect the public and national interests and to preserve personal privacy.
- Chief Executives and heads of government departments and agencies, State Owned Enterprises and Crown Entities are responsible for implementing and managing effective security arrangements within their organisations. They must create and maintain appropriate security environments to adequately protect official information and classified equipment. The level of protection must correspond to the assessed level of risk.(Security in the Government Sector. Department of the Prime Minister and Cabinet, 2002. Policy Statement, p. 5)
Government departments and agencies should note that SIGS is mandatory for all departments and is recommended for Crown entities. However, the requirement for Crown entities to comply with New Zealand legislation, regulation, government policy and national standards remains unchanged.
While standards and guidance on risk and ICT security from non-New Zealand sources may be helpful, these must be considered to be a supplement but may not supersede any New Zealand legislation, regulation, policy or standards.