Risk Management Approach
Agencies are required to take a risk management approach when considering any outsourcing, including sending government ICT services or data outside New Zealand. The New Zealand Government's standard for risk management is AS/NZS 4360, supplemented by HB 231 (Handbook 231), which is a guide to applying this standard. Both of these documents may be purchased through Standards New Zealand. ISO/IEC 27005 is expected to supplement these documents at some point.
The identification of critical success factors and unacceptable risks should be undertaken prior to a detailed risk analysis to establish the minimum protections required and any specific circumstances in which the offshoring initiative should be abandoned. The recommended risk assessment process is to:
- identify relevant risks, vulnerabilities and controls, and their likelihood and impact
- identify the relevant stakeholder communities, their concerns, and possible reactions to adverse events
- assess the identified risks, their likelihood and impact
- identify existing or planned mitigations for each risk, and
- assess the residual (untreated) risk based on the reduced impact and/or likelihood that results from mitigation (Risk - Controls = Residual Risk).
A risk report about sending government ICT services or data offshore should include:
- The proposed location and its specifics, such as: whether it is a European Union (EU) member state (and if it implements the EU Privacy Directive), the languages normally used, and how it is rated by Transparency International, an international organisation concerned with open and transparent government.
- Contract-specific information such as (where applicable) the service that is being hosted or provided, what information is to be transferred between NZ and the provider, what primarily NZ-held information is to be processed remotely by the offshore service provider, and the classification level(s) of any information involved.
- The means of information transmission - how, when, and what protections are applied
- The means of data recovery on termination of contract
- The management of test data for the service - what will be used, how it will be handled, how it will be safely disposed of when the test is over
Ideally such a risk assessment should be undertaken before any procurement activity starts. Agencies should then assess whether the level of residual risk is acceptable. Under some circumstances, the risk will be considered unacceptable irrespective of any assessed monetary benefit. (See: Big Picture Risks) A cost/benefit analysis can then determine the net benefit of offshoring ICT services, taking into account:
- The cost of the offshore contract and the cost of mitigating associated risks
- The residual (untreated/accepted) risks
- The expected benefits that will be realised through an offshore contract.
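The assessment steps above (score each risk, apply its controls, derive the residual risk as Risk - Controls = Residual Risk, flag anything that remains unacceptable regardless of benefit, then net the expected benefit against contract and mitigation cost) can be captured in a small risk register. The following is an added illustration, not part of the original guidance or of any government tool: the 5x5 likelihood/impact scale, the tolerance threshold, and every risk, control and dollar figure in it are constructed for the example.

```python
"""Constructed risk-register illustration of the offshoring risk assessment steps.
All risks, scores, thresholds and costs are made up for the example."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed 5x5 likelihood x impact scoring; AS/NZS 4360 leaves the scales to the agency.
TOLERANCE = 9  # residual score at or above this still needs treatment (assumed threshold)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood on the 1..5 scale
    impact_reduction: int = 0       # points taken off impact on the 1..5 scale
    annual_cost: float = 0.0        # constructed NZD figure


@dataclass
class Risk:
    id: str
    description: str
    stakeholders: list[str]         # communities whose concerns and reactions matter
    likelihood: int                 # 1..5
    impact: int                     # 1..5
    controls: list[Control] = field(default_factory=list)
    never_acceptable: bool = False  # a 'big picture' risk: no monetary benefit justifies it

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int, int]:
        """Residual likelihood, impact and score after all controls (floor of 1 each)."""
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lk, im, lk * im


def assess(register: list[Risk]) -> dict:
    """Residual score per risk, risks still above tolerance, show-stoppers, and mitigation cost."""
    residual = {r.id: r.residual()[2] for r in register}
    untreated = [r.id for r in register if residual[r.id] >= TOLERANCE]
    abandon = [r.id for r in register if r.never_acceptable and residual[r.id] >= TOLERANCE]
    mitigation_cost = sum(c.annual_cost for r in register for c in r.controls)
    return {"residual": residual, "untreated": untreated,
            "abandon": abandon, "mitigation_cost": mitigation_cost}


def net_benefit(contract_cost: float, mitigation_cost: float, expected_benefit: float) -> float:
    """Expected benefit less contract and mitigation cost; residual risks are reported separately."""
    return expected_benefit - contract_cost - mitigation_cost


# Constructed register for a hypothetical offshore hosting proposal.
REGISTER = [
    Risk("R1", "Provider sub-contracts hosting without agency consent",
         ["agency", "public"], likelihood=3, impact=4,
         controls=[Control("Contract prohibits sub-contracting without written consent",
                           likelihood_reduction=2),
                   Control("Annual review of outsourced functions",
                           likelihood_reduction=1, annual_cost=5000)]),
    Risk("R2", "Information disclosed in transit to the provider",
         ["agency", "individuals"], likelihood=3, impact=5,
         controls=[Control("Protected transmission channel",
                           likelihood_reduction=2, annual_cost=8000)]),
    Risk("R3", "Data not recoverable on contract termination",
         ["agency"], likelihood=2, impact=4,
         controls=[Control("Exit clause: data returned in an open format",
                           impact_reduction=2, annual_cost=2000)]),
    Risk("R4", "Host jurisdiction compels disclosure of agency data",
         ["agency", "public", "ministers"], likelihood=2, impact=5, never_acceptable=True,
         controls=[Control("Higher-classified information excluded from scope",
                           impact_reduction=3)]),
]

if __name__ == "__main__":
    result = assess(REGISTER)
    print(result)
    print("net benefit:", net_benefit(120_000, result["mitigation_cost"], 180_000))
```

Removing R4's control in the register above leaves its residual score at 10, above the assumed tolerance, and because it is marked `never_acceptable` the assessment reports it under `abandon`: that is the case the text describes where the initiative is dropped irrespective of any monetary benefit, before any cost/benefit figure is considered.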
Ongoing risk management of an offshore contract
The final stage in the process is to define and implement management processes and governance structures to ensure that risk is managed throughout the life of the contract and possibly beyond. Change - political, legislative, business, systems, environmental, and cultural - is happening at an increasingly rapid rate and constant vigilance is needed to ensure that the ongoing risk, new risks that appear, and the impact of change is appropriately managed.
Agencies are reminded that regular, if not annual, reviews of risks and their mitigations/controls are good practice in any outsourcing arrangement. Those reviews should include whether any functions that have been outsourced might be (or have been) considered for secondary outsourcing, that is, sub-contracting, by the contractor. It is advisable for outsourcing contracts to prohibit the contractor from sub-contracting any of the outsourced tasks without the explicit written consent of the government agency.
Additionally, government agencies should not find themselves in the position where penalties arising from insufficiently flexible contract terms act as significant constraints on their ability to act in New Zealand's best interests.
Training and resources
Government Technology Services (GTS) provides risk assessment, risk management and security expertise.
GTS also provides training for government staff in applying the all-of-government Risk Assessment framework based on the AS/NZS 4360 Risk Management standard. The workshop is aimed at those responsible for risk management either as part of a project or on a routine basis. While the training is generic, participants are encouraged to bring concrete examples for discussion. The email contact for this training is: gts@dia.govt.nz.
The Treasury provides guidance on preparing a cost benefit analysis.
Government agencies are strongly advised to take advantage of the expert risk assessment panel established by SSC for Quantitative Risk Analysis (QRA) services for the preparation or review of a risk analysis where appropriate.
Agencies are also advised to consult their monitoring agencies as appropriate to endorse or advise on the risk assessment and cost/benefit analysis. For major IT projects, agencies should consult the SSC Guidelines for Managing and Monitoring Major IT Projects and the Gateway Review Process.
Agencies are reminded that the Government Web Standards and Recommendations apply regardless of whether their website is hosted in New Zealand or offshore.
Copies of Security in the Government Sector (SIGS) and the NZ Security in Information Technology guidance (NZSIT 40x) are available from http://www.gcsb.govt.nz. Government organisations requiring advice or training related to the application of these documents should contact liaison@gcsb.govt.nz in the first instance.