offshore ICT

Discussion of key risks

The categorisation of risks below is a starting point for preparing the detailed risk analysis of an offshore contract. It should not be considered either a complete or an accurate reflection of all of the risks and mitigations that might exist in the unique circumstances relating to an agency's decision about an offshore contract. Instead, agencies should build on and amend the identified risks through internal and external consultation to capture all relevant risks and mitigations.

The risks discussed on the following pages are:

Risk Management Approach

Agencies are required to take a risk management approach when considering any outsourcing, including sending government ICT services or data outside New Zealand. The New Zealand Government's standard for risk management is AS/NZS 4360, supplemented by HB231 (Handbook 231), which is a guide to applying this standard. Both of these documents may be purchased through Standards New Zealand. ISO/IEC 27005 is expected to supplement these documents at some point.

Background

Government agencies considering the use of ICT service providers for data processing and management services or government data storage should assess the risks of doing so and compare those risks against any potential benefits. Some risks may be trivial, such as when an agency chooses to make older publications available electronically. Others may be serious enough to preclude any consideration of permitting the information to be stored offshore, as with national security information or sensitive personal information such as criminal records.

Introduction

Purpose

The New Zealand government is a steward of information and data on behalf of all New Zealanders. Stewardship requires an informed balance between sometimes competing drivers.