Office Productivity — restricted security controls for public cloud services
Office Productivity's template for security controls mapped to the NZISM applies to most public cloud services using ‘RESTRICTED’ information.
Security template for Office Productivity
The Office Productivity template shows the security controls needed to protect information classified as ‘RESTRICTED’ according to the NZ Government Security Classification System.
Security requirements for offshore-hosted office productivity services explained (PDF 456KB)
Use the template for risk assessments for Office Productivity and most other public cloud services
The template describes how the security controls in the New Zealand Information Security Manual (NZISM) apply in the context of:
- Office Productivity services hosted offshore
- most other public cloud services that do not have security templates.
Government organisations can use it to help them with their risk assessments before using public cloud services.
Assess the risks of using a public cloud service
Meet the Protective Security Requirements
The security template for Office Productivity and the NZISM help government organisations to meet the mandatory security requirements from Protective Security Requirements (PSR).
Cabinet decision to accelerate the adoption of public cloud services
The security template was created by the:
- Government Chief Digital Officer (GCDO), then called the ‘Government Chief Information Officer’
- Government Communications Security Bureau (GCSB).
The GCDO and GCSB developed this guidance to assure risk owners and chief executives of how Office Productivity services hosted offshore met security requirements by applying specific controls. This was in response to the Cabinet decision to accelerate the adoption of public cloud services.
Cabinet minutes and papers for public cloud services
Security requirements covered
Focusing on paragraph 43 in the Cabinet minute, the security template for Office Productivity covers the security controls for:
- strategy — policies and processes
- architecture
- encryption
- access control
- backup
- archiving
- recovery
- incident management
- decommissioning
- third-party assurance.
Security requirements not covered
The security template for Office Productivity does not cover:
- business and technical contexts
- information classification
- criticality — service delivery
- data sovereignty — jurisdiction
- privacy.