Information security

INF039

Outsourcing, offshoring and supply chains

Supply chains are becoming more complex. When you conduct your risk assessment, consider each part of your organisation’s supply chain.

If you’re considering outsourcing functions, services, or capabilities to third parties, make sure you understand the value and classification of the information that the supplier and their sub-contractors will have access to.

Check that your suppliers can articulate who and what they are connected to, and what dependencies they have.

Your organisation should consider using common capability solutions if they exist, rather than sourcing individual solutions themselves, because the security and capability has already been scoped.

Products and services — digital.govt.nz

Your organisation’s heads will remain accountable for ensuring that information is appropriately protected, even if you outsource responsibility for security controls.

It is your responsibility to perform due diligence, validation, and acceptance for supply chain services, even when you use common capability solutions.


If you outsource or offshore services

If you’re considering outsourcing functions, services, or capabilities to third parties — inside or outside of New Zealand — make sure you understand the value, classification, and relevant risks of the information that the supplier and their sub-contractors will have access to.  

Follow guidelines

New Zealand Government organisations must follow the outsourcing and offshoring guidelines and policies defined below.

  • You can enter into outsourced and offshore ICT arrangements for storing or processing information protectively marked at, or below, RESTRICTED.
  • You must not enter into offshore ICT arrangements for storing or processing information protectively marked CONFIDENTIAL, SECRET, or TOP SECRET.
  • You can enter into outsourced ICT arrangements which are physically located in New Zealand for storing or processing information protectively marked CONFIDENTIAL, SECRET or TOP SECRET with the approval of the Government Communications Security Bureau (GCSB).
  • If you’re considering using cloud services, you must contact the Government Chief Digital Officer (GCDO) for advice and guidance and follow the advice and guidance on digital.govt.nz about using cloud services.
    Cloud Services — digital.govt.nz
  • If you’re planning to use cloud services, you must perform a formal risk assessment. Use your organisation's process for information security risk assessment and the guidance provided by the GCDO below. Identify the controls needed to manage the information security and privacy risks associated with your use of the service.
    Cloud Computing: Information Security and Privacy Considerations — digital.govt.nz.
  • You must verify you have put effective controls in place to manage security and privacy risks before certifying and accrediting the service for use.


Storing and processing New Zealand Government information

You need to take the steps below when using cloud services to store or process New Zealand Government information. They apply to:

  • using New Zealand or overseas cloud services for information protectively marked at, or below, RESTRICTED (excluding non-protectively marked information that is publicly available)
  • using New Zealand cloud services for information protectively marked above RESTRICTED.

Your organisation must do these things:

  • Conduct a formal risk assessment to identify the controls required to manage the information security and privacy risks associated with using the service.
  • Formally accept the residual risk associated with using the service to process protectively-marked information
  • Inform the GCDO of your decision to use the service.
  • Provide the GCDO with evidence you have completed a formal risk assessment, followed the GDCO’s guidance and advice, and formally accepted the residual risk associated using the service.
  • Accredit the systems used by the contractor to at least the same minimum standard as the your systems.
  • Ensure cloud service providers apply the controls specified in the New Zealand Information Security Manual (NZISM) to any systems hosting, processing, or storing your data and systems.
  • You must not use public or hybrid cloud services to host, process, or store material marked New Zealand Eyes Only (NZEO).
     

Policy for storing and processing government information in outsourced or offshore arrangements


Outsourcing for unclassified information that is publicly available

You can outsource services for storing and processing information that is publicly available and not protectively marked to providers outside New Zealand.

Before entering into any arrangements, you must formally assess the security risks and identify controls to manage them.

You must follow the requirements for handling, storing, transmitting, transporting, and disposing of information in the Management protocol for information security.

Outsourcing for information that is protectively marked at, or below, RESTRICTED

You can outsource services for storing and processing information protectively marked at, or below, RESTRICTED to providers outside New Zealand. Before entering into any outsourced or offshore ICT arrangements, your organisation must:

Before you certify and accredit the service, as part of the validate stage of the security lifecycle, verify that the security controls for managing security and privacy risks have been implemented and are effective.

Your chief executive, or their formal delegate, must:

  • ensure that a formal risk assessment has been completed
  • accept the residual risk associated with your use of the service
  • inform the GCDO of your decision to enter into the outsourced or offshore arrangement.

Information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET

You must not outsource services for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET outside New Zealand.

You can outsource services to a provider physically located in New Zealand for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET. However, you must get approval from the GCSB first.

Supporting documents and information

 

Page last modified: 16/11/2018