Cloud Controls New Zealand Government 2014

1. Government Cloud References
Here is a non-exhaustive list of references for guidance that are referenced on the topic of Cloud Security Controls & Government in New Zealand as of November 2014.
 GCIO Framework & Guidelines
http://www.ict.govt.nz/assets/ICT-System-Assurance/Cloud-Computing-Information-Security-and-Privacy- Considerations-FINAL2.pdf
 New Zealand Information Security Manual (NZISM)
http://www.gcsb.govt.nz/assets/GSCB-NZISM/NZISM-2014-November-Release.pdf
 Security in Government Sector (SIGS) http://www.nzsis.govt.nz/assets/media/Security_in_the_Government_Sector_2002.pdf
 NZS6656 Code of Practice for Implementation and Operation of Trustworthy Computer Systems
Withdrawn
 AS/NZS ISO/IEC 27001:2006 Information Security Management Systems
Available for purchase from http://shop.standards.co.nz/catalog/27001%3A2006%28AS%7CNZS+ISO%7CIEC%29/view
 AS/NZS ISO/IEC 27002:2006 - Code of Practice for Information
Available for purchase from http://shop.standards.co.nz/catalog/27002%3A2006%28AS%7CNZS+ISO%7CIEC%29/view
 AS/NZS ISO/IEC 38500:2010 - Corporate Governance of Information Technology
Available for purchase from http://shop.standards.co.nz/default.htm?url=web- shop/&action=viewSearchProduct&pid=38500%3A2010%28AS%7CNZS+ISO%7CIEC%29&mod=catalog
 AS/NZS17799 Information Security Management Requirements and Controls
Superseded by AS/NZS ISO/IEC 27002:2006
 ISO/IEC 27005_2011(E) – Information Security Risk Management
http://shop.standards.co.nz/catalog/27005.ED+2.0%3A2011%28ISO%7CIEC%29+en/view
 AS/NZS ISO 31000:2009 – Risk Management
Available for purchase fromhttp://shop.standards.co.nz/catalog/31000%3A2009%28AS%7CNZS+ISO%29/view
 HB231 Process for information security risk management
Available for purchase from http://shop.standards.co.nz/catalog/231%3A2004%28HB%29/view
 Electronic Transactions Act (2002)
http://www.legislation.govt.nz/act/public/2002/0035/latest/DLM154185.html
 Protective Security Manual (PSM) Published by NZSIS “classified and not available to the general public.”
 NIST - Guidelines on Security and Privacy in Public Cloud Computing
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
 New Zealand Cloud Code of Practice (confirming Security compliance)
http://www.nzcloudcode.org.nz/upload/files/NZCloudCode.pdf
 Cloud Security Alliance – Cloud Control Matrix https://cloudsecurityalliance.org/media/news/csa-releases-ccm-version- 3/
 ENISA – Cloud Computing Information Assurance Framework http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance- framework
 COSO – Enterprise Risk Management for Cloud Computing
http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
 OPC – Privacy Commissioner
http://privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February- 2013.pdf
 SSC – State Services Commissioner
https://ict.govt.nz/assets/ICT-System-Assurance/offshore-ICT-service-providers-april-2009.pdf

2. Future likely references;
 ISO 27017 – ISO standards for Cloud due for publication 2015
 27018:14 – ISO standard for cloud PII http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498
 ISO 27032 – ISO standard for Cybersecurity http://www.iso.org/iso/catalogue_detail?csnumber=44375
Adam Voulstaker
Adam.voulstaker@gmail.com
November 2014