cloud-service-assessment.md

File metadata and controls

160 lines (81 loc) · 8.09 KB

Cloud Service Assessment

Purpose

The Scottish Government considers any storage, information-sharing or collaborative website that is outside the Scottish Government IT systems to be a cloud service or tool. We recognise the benefits that cloud services and collaborative tools can provide when they are used responsibly and with a full assessment of the risks to our information assets.

The purpose of this document is to provide a template for a thorough assessment of the risks associated with the use of a specific cloud service in a specific context.

Contents

Revision History

| Version | Issued | Comments |
|---------|------------|----------|
| 0.1 | dd-MM-yyyy | |

Distribution List

| Role | RACI |
|------|------|
| | |

Review

| Review frequency | Next review due |
|------------------|-----------------|
| ? | ? |

Executive Summary

<Summarise the document in 1 or 2 paragraphs.>

Business Requirement

Briefly describe your business need and specify the service that you plan to use.

What information will be stored and processed by the cloud service?

<_What classification is the data being stored and processed? In particular, consider whether any information at OFFICIAL-SENSITIVE or above must be stored or processed. In general, information classified at OFFICIAL-SENSITIVE or above should not be stored or shared in cloud services or collaborative tools unless they are provided by the Scottish Government and certified for that level of information.

What is the impact of a security breach in which confidential information stored and processed by the service becomes publicly readable or editable?_>

Who will have access to the service?

<Will the users be SG, non-SG or both? Be aware of the access and privacy controls available in the cloud service or collaborative tool. The default may be open public access, which is not always appropriate for Scottish Government information. Indicate whether all users of the service have completed up-to-date data protection training.>

Have you consulted with colleagues to check whether an existing tool or service already in place can meet your requirement?

Information Security

What security controls are in place for the service?

<Do registration and log-in require two-factor authentication? Consider assessing the service against the NCSC Cloud Security Principles. Can we test the security of the service through penetration testing, with the provider's authorisation?>

Based on the impact of a security breach (above) and the security controls in place, summarise the risk of using the service.

<Carefully assess whether the security of the service you have selected is suitable for the activity you need to undertake or the information you wish to store.
- Are the security controls proportionate to the information that will be stored and processed?
- What risks are identified, and what are their impact and likelihood?
- Can any further action be taken to reduce the risk?
- What is the residual risk, and is it acceptable to your IAO?
- Is there any corporate risk that goes beyond the business area (e.g. could use of the service affect SCOTS)?>

How will Security Incident Management be initiated?

<Consult the SG Security Incident Management Reporting Guidance.>

Have you read and understood the terms and conditions of use?

<The terms and conditions offered to users of the service or tool should be easy to find, clearly displayed and easy to understand. Read them, and make sure that you can live with them.>

Information Management

Who owns the intellectual property for information stored, created and processed by the service?

<Some providers' terms claim ownership of, or a broad licence to exploit, any information stored with their services and tools. Do we retain the IP for information that is stored, created and processed by the service?>

Has the Information Asset Register been updated to include a record for the information stored in this cloud service?

Are users of the cloud service aware that its content forms part of the record of government, and therefore that any information in the service may be released in response to a Freedom of Information request and may be attributable to them?

Personal Information

Will any personal information be stored and processed? If so, provide a summary of your privacy impact assessment.

<Is the service based in the European Economic Area, or does the provider participate in a recognised international transfer arrangement? Note that the EU-US "Privacy Shield" arrangement was invalidated by the Court of Justice of the EU in July 2020 and can no longer be relied on.>

Where does the cloud service store its data?

<Many providers either keep their data on servers sited outside the European Economic Area or make no declaration about its physical location. Use of such services could mean that we are unable to comply with Principle Eight of the Data Protection Act 1998 (no transfer of personal data outside the EEA without adequate protection) and other information-related legislation.>

Does the service allow you to select a user name?

<_That is, it does not insist that you use your Scottish Government email address as a user name.

Do not use a personal account for Scottish Government business. It can be tempting to use an existing personal account for work-related activities, but this blurs the boundary between what is private and what is not, and where responsibility for, and ownership of, content and information lies. Ensure that an SG-specific user account is created with the service for each user. Do not use your SCOTS ID and password to create accounts._>

How will subject access requests be handled?

<A collaborative tool that involves interaction with, or contribution from, the public may be a legitimate channel for someone to submit a subject access request under data protection law (a request by an individual asking you to tell them about the personal information you hold about them; see the Information Commissioner's guidance on handling such requests). Make sure you monitor such accounts, and close them down if they are no longer used.>

Business Continuity

What regimen is in place to ensure that this information is recorded in eRDM?

<_eRDM continues to be the official repository for SG information. Explain which elements of the information stored in this service have corporate value and what regimen is in place to ensure that this information is recorded in eRDM.

Keep a record of anything important in the official repository, eRDM._>

What is the impact of the service becoming unavailable?

<Can we tolerate this? For how long? What mitigations are in place?>

What back-up regimen will be put in place?

<Most providers make no claim to offer an effective back-up facility and give no guarantee to restore data if it is lost, even when the provider itself is at fault. Does the service have an acceptable back-up regimen that guarantees data will not be lost if it experiences a failure? If not, is an appropriate back-up regimen in place on the SG side?>

What is the exit strategy, if you decide that you will cease using the tool?

<Ensure you have an exit strategy for ceasing use of the service or tool if it does not meet your requirements. Can we export the data in a usable format if we want to move to another service?>

Acceptance of Risk

Briefly summarise the residual risks of using this service. Exposure is Impact multiplied by Likelihood.

| Risk | Impact (0-5) | Likelihood (0-5) | Exposure (0-25) | Comments |
|------|--------------|------------------|-----------------|----------|
| | | | | |

Who is your Information Asset Owner (IAO)?

Confirm that the IAO has signed off that they understand and accept the risks of using this cloud service, based on the above.

  • Confirmed.

Appendices

<Provide any relevant appendices.>

References

<Provide any relevant references.>