Security Risk and Assurance
Cloud Services, Digital Services and ICT systems come with certain risks. To help agencies manage these risks, and exercise due diligence in their consumption of these services, Marketplace applies a three-tier Security Assurance and Cloud Endorsement Model to SaaS Channel service listings.
Three-tier security risk and assurance model
Agencies subscribing to cloud services and ICT Managed Services through Marketplace will assess these risks in a way that suits their risk appetite and will have it appropriately signed off.
SaaS Channel Cloud Services assurance
To support your customer agencies' security risk and assurance processes and decisions, Marketplace has been designed to apply the following three-tier Security Assurance and Cloud Endorsement Model to these services, for which Tier 1 is the highest level.
- Tier 1: Design and Control Effectiveness — To obtain this rating, suppliers have to provide additional information and receive Information Security Certification from the New Zealand Government Chief Digital Officer (GCDO). This activity can be supported by the organisation holding International Organization for Standardization (ISO) certification (ISO 2700) and SOC2 certification. Alternatively, the provider is recommended to engage the Security Services Related Panel to provide independent assurance of Design and Control Effectiveness.
- Tier 2: Design and Control Analysis — Suppliers have to provide detailed security assurance information that agencies will be able to review. This information will be reviewed and confirmed as appropriate by the GCDO before Tier 2 endorsement is granted.
- Tier 3: Baseline Index — Suppliers need to have an independently verified security risk rating to provide their service on Marketplace, such as a Confidence and Risk Index (CRI) rating, plus the Cloud Risk Assessment Tool.
Refer to the Guidance from the GCDO on how vendors complete the risk discovery tool for public cloud services. This guidance includes a link to view the unsorted questions. When submitting an application to provide cloud services, suppliers must complete a cloud service provider risk assessment questionnaire that includes these questions.
Baseline rating for new suppliers
When you apply to be a cloud services supplier, Marketplace looks for the service you wish to offer on an independent Cloud Assurance Security Broker (CASB) database registry.
If there is a match, it returns a Confidence and Risk Index (CRI) rating. Cloud services which return a CRI value between 1 and 6 (with 1 being the strongest) will be assigned by default to security Tier 3.
You also have to provide a copy of the Cloud Risk Assessment Tool with the supplier ('provider') questions answered.
Note that the GCDO is not endorsing or providing any form of assurance for the services listed under a Tier 3 status.
What happens if my cloud service is not listed in the CASB?
If the service you wish to supply is not matched to a listing in the Marketplace CASB database registry, then we will add it when we set up your Marketplace account.
If this step is required, it will take around three working days.
Getting a higher security rating for SaaS Channel Services
If you wish to attain a higher security rating than Tier 3, you need to contact the Marketplace Team at marketplace@dia.govt.nz to request a deeper security assessment.
To be assessed for a higher rating, you may need to select a provider from the New Zealand government ICT Security and Related Services Panel (SRS Panel) to undertake Tier 2 and Tier 1 assessments if you do not have supporting assurance artefacts. Suppliers are required to pay their own costs for this higher security assessment process.
If the higher rating is granted or required as part of the application process, your service or product security tier will be updated accordingly.
A limited number of SaaS Cloud Services are assessed at Tier 2 during the application process because of the nature of their risk profiles.
These services are:
- Content Services Software – Process Automation Software
- Content Services Software – Content Digitisation Software
- Content Services Software – Content Services Software
- Digital Experience Software – Digital Personalisation Software
- Digital Experience Software – Digital Insights Software
- Digital Experience Software – Data Integration Software
- Digital Experience Software – No / Low Code Development Software
- Digital Experience Software – Digital Experience Software
Contact the Marketplace team to find out more about obtaining a higher security rating.
Managed Services Channel assurance
ICT Managed Services use a tiering model similar to SaaS Cloud Services. A limited number of current services are assessed at Tier 2 during the application process because of the nature of their risk profiles.
These services are:
- Service Integration and Aggregation Management - Service Aggregation Services
- Service Integration and Aggregation Management - Service Management Services
- Cloud Service Brokerage - Cloud Service Management
- Managed Content Services - Managed Content Services
- Digital Experience Services - Digital Experience Platform Services
To be assessed for these services, you may need to select a provider from the New Zealand government ICT Security and Related Services Panel (SRS Panel) to undertake Tier 2 assessments if you do not have supporting assurance artefacts.
Suppliers are required to pay their own costs for this higher security assessment process.
If the higher rating is granted or required as part of the application process, your service or product security tier will be updated accordingly.
If you are interested in obtaining a higher security rating, please contact the Marketplace team.