Case Study: Cloud Risk Assessment

A Government Department was seeking to transition the Department’s data drive and SharePoint data to ICT-as-a-service arrangements, specifically Microsoft OneDrive and SharePoint Online. The Department required independent assurance that OneDrive and SharePoint Online meet regulatory and privacy obligations, and align with the Queensland Government’s ICT-as-a-service offshore data storage and processing policy.

The scope of the cloud risk assessment included:

  • Classification of data within the Shared Drive
  • Classification of data within the SharePoint system
  • Privacy Impact Assessment of data as above
  • Assessment of the risk of using SharePoint Online and OneDrive as a replacement for current SharePoint and Shared Drive
  • Documentation of Briefing Notes to appropriate executives for approval.

Business Aspect’s approach to the risk assessment of IT systems and cloud services is well defined and uses a methodology based on industry best practice. The methodology is supported by recognised standards such as ISO 31000 (Risk Management) and the ISO 27000 series for security, as well as key Queensland Government standards and guidelines. These were aligned with the Department’s own risk assessment methodologies and frameworks.

Business Aspect undertook the risk assessment in the following phases:

[Figure: the four risk assessment phases]

  1. Project Planning – including confirmation of prerequisites
  2. Data Classification and Privacy Impact Assessment – information gathering, identification and data classification; stakeholder interviews and workshops (including external vendor liaison)
  3. Assessment of risks (including threat identification), selection of controls, development of a draft report and consultation with stakeholders
  4. Project Closure – finalisation of the report, walkthrough with stakeholders and preparation of briefing notes.

Business Aspect prepared and released a questionnaire to site owners, seeking classification of the data stored by the Department. Using risk-based assessment criteria, Business Aspect was able to classify data stores into the Queensland Government’s own information security categories, from Public through to Highly Protected.

Using this information, together with further information gathered through interviews, Business Aspect undertook a risk analysis aligned with the Queensland Government ICT-as-a-Service Risk Assessment Guideline and the Department’s Risk Management Framework.

The review also included a comprehensive analysis of the security controls inherent in the Microsoft OneDrive and SharePoint Online environments, including a review of onshore versus offshore data storage and the related regulatory issues.

The outcome of this assessment was provided in a report that described the data classification, the key risks and the options for treating them. The report gave the Department clear direction on the risks, and the treatment options, involved in moving its data to the new environments.