What is covered in the Cloud Guidance?
This guidance is relevant to all cloud services, including other ICT services that incorporate cloud as part of its delivery model. An example may be a mail system, where the associated data is stored on the cloud.
For more detail on what cloud services are, please see the bottom of this page.
What is the Cloud Policy?
The Cloud Policy provides practical steps to move services to cloud. This includes information on preparation, contracting and management. Also included are practical steps to help agencies prepare for transitioning to cloud services and considerations to note when moving to cloud.
When should I use cloud?
In line with the current DFSI circular on Data Centre Reform, agencies should continue moving remaining data centre and computer room infrastructure to GovDC or the cloud, and be procuring ICT as a service where possible.
This means that cloud services, whether public, private or hybrid will be appropriate in a wide range of situations for NSW Government agencies.
To understand when and how to use cloud for your business, it is important to consider your specific operational needs, develop a business case and assess the market. The NSW Government As a Service ICT Sourcing Guide outlines the steps to source ICT as a service.
How do I go about buying a cloud product/service?
The NSW Government has policies, frameworks and procurement platforms that can assist in planning, procuring and managing a cloud solution.
When beginning to look at cloud, it is important to first understand the NSW Procurement Policy Framework and how it applies to your procurement needs.
From there, agencies can use the NSW Government As A Service ICT Sourcing Guide for information on planning, preparation and managing cloud solutions.
If a solution may exceed $10m, refer to the ICT Assurance Framework for guidelines on the Gateway process.
buy.nsw online cloud procurement platform
buy.nsw is designed for NSW Government to make informed decisions when buying cloud. It offers a space for buyers and sellers of cloud products and services to connect and do business. buy.nsw supports the ICT Services Scheme. An authorised buyer can login to purchase products through buy.nsw.gov.au and search through approved sellers and their product offerings. buy.nsw offers buyers over 89 points of data for each product to help buyers make informed and efficient decisions.
How do I contract for cloud?
Agencies must use the approved Procure IT Framework when procuring cloud. The Procure IT Framework comprises:
- Procure IT v3.2 - for all ICT procurement over $500,000 and all high-risk ICT procurement from 1 September 2017
- Core& Agreement (Low Risk) - for all low risk ICT procurement up to the value of $500,000 (excluding GST) from 1 November 2018
The Department of Finance, Services and Innovation (DFSI) has developed a new Cloud Agreement for the procurement of a broad range of cloud services. The Cloud Agreement aims to address the multifaceted challenges faced by Agencies when procuring cloud, leveraging the opportunities and managing the risks around data, security and other changes in the cloud environment. The Cloud Agreement seeks to remove the impediments to going digital – making the contracting process fast and efficient.
When to use it?
The Cloud Agreement is not currently part of the Procure IT Framework. It has been approved by the Procurement Board for use on a pilot basis for low risk procurement under $500,000. Agencies may choose between the Procure IT Framework or the Cloud Agreement depending on their own procurement needs and risks. The Cloud Agreement offers a true alternative to Procure IT v3.2 as v3.2 was developed for the procurement of ICT products and services at a time when ICT solutions were largely “on premises”. The Cloud Agreement’s starting point was the Core& Agreement (Low Risk) which was modified and expanded to address to the broader range of procurement and risk scenarios for cloud services, applying the same design principles and approach.
To understand the key changes brought by the Cloud Agreement and when and how to use it, refer to DFSI’s Cloud Agreement Discussion Paper.
The Cloud Agreement is currently available to use by contacting firstname.lastname@example.org.
See the ICT Procurement Reform website for further information.
What is GovDC?
GovDC is a program of colocation datacentre services offered by the NSW Government to enable agencies to consume ICT services efficiently (cost, effort, flexibility), ease of cloud connectivity and physical security. More information is available on the GovDC page.
What are the data/information classification levels and storage requirements?
Most official information does not need increased security and may be marked UNCLASSIFIED or left unmarked. This should be the default position for newly created material, unless there is a specific need to protect the confidentiality of the information.
Unclassified data/information can be stored on cloud subject to the below requirements:
- Information and data are government assets and must be kept for as long as legally required (see the State Records Act 1998 for more information).
- All relevant data, metadata and information must be transferred back to government or to another service provider at the end of the cloud contract if required.
- Data and information must be deleted and removed from systems at the end of a business relationship (with a cloud storage provider).
- Data and information remain identifiable, retrievable and accessible for the duration of the cloud contract.
- Data and information are protected from unauthorised or unlawful access, destruction, loss, deletion or alteration for the duration of the cloud contract.
- If requested, data and information can be extracted and provided in response to a public enquiry.
UNCLASSIFIED SENSITIVE data
The sensitive classification can be used with unclassified data/information only, and includes Personal, Legal, NSW Cabinet, NSW Government, Law Enforcement, and Health Information sub classifications.
Australian hosted cloud storage can be considered subject to the above UNCLASSIFIED data requirements plus the following:
- Personal information must be protected
- A data breach notification and management plan must be in place
- Agencies are aware of all third-party solutions used in their environment and ensure strong privacy and data ownership issues are covered in contractual relationships with these providers, or that the government is aware of any risks or issues posed by these solutions
- If clients change their mind and want to withdraw consent and no longer want their data kept, systems must enable this data to be removed
Cloud storage for PROTECTED data/information should only be considered in environments certified under Commonwealth government frameworks.
Further detailed information on data/information classification can be found in the Information Classification, Labelling and Handling Guidelines. Additional direction can also be found in the following pieces of legislation:
- Privacy and Personal Information Protection Act 1998 (PPIPA);
- Government Information (Public Access) Act 1998 (GIPA);
- Health Records and Information Privacy Act 2002 (HRIPA); and
- State Records Act 1998.
What are the security considerations for cloud storage?
Agencies must abide by the new Cyber Security Policy when procuring cloud services. The Policy outlines mandatory requirements to appropriately manage cyber security risks.
Mandatory requirements from the Cyber Security Policy for cloud include (but are not limited to):
- Agencies remain accountable for the cyber risks of their ICT service providers and ensure the providers also comply where relevant, including notification of security incidents (Mandatory Requirement 1.5)
- Agencies must implement regular cyber security education for all employees, contractors and outsourced ICT service providers (Mandatory Requirement 2.1)
- ISO27001 certification (or appropriate alternative) is required for all clusters or agencies (Mandatory Requirement 3.1)
See the NSW Cyber Security Policy for further detail.
The Australian Cyber Security Centre’s Cloud Computing Security Considerations provide detailed cloud security considerations, which includes:
- Maintaining availability and business functionality
- Protecting data from unauthorised access by a third party
- Protecting data from unauthorised access by the vendor’s customers
- Protecting data from unauthorised access by rogue vendor employees
For the detailed requirements visit the Australian Signals Directorate Cloud Computing Security Considerations.
What other factors do I need to consider when buying cloud?
Accessibility – is the platform accessible to WCAG 2.0 AA or above?
Cost – such as value for money, total cost of ownership, organisational impact and fit for purpose.
Technical requirements – including enterprise architecture, bandwidth, response time, capacity, priority, availability, firewalling, automation, virtualisation, compatibility, interoperability and configuration. Vendor lock-in should be avoided.
Data location – where possible, data should be located in Australia. This is a standard term in the Cloud Agreement.
Risk management – agencies must undertake comprehensive risk assessments, including on network access, storage and maintenance of public sector information and records held by cloud providers.
Security – the provider must meet the security obligations listed in the Cyber Security Policy.
Privacy – ensure the cloud service provider meets NSW information privacy laws and any other applicable privacy laws.
Ownership – the consumer (NSW Government) must retain ownership and control of all consumer data from the time it is created, and the cloud provider is not permitted to access or use any consumer data for purposes other than specified in the draft Cloud Agreement.
Insurance – providers should be appropriately insured including for public liability, product liability, workers’ compensation, cyber security and professional indemnity. For further detail of the insurance requirements see the draft Cloud Agreement Core Terms.
Jurisdiction – the contract should nominate NSW as the exclusive jurisdiction of the agreement, including for any disputes.
What is cloud?
Cloud computing is a delivery model for ICT services and is defined by the US National Institute of Standards and Technology (NIST) as 'a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction'.
There are three cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Services (SaaS).
For further information on ‘what is cloud’ refer to the Australia Cyber Security Centre’s Cloud Computing Security Considerations website.
What are the different types of cloud?
The cloud infrastructure is shared via the internet with many other organisations and members of the public.
Provided solely for the use of one organisation and managed by that organisation or by a third party, provided at the organisation’s premises or off-site.
A cloud deployment using at least two different cloud deployment models. An example is using resources from a pubic cloud for displaying non‐sensitive data, which interacts with sensitive data stored or processed in a private cloud.
Exclusively shared by a number of organisations with common objectives, and it may be on or off premises. An example may be the sharing of cloud infrastructure among several agencies of the same government.
Multi-cloud involves leveraging two or more cloud computing platforms to perform various tasks. This allows organisations to realise resourcing and service benefits by taking advantage of the systems and costs structures of multiple providers.
For further information on the types of cloud refer to the NSW Government Cloud Policy (Cloud Policy).