ICT Shared Capabilities
Marketplace
Managed Payroll Services
Security Risk Assessment Report
Issued by Digital Public Services Branch
Released under the Official Information Act 1982
IN-CONFIDENCE
Glossary of Terms
Availability
Ensuring that authorised users have timely and reliable access to information.
Confidentiality
Ensuring that only authorised users can access information.
Consequence
The outcome of an event. The outcome can be positive or negative. However, in the context of information security it is usually negative.
Control
A risk treatment implemented to reduce the likelihood and/or impact of a risk.
Gross Risk
The risk without any risk treatment applied.
Impact
See Consequence.
Information Security
Ensures that information is protected against unauthorised access or disclosure (confidentiality) and unauthorised or improper modification (integrity), and can be accessed when required (availability).
Integrity
Ensuring the accuracy and completeness of information and information processing methods.
Likelihood
See Probability.
Probability
The chance of an event occurring.
Recovery Point Objective (RPO)
The earliest point in time that is acceptable to recover data from. The RPO effectively specifies the amount of data loss that is acceptable to the business.
Recovery Time Objective (RTO)
The amount of time allowed for the recovery of an information system or service after a disaster event has occurred. The RTO effectively specifies the amount of time that is acceptable to the business to be without the system.
Residual Risk
The risk remaining after the risk treatment has been applied.
Risk
The effect of uncertainty on the business objectives. The effect can be positive or negative. However, in the context of information security it is usually negative.
Risk Appetite
The amount of risk that the organisation is willing to accept in pursuit of its objectives.
Risk Owner
A person or entity with the accountability and authority to manage a risk. Usually, the business owner of the information system or service.
Stakeholder
A person or organisation that can affect, be affected by, or perceive themselves to be affected by a risk eventuating.
Threat
A potential cause of a risk.
Vulnerability
A weakness in an information system or service that can be exploited by a threat.
Managed Payroll Services SRA
IN-CONFIDENCE
Page 4 of 51
Contents
Glossary of Terms .... 4
Executive Summary .... 6
  Introduction .... 6
  Key Risks .... 7
  Gross Risk Position .... 8
  Key Recommendations .... 9
  Residual Risk Positions .... 11
Business Context .... 13
  Business Processes Supported .... 13
  Information Classification .... 16
  Users and Stakeholders .... 18
  Legislation, Policy, and Guidelines .... 19
Technical Context .... 20
Security Requirements .... 23
Out-of-Scope .... 25
Detailed Findings .... 26
Controls Catalogue .... 38
Appendix A – Consulted Agencies and Suppliers .... 46
Appendix B – Project Overview .... 47
  Scope .... 47
  Approach .... 48
Appendix C – Risk Assessment Guidelines .... 49
  Rating Risk .... 49
  Likelihood (Probability) Assessment .... 49
  Impact (Consequences) Assessment .... 49
Executive Summary
Introduction
Payroll is a large, important, and complex part of an Agency. To effectively run payroll services, the
software used must integrate with many different systems. All these systems combined perform key
business functions ranging from payroll, time and attendance, award interpretation, rostering, human
resources, workforce management, self-service, and data management.
Payroll itself is made up of two channels:
• Managed Services, which includes both software and a range of associated business and
supporting services; and
• Enterprise Software, which includes the software.
The Marketplace Managed Payroll Service catalogue may rely on either provider-hosted (or Software-as-a-Service, SaaS) or agency-hosted software.
This report includes the findings for the information security Risk Assessment for the Managed Payroll
Service, reliant on provider-hosted software and used by Consuming Agencies (CA). There will be
multiple suppliers (referred to as Managed Service Providers, MSP) that will provide this service, and
each CA will have their own unique context and risk appetite. Therefore, this report contains generic
findings, and the intent is that each CA will review them using their own risk management framework.
This Risk Assessment also only considers the context that the data stored, transmitted, or processed
by these products is classified as IN-CONFIDENCE or lower. If a CA stores, transmits, or processes data
with a higher classification, they will need to re-assess these risks using their own information
classification policy and risk management framework.
Only provider-hosted software options are considered in-scope for this assessment. This means this
assessment will include risks relating to the MSP:
• Managing and administering payroll functions and business processes on behalf of a CA;
• Managing and performing software support for provider-hosted software (i.e. management
of CA tenancy data, configurations, and users); and
• Managing or sharing responsibility for the underlying software infrastructure (i.e.
management of all other components of the software stack).
The details of the Marketplace structure and security risk assurance framework can be found in
Appendix B.
The Risk Assessment performed followed the Government Chief Information Officer’s (GCIO) Risk
Assessment process, which is based on the AS/NZS ISO 31000:2009 and ISO/IEC 27005:2011 risk
management standards.
9(2)(k)
9(2)(k)
Gross Risk Position
The following table illustrates the rating of each risk without any controls in place.
9(2)(k)
Key Recommendations
The Risk Assessment included key controls that if implemented, would help to address the identified
risks. A Controls Validation Plan (CVP) was also developed to specify the recommended controls
outlined in the Risk Assessment.
9(2)(k)
To mitigate and manage the identified gross risks rated as 9(2)(k), the following key recommendations should be undertaken:
1. MSP Due Diligence
Most of the recommended security controls must be implemented and managed by the MSP, or
the MSP must perform their own due diligence and share the management of the control with
another third party (such as a public cloud hosting provider). This includes controls for:
• Access controls and management;
• System resiliency, redundancy, and recovery;
• Encryption (in-transit and at-rest);
• Change and configuration management;
• Endpoint and host hardening and protection;
• Secure development and operations management; and
• Internal training.
While it is unlikely that the CA will be able to influence or dictate how the MSP manages these
controls, it is important to make sure the CA is aligned with the MSP before they enter into a
contract or start sharing data.
2. Access Management
The highest risks in this assessment relate to unauthorised access and misuse of access. While
most of these risks sit with the MSP, it will be critical for the CA to consider their own access
controls. Although CA users may have limited access to self-service or Manager permissions, this
can still be misused and lead to significant impacts to the CA.
This includes integrating the software with the CA’s own identity provider, or at least having
security controls configured to enforce two-factor authentication. It also means making sure that
logging is configured so the MSP or CA could be notified when events happen that need to be
investigated, such as failed login attempts or multiple bank account changes. It also includes
making sure there are granular enough permissions so high-risk requests, such as bank account
changes, can be approved by a manager or other role.
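The following is an added example, not code from the report or from any MSP's product: a small Python detector that runs over constructed payroll audit events and raises the two alerts the recommendation names (bursts of failed logins and multiple bank account changes by one user), plus the approval gate that a bank account change must be approved by someone other than the person making it. The log format, event names, thresholds and user names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample audit events (not real payroll data). Assumed line format:
# "<ISO timestamp> <actor> <event> <target> [approved_by=<user>]"
SAMPLE_LOG = """\
2024-03-04T08:01:10 jsmith LOGIN_FAILED jsmith
2024-03-04T08:01:25 jsmith LOGIN_FAILED jsmith
2024-03-04T08:01:40 jsmith LOGIN_FAILED jsmith
2024-03-04T08:01:55 jsmith LOGIN_FAILED jsmith
2024-03-04T08:02:10 jsmith LOGIN_FAILED jsmith
2024-03-04T08:02:30 jsmith LOGIN_OK jsmith
2024-03-04T08:05:00 jsmith BANK_ACCOUNT_CHANGE p1001
2024-03-04T08:06:00 jsmith BANK_ACCOUNT_CHANGE p1002
2024-03-04T08:07:00 jsmith BANK_ACCOUNT_CHANGE p1003
2024-03-04T09:30:00 akaur BANK_ACCOUNT_CHANGE p2001 approved_by=mlee
2024-03-04T10:00:00 akaur LOGIN_FAILED akaur
2024-03-04T11:00:00 rtan BANK_ACCOUNT_CHANGE p3001 approved_by=rtan
"""


@dataclass
class Event:
    ts: datetime
    actor: str
    kind: str
    target: str
    approved_by: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the assumed audit-log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        approved = None
        for extra in parts[4:]:
            if extra.startswith("approved_by="):
                approved = extra.split("=", 1)[1]
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], approved))
    return events


def burst(times: List[datetime], window: timedelta, threshold: int) -> bool:
    """Sliding window: True if at least `threshold` timestamps fall within any span of `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events: List[Event],
           failed_login_threshold: int = 5, login_window: timedelta = timedelta(minutes=5),
           bank_change_threshold: int = 3, bank_window: timedelta = timedelta(hours=1)) -> List[str]:
    """Return alert strings for the conditions the recommendation asks to be logged and notified on."""
    alerts = []
    by_actor_kind = defaultdict(list)
    for e in events:
        by_actor_kind[(e.actor, e.kind)].append(e.ts)

    # Volume-based alerts: repeated failed logins, repeated bank account changes by one actor.
    for (actor, kind), times in by_actor_kind.items():
        if kind == "LOGIN_FAILED" and burst(times, login_window, failed_login_threshold):
            alerts.append(f"FAILED_LOGIN_BURST actor={actor}")
        if kind == "BANK_ACCOUNT_CHANGE" and burst(times, bank_window, bank_change_threshold):
            alerts.append(f"MULTIPLE_BANK_CHANGES actor={actor}")

    # Approval gate: a high-risk change needs a second person, not the requester, to approve it.
    for e in events:
        if e.kind != "BANK_ACCOUNT_CHANGE":
            continue
        if e.approved_by is None:
            alerts.append(f"UNAPPROVED_BANK_CHANGE actor={e.actor} payee={e.target}")
        elif e.approved_by == e.actor:
            alerts.append(f"SELF_APPROVED_BANK_CHANGE actor={e.actor} payee={e.target}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```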
3. Incident Response and Resiliency Planning
Given the high-risk nature of a payroll function, it is important to balance out preventative controls
with detective controls. That way if a control fails, it can still be detected. This is especially the
case where permissions might not be granular enough to require a second level of approval before
making a high-risk security configuration change.
Logging and alerting will depend on the software and managing this will be the responsibility of
the MSP. This does not mean the CA does not have to be concerned with this risk. The CA should
be prepared to respond if the MSP raises an incident with them and should have a clear plan for
how those incidents are to be treated and escalated. The same goes for resiliency planning. If the
software is unavailable and the MSP is working to recover the system, the CA should be prepared
and aware of their plan of action as they will remain responsible for paying their payees. This could
involve a business continuity plan or a severe incident response playbook, including the option to
issue last month’s pay while the issue is resolved.
4. Additional Assessments
This Risk Assessment is expected to cover most of the use cases for a CA that wishes to use a
managed payroll service and software. However, there will be a few edge cases that might apply
that can have large impacts to security risk. This includes edge cases related to:
• Initial migration from the previous payroll system;
• Overseas legislation;
• Use or storage of Classification Removed data; and
• Limitations of software hosted overseas (i.e. jurisdictional, performance, operational risks).
A CA should consider if these edge cases apply to their context and perform additional risk or
assessment work to fully understand how this context affects these risks.
Residual Risk Positions
Table 2 below illustrates the expected residual rating of each of the risks if all the recommended MSP
controls are implemented and appropriately configured and managed.
9(2)(k)
Table 3 below illustrates the expected residual rating of each of the risks if all the recommended CA
controls are implemented and appropriately configured and managed.
Table 3 – CA Residual Risk Ratings
9(2)(k)
Business Context
This section provides an overview of the generic business context for the Managed Payroll Services
that are in scope of this generic information security Risk Assessment.
9(2)(k)
9(2)(k)
Pre-payroll Services Processes
Recording of pay data involves many factors:
• Salary or rostered wages;
• Schedules or work patterns (default, or custom); and
• Pay rules (award interpretation, or deductions and allowances).
Salary
Salaried employees have a pattern set in their work profiles that determines how pay is calculated,
and this would be configured and set in the payroll system. There is a default pattern that represents
a common, standard salaried employee (such as Monday to Friday, 8AM to 4PM).
This pattern can be changed, and changes often happen due to different pattern terms in the salaried
employee’s individual agreement or collective agreement, or a change in part-time or full-time status.
Rostering / Time and Attendance
Payees paid according to a roster can be full-time, part-time, or casual employees. If a payee is on
rostered wages, the time that they are paid for is based on either rostering (hours recorded in
advance) or time and attendance (hours recorded after they have been worked). Either could be performed:
• Manually, such as using spreadsheets and entering data into a system; or
• Using a system, either within a separate rostering system or within the payroll software (as an
add-on feature).
There are common controls and processes followed to confirm the integrity of the hours before the
payroll process kicks off:
• Default schedules and configurations – These are set in the rostering or time and attendance
systems, and make sure the pay is correct and complies with the Holidays Act;
• Approval flows – Hours recorded would go through an approval flow, and the approvers
required would depend on either a delegation matrix, collective agreement, individual
agreements, or multi-employer agreements; and
• Data integrity reports – These can be run in the payroll systems to confirm the pay calculated
is accurate, complete, and reliable.
Pay Rules
The last part of recording pay correctly involves pay rules: considering any award
interpretation, allowances, and deductions that might apply to a specific payee.
Award interpretation involves the translation of worked hours into a paid value based off rules and
regulatory requirements set in the system. This can include allowances, overtime, and penalties. The
rules and requirements are configured in either:
• The separate rostering systems; or
• Within the payroll software (as an add-on feature).
Common deductions that need to be configured before payroll is run include:
• Employment or contract status;
• Salary sacrifice (or a donation of part of their salary to a charity);
• Kiwisaver or superannuation contributions;
• Inland Revenue Department or Ministry of Justice fines;
• Student loan payments;
• Any other changes agreed (such as overpayments, payment of leave up-front); and
• Payroll tax.
Payroll Processes
The payroll process for each CA will vary, but there are some common steps taken including:
• Data integrity reporting and validation;
• Trial pay runs;
• Calculation of pay;
• Final pay run and generation of pay, bank, and other third-party files; and
• Repeat of process for multiple pay runs (i.e. multi-agency payroll).
Pay Calculations
Pay calculation may start off with the data that is imported in from other systems 9(2)(k)
9(2)(k)
or it will start off with data based off the profile and rules that the
payee is set up with in the payroll system.
These calculations are consistent across agencies due to required compliance with the Holidays Act,
however they still need to be configured within the system. The CA can alternatively follow the
common process model, which helps the CA make sure the payroll rules configured meet good
practice and legislative requirements.
Pay Runs
A CA may administer multiple pay runs before pay is finalised. It may involve a trial run, which checks
that the CA is not under- or overpaying. Multiple checks take place, including comparing the number of payees
to the number of employees and comparing the pay data to previous pay runs. These results are
also needed for audit evidence.
When the final run is administered, multiple files will be generated and may include (but is not limited
to):
• Bank files – which are transferred to the CA’s bank for payment to payees;
• IRD files – which are transferred to IRD for tax and other compliance;
• Payees pay information – which includes a summary of their pay, allowances, and deductions;
• 3rd party files – for uploading of pay data into other systems the CA may use (such as financial
management or accounting systems), or to other 3rd parties that deductions were made for
(such as Ministry of Justice); and
• Union files – which includes a summary of union fees that have been paid.
These files may be manually transferred (by manually uploading the files to the other system) or there
may be an integration or file transfer system used by the CA.
For CAs that look after multiple agencies’ payroll, this process would repeat for each agency they look
after.
Post-payroll and Ongoing Processes
After the payroll run is complete, a CA will perform:
• Accounting and recording of the pay run; and
• Reporting and sharing of reports with groups within the CA or agencies they administer payroll
for.
There will also be ongoing services that take place outside of the payroll run, such as:
• Software data management (such as configuration management of profiles, pay rules, and
other payroll-related configurations, access management, and data management);
• Integration management (such as Rostering, Time and Attendance, HR, and bank system
integration);
• Identity Provider integration (for authentication to the system);
• Software, infrastructure, and hardware management; and
• Supporting procedural controls (such as incident response, disaster recovery, and business
continuity).
Information Classification
The security classification of the information that will be stored, processed, or transmitted by the
payroll software and the MSP has been evaluated as IN-CONFIDENCE and below. This is because while
the payroll software, managed service provider, and business processes use personal information, this
data would not cause an impact to diplomatic, economic wellbeing, safety, or operational
effectiveness of New Zealand.
There is a risk that the payroll software and service may store Classification Removed information. The most common
situations include:
• Data or documents uploaded related to leave taken that involves domestic violence,
vulnerable children, or health information.
If a CA wishes to consume the software and service for information classified as Classification Removed,
the CA will need to comply and confirm with controls detailed in the Protective Security Requirements
(PSR).
Legislation, Policy, and Guidelines
CAs must ensure that they can demonstrate compliance with applicable legislation, policies, guidelines,
and any other external requirements when using payroll software and services.
The following legislation, policy, and guidelines relate specifically to security requirements and are
considered relevant to most CAs:
• Protective Security Requirements (PSR); and
• New Zealand Information Security Manual (NZISM v3.4).
The following legislation, policy, and guidelines relate to different aspects of the payroll function or the
business processes they support:
• Accident Compensation Act 2001;
• Child Support Act 1991;
• Datacom GSF Specifications;
• Domestic Violence Amendment;
• Employment Protection Act 1987;
• Employment Relations Act 2000;
• Equal Pay Act 1972;
• General Disposals Authority 6;
• Health and Safety at Work;
• Holidays Act 2003;
• Home and Community Support (Payment for Travel Between Clients) Settlement Act 2016;
• Human Rights Act 1993;
• Income Tax Act 2007;
• Kiwisaver Act 2006;
• Live Organ Donors Act 2016;
• Minimum Wage Act 1983;
• Official Information Act 1982;
• Parental Leave and Employment Protection Act 1987;
• Privacy Act 2020;
• Public Finance Act 1989;
• Public Records Act 2005;
• Student Loan Scheme Act 2011;
• Support Workers (Pay Equity) Settlements Act 2017;
• Tax Administration (Correction of Errors in Employment Income Information) Regulations 2019;
• Tax Administration Act 1994;
• Volunteers Employment Protection Act 1973; and
• Wages Protection Act 1983.
Some CA may be responsible for payroll services to payees who must comply with overseas legislation.
There will be different requirements and impacts if these are not followed and were not considered
in the context of this work. The CA should perform their own assessment when understanding their
specific requirements under any legislation.
9(2)(k)
9(2)(k)
9(2)(k)
Service Owner and Experts
Each CA will use this Risk Assessment and apply it to the specific MSP and payroll software solution
they selected from the Marketplace, and to their own internal risk framework and context. As part of
that, the CA can get support from the following stakeholders:
• Senior Responsible Officer – or the officer responsible for the use and risk of the software in
their agency;
• IT Security Manager – or the manager responsible for performing security assurance for the
system;
• Solution Architect – or the architect responsible for identifying the technical components and
features in the MSP and software chosen; and
• Payroll and other subject matter experts – or others in the CA who can assist with adjusting
this Risk Assessment in the context of how the system will be used within the CA.
Security Requirements
The security requirements help inform the technical impact of the security risks captured, and the
requirements vary based off the confidentiality, integrity, availability, and privacy requirements of the
data used by the payroll system.
The exact security requirements will vary by CA and will require the CA to assess using their
framework. In most cases, the impacts across a CA will be similar. Those impacts have been defined
below.
Confidentiality and Privacy
The payroll system and service will store, process, and transmit information that includes Personally
Identifiable Information (PII), and limited Classification Removed information that may be included in their leave,
allowance, and deduction requests. This information is considered IN-CONFIDENCE.
There are different ways this information’s confidentiality or privacy could be compromised: an
administrative or system user could accidentally or intentionally share data exports, pay files, or reports;
the system could be mis-configured, which would allow other system users to see data they shouldn’t
be allowed to see; a CA’s account could be inappropriately accessed, leading to a data breach; or the MSP
could have a security incident relating to their staff or the system which leads to a data breach.
The impact of a confidentiality or privacy incident would vary, and it would depend on the amount of
information involved. If there was a small amount of information involved, the impact to the CA would
be moderate. If there was a large amount of information, the impact would be significant. It could
result in:
• Breach of laws, resulting in litigation against the CA (and other agencies they provide
payroll services for);
• Significant reputational and political damage;
• Loss of confidence in the security of the software;
• Significant ongoing operational and service delivery impact to the CA due to incident
investigation and process changes;
• Significant financial impact due to the need for additional resources to assist with the
investigation and resolve any issues, and for any litigation fees; and
• Minister and leadership briefing and updates.
Integrity
The payroll system is a key component of the overall payroll function within a CA. They rely on the
accuracy and integrity of the data in the system for payroll processes as well as supporting business
processing (such as financial reporting and HR).
There are different ways the information’s integrity could be compromised, and most of those events
come down to access controls (including user access and data separation). The impact would also vary
and would depend on the amount of information that was modified. If there was a small amount of
information involved, the impact to the CA would be moderate. If there was a large amount of
information, the impact would be significant. It could result in:
• Breach of laws (such as the Holidays Act, due to incorrectly calculated pay);
• Significant reputational and political damage;
• Loss of confidence in the security of the software;
• Significant ongoing operational and service delivery impact to the CA due to incident
investigation and process changes;
• Moderate financial impact due to the need for additional resources to assist with the
investigation and resolve any issues, and for any litigation fees; and
• Minister and leadership briefing and updates.
Availability
Payroll is a regularly occurring process and is heavily relied on by multiple stakeholders (as captured
above under Users and Stakeholders).
There are different ways the availability of the system, service, or information could be compromised.
It could be unavailable for a short period of time due to a breaking change or misconfiguration, or it
could be unavailable for an extended period due to a prolonged Distributed Denial of Service (DDoS),
Denial of Service (DoS), or security incident with the payroll software and Provider.
If the system were unavailable outside of the pay run part of the process (less busy period), the impact
would be moderate. If the system were unavailable during the pay run part of the process, the impact
would be significant. It could result in:
• The CA standing up an incident response or business continuity team to administer the pay
run without the payroll software;
• Increased operational and service delivery impacts due to manual processing and post-
incident system updates;
• Significant reputational and political damage;
• Financial impact due to additional resources needed to administer manual pay runs; and
• Leadership and Minister briefing and updates.
9(2)(k)
9(2)(k)
9(2)(k)
R05 – A Super User misconfigures the system, which impacts the security of the system.
9(2)(k)
R06 – A CA user account is inappropriately accessed, which leads to a data breach or fraud.
9(2)(k)
R07 – An MSP user account is inappropriately accessed, which leads to a data breach or misconfiguration incidents.
9(2)(k)
9(2)(k)
R08 – An integration with another CA system is not secured, which leads to a data leak.
9(2)(k)
R09 – An integration with a third-party system is not secured, which leads to a data leak.
9(2)(k)
9(2)(k)
R10 – Data sent to the payroll software via another system integration is compromised, which leads to an integrity incident.
9(2)(k)
R11 – The software has a vulnerability which leads to a data leak.
9(2)(k)
9(2)(k)
R15 – The supporting infrastructure is not hardened or is misconfigured, which leads to a data leak.
9(2)(k)
R16 – The platform is unavailable due to an availability attack, malware infection, or an MSP mistake.
9(2)(k)
9(2)(k)
R17 – A Platform Administrator user account is inappropriately accessed, which leads to a data breach or misconfiguration incidents.
9(2)(k)
R26 – The MSP has a physical security breach which leads to data loss or availability issues.
9(2)(k)
9(2)(k)
R21 – Classification Removed data is entered into the software, which can cause the technical and business impact of any other risk event to be higher.
9(2)(k)
R22 – A CA fails to comply with overseas legislation due to a misconfiguration, data leak, or other security event.
9(2)(k)
R23 – A CA has a different operating model, which means this assessment might not accurately capture their risks and recommended controls.
9(2)(k)
9(2)(k)
R24 – A remote working user does not secure their device, which leads to a data leak.
9(2)(k)
R25 – A system that the MSP relies on has a breach which affects the CA and their data.
9(2)(k)
Table 6 shows which controls (that are recommended for both the MSP and CA) are related to each
risk from Table 4.
9(2)(k)
9(2)(k)
Appendix B - Project Overview
Scope
Marketplace is an AoG initiative that enables New Zealand and international businesses to offer their
products and services directly to New Zealand government agencies. Marketplace links business with
government, making the procurement process easier for all. For more details, please visit
https://marketplace.govt.nz
The Department of Internal Affairs (DIA), as Government Chief Digital Officer (GCDO), has performed
and completed this Risk Assessment report and Controls Validation Plan (CVP) to support the CAs who
plan to use this Marketplace-listed catalogue service.
The objective was to create a generic Risk Assessment and CVP that would cover most of the security
risks and controls that would apply regardless of Supplier, technology, or specific context. The intent
is that this would set a baseline for the CA to use and then apply their own internal risk management
frameworks and accredit the service for their own use.
Marketplace has a list of catalogue items and suppliers that are categorised in Tier 1, Tier 2, and Tier
3. Tier 3 is a lower entry bar for small products and suppliers, whereas Tier 1 is for enterprise-grade
products that require the highest assurance.
For the purposes of this work, it was assumed the Managed Payroll Service would have a minimum
Tier 2 rating.
The minimum Tier rating is based on:
• Risk profile of the service;
• Use / delivery of cloud-based tools to deliver Managed Services;
• Reliance on Agency controls, particularly for people and process controls; and
• Claims made by the Supplier in the service description.
Tier 3: Baseline Index — Suppliers respond to security questions which can include the Cloud Risk
Assessment Tool (GCIO105). Assessment is based on self-assertions and not independent reviews.
SaaS go through a Confidence and Risk Index (CRI) rating by McAfee MVision.
Tier 2: Design and Control Analysis — Suppliers must provide independent security assurance
information that Consuming Agencies will be able to review. This can include ISO27001 or SOC2 Type
2 audit reports, and penetration testing reports. This information will be reviewed and confirmed
appropriate by the GCDO before Tier-2 endorsement.
Tier 1: Design and Control Effectiveness — To obtain this rating, suppliers must provide additional
information and receive Certification from the GCDO. Certification is based on Risk Assessment and
demonstration of controls effectiveness, which can be supported by an organisation having ISO 27001 or
SOC2 Certification or going through an audit by an auditor from the SRS panel.
A typical Managed Payroll Service solution consists of:
• A Managed Payroll Service software package;
• A hosting service, either provided by:
  o a Public Cloud IaaS Service Provider;
  o a Private Cloud IaaS Service Provider; or
  o any hybrid-cloud or Government dedicated cloud IaaS Service Provider.
• The implementation of the Managed Payroll Service on the hosting service by the Supplier;
• The integration of the Managed Payroll Service with existing agency systems by the Supplier;
and
• The management and administration of the solution by the Supplier.
Approach
The Risk Assessment followed the GCIO risk framework based on the AS/NZS ISO 31000:2018 risk
management standards. The assessment was conducted as a series of workshops and document
reviews, including:
• Consumption of documentation provided by DIA;
• Identification of risks and controls associated with the use of Managed Payroll Services
through a business and technical context workshop;
• Development of a Risk Assessment report in draft;
• Review of risks and ratings through a risk validation workshop; and
• Issuance of a final Risk Assessment report.