Final | April 2019 | v3.0.0 | OFFICIAL - Public | QGCIO
The Queensland Government Enterprise Architecture (QGEA) Policy on ICT hardware currency requires departments to retire or update ICT hardware with a medium or high business impact before it reaches end-of-service-life (EOSL) support unless the risk of not doing so has been formally accepted by the department.
EOSL refers to ICT hardware that is no longer manufactured or supported. Terminology for EOSL varies between vendors, however, most vendors will have an end-of-life (EOL) announcement stipulating when the manufacturing or product ordering will end followed by an end of service life EOSL that stipulates when support for the ICT hardware will end. The Hardware currency policy is supported by the Queensland Government’s Digital and ICT Strategic Planning Framework and the Procurement and disposal of ICT products and services policy (IS13) and implementation guideline.
Digital and ICT strategic planning framework linkages
Agency ICT resources strategic planning must be supported by a structured and consistent approach for managing current ICT assets and planning for current and future investments. When undertaking ICT planning for all ICT assets (including ICT hardware), agencies can use the Digital and ICT strategic planning framework (the framework).
The gather activity in the Current state: information, applications and technologies document within the framework collects information about each of the department’s technology assets. An agency’s technology assets register should at a minimum include the attributes set out within the ICT profiling standard which includes a ‘End of Support’, ‘business impact’ and ‘technical condition’ attributes . The ‘End of Support’ attribute reflects the scheduled last date of manufacturer/vendor support of operation for the asset. The ‘business impact’ attribute addresses the criticality of the asset to the business and help departments understand the importance of the asset. The ‘technical condition’ attribute measures the performance of the asset in terms of its access, currency, maintainability, compliance and alignment with better practices.
The Current state: enterprise architecture assessment document within the framework, describes three assessment criteria that indirectly relate to EOSL for technology assets - these are protection, vendor support and maintainability. It is recommended that in addition to these characteristics, explicit attention to EOSL is given during the assessment step of the framework.
The Current state: enterprise architecture assessment document within the framework also includes a section on asset lifecycle. This relates to the overall phase of use of a technology within the department and doesn’t apply to the life of the specific versions of a technology product. Appendix A of the Information asset lifecycle guideline also lists typical activities required to manage information, application and technology assets throughout their lifecycle.
In the ‘Analysis’ step within the Current state: enterprise architecture assessment document, departments may want to create grid models, to understand the current and future positioning of assets. In particular the Business exposure grid model (Business impact vs Technical condition) can provide an indication of the current risk and performance of an asset and can be used to determine appropriate strategies for optimising the agencies assets into the future.
Whole-of-government end of support requirements
End of support technology is software or hardware that represents a risk from a whole-of-government perspective. It requires action to be taken by departments such as decommissioning, upgrading or replacing the unsupported technologies with supported versions, products or services.
The ICT profiling standard also collects attributes where selected technologies nearing or past end of support dates represent a security risk and/or require significant time and cost to address across the whole sector. Appendix F of the ICT profiling standard captures a rolling list of unsupported technologies, listed by manufacturer and product name.
Formal approval of the ICT hardware currency plan
Recommended best practice is that identification of ICT hardware replacement strategies be done within the department’s overall ICT work plan and not as a separate document. As such, ICT assets approaching EOSL should be identified within the technology profile and within the ICT work plan, and approval be within the department’s normal digital and ICT strategic planning approval process.