ICT-as-a-service policy

Policy

Final | January 2017 | v2.0.0 | PUBLIC | QGCIO

Purpose

This Queensland Government Enterprise Architecture (QGEA) policy ensures that departments include externally provisioned ICT services when making decisions associated with ICT solution sourcing.

For the purposes of this policy ‘ICT-as-a-service’ includes all forms of externally provisioned ICT services from managed services to cloud services.

Examples of externally provisioned managed services include:

  • an ICT service or function such as application, network or server management
  • application hosting
  • web hosting
  • managed capacity for the provisioning of ICT assets
  • combinations of the above.

Examples of cloud services include:

  • software as-a-service, e.g. social media, on-line collaboration
  • platform as-a-service
  • infrastructure as-a-service
  • business process as-a-service
  • customer relationship management as-a-service
  • identity as-a-service
  • storage as-a-service.

This policy should be read in conjunction with the Queensland Government ICT-as-a-service Decision Framework. This tool stipulates assessment criteria addressing key areas of risk, in particular availability, performance, security, and offshoring of data, with suggested treatments to ensure a consistent approach to ICT decision-making across Queensland Government.

Policy statement

Departments adopt an ICT-as-a-service strategy and source ICT services, in particular for commoditised services, from industry providers in a contestable market where this is feasible and represents value for money.

Departments will also utilise, as appropriate, cloud-based and other emerging technologies as enablers to complement their ICT-as-a-service strategy.

Policy benefits

Increasing adoption of ICT-as-a-service will reduce the constraints and financial liability of owning and managing ICT assets and allow departments to operate in an environment where ICT is primarily consumed as a service. Departments will become managers and consumers of services where they will be able to:

  • avoid vendor lock-in through lengthy and expensive ICT contracts
  • avoid the life cycle of vendors’ product upgrades
  • improve service delivery efficiency via the use of standard solutions
  • provide greater flexibility and agility to adopt ‘fit for purpose’ ICT solutions
  • simplify service provisioning and enable ‘right sizing’ of services
  • enable alignment of changing business systems and processes with ICT
  • leverage innovation as it becomes available from the market
  • improve ICT cost efficiency by:
    • only paying for services consumed
    • scaling up or down based on demand
    • requiring no capital investment.
  • reduce the need for departmental ICT capability to build and operate ICT systems and allow departmental ICT to focus on ICT strategic aspects as an enabler of departmental services.

Applicability

This policy applies to all Queensland Government departments and internal Queensland Government ICT service providers.

Policy requirements

Policy requirement 1: All investment decisions must consider ICT-as-a-service as part of a procurement option analysis

Departments must include externally provisioned ICT services as part of an option analysis process when making investment decisions, for example when considering new or replacement ICT solutions or the long-term future direction for ICT investments within their organisations.

Advice

There are a number of specific risks/issues/challenges that need to be considered when using ICT-as-a-service including but not limited to:

  • appropriate delivery model
  • ownership
  • disaster recovery and business continuity
  • recovery of data that cannot be retrieved or is lost by the provider
  • implementation
  • application integration and migration
  • unauthorised disclosure of data by the provider
  • unauthorised access to data
  • availability and integrity of data
  • information security classification
  • privacy
  • maintaining public records
  • reporting breaches of privacy and security requirements
  • operational management responsibilities and required skills across traditional and as-a-service delivery models
  • issues related to offshore storage and processing (see the ICT-as-a-service offshore data storage and processing policy).

Departments need to review contractual arrangements for suitability and appropriate coverage of the attributes associated with ICT delivered as-a-service and to address identified risks and issues. Specifically, contract clauses need to cover issues such as:

  • protection of information
  • liability
  • performance management
  • ending the arrangement
  • dispute resolution
  • other:
    • introduction of harmful code
    • change of control and assignment/novation
    • terms changeable at provider discretion
    • application of foreign laws and trans-border data transfer
    • requirement to accept software updates
    • intellectual property ownership.

In moving to ICT-as-a-service, departments remain responsible for examining any legislative, standards and other compliance requirements that are relevant to their data, information or records.

The Queensland Government ICT-as-a-service risk assessment guideline can provide further guidance on common ICT-as-a-service contractual issues. The guideline is part of the ICT-as-a-service Decision Framework and is designed to assist departments in developing a risk assessment when considering the use of ICT-as-a-service. It outlines the key considerations/risks that departments should address as part of their existing risk management processes. The guideline incorporates advice from a range of key sources, and also directs departments to relevant guidance provided by others, including:

  • The Office of the Information Commissioner (OIC) – The OIC has published specific advice on ICT-as-a-service and privacy of data which is available on the Commission’s website.
  • Queensland State Archives (QSA) – QSA has published specific advice around custody and ownership of public records during outsourcing or privatisation (QSA is currently performing a review of this advice) and on managing record keeping risks with cloud computing.

Issue and review

Version: v2.0.0
Issue date: 6 January 2017
Next review date: January 2018

This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.

Implementation

This policy comes into effect from the issue date.


Last Reviewed: 06 January 2017