Final | January 2017 | v2.0.2 | OFFICIAL - Public | QGCDG
This Queensland Government Enterprise Architecture (QGEA) policy ensures that departments include externally provisioned ICT services when making decisions associated with ICT solution sourcing.
For the purposes of this policy ‘ICT-as-a-service’ includes all forms of externally provisioned ICT services from managed services to cloud services.
Examples of externally provisioned managed services include:
- an ICT service or function such as application, network or server management
- application hosting
- web hosting
- managed capacity for the provisioning of ICT assets
- combinations of the above.
Examples of cloud services include:
- software as-a-service, e.g. social media, on-line collaboration
- platform as-a-service
- infrastructure as-a-service
- business process as-a-service
- customer relationship management as-a-service
- identity as-a-service
- storage as-a-service.
This policy should be read in conjunction with the Queensland Government ICT-as-a-service Decision Framework. That framework stipulates assessment criteria addressing key areas of risk, in particular availability, performance, security and offshoring of data, with suggested treatments to ensure a consistent approach to ICT decision-making across Queensland Government.
Departments adopt an ICT-as-a-service strategy and source ICT services, in particular for commoditised services, from industry providers in a contestable market where this is feasible and represents value for money.
Departments will also utilise, as appropriate, cloud-based and other emerging technologies as enablers to complement their ICT-as-a-service strategy.
Increasing adoption of ICT-as-a-service will reduce the constraints and financial liability of owning and managing ICT assets and allow departments to operate in an environment where ICT is primarily consumed as a service. Departments will become managers and consumers of services where they will be able to:
- avoid vendor lock-in through lengthy and expensive ICT contracts
- avoid the life cycle of vendors’ product upgrades
- improve service delivery efficiency via the use of standard solutions
- provide greater flexibility and agility to adopt ‘fit for purpose’ ICT solutions
- simplify service provisioning and enable ‘right sizing’ of services
- enable alignment of changing business systems and processes with ICT
- leverage innovation as it becomes available from the market
- improve ICT cost efficiency by:
  - only paying for services consumed
  - scaling up or down based on demand
  - requiring no capital investment
- reduce the need for departmental ICT capability to build and operate ICT systems and allow departmental ICT to focus on ICT strategic aspects as an enabler of departmental services.
This policy applies to all Queensland Government departments (as defined by the Public Service Act 2008). Accountable officers (not already in scope of the Public Service Act 2008) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
This policy also applies to internal Queensland Government ICT service providers.
Policy requirement 1: All investment decisions must consider ICT-as-a-service as part of a procurement option analysis
Departments must include externally provisioned ICT services as part of an option analysis process when making investment decisions. This applies, for example, when departments are considering new or replacement ICT solutions, or when they consider the long-term future direction for ICT investments within their organisations.
A number of specific risks, issues and challenges need to be considered when using ICT-as-a-service, including but not limited to:
- appropriate delivery model
- disaster recovery and business continuity
- recovery of data that cannot be retrieved or is lost by the provider
- application integration and migration
- unauthorised disclosure of data by the provider
- unauthorised access to data
- availability and integrity of data
- information security classification
- maintaining public records
- reporting breaches of privacy and security requirements
- operational management responsibilities and required skills across traditional and as-a-service delivery models.
Departments need to review contractual arrangements for suitability and for appropriate coverage of the attributes associated with ICT delivered as-a-service, and to address identified risks and issues. Specifically, contract clauses need to cover issues such as:
- protection of information
- performance management
- ending the arrangement
- dispute resolution
- introduction of harmful code
- change of control and assignment/novation
- terms changeable at provider discretion
- application of foreign laws and trans-border data transfer
- requirement to accept software updates
- intellectual property ownership.
In moving to ICT-as-a-service, departments remain responsible for examining any legislative, standards and other compliance requirements that are relevant to their data, information or records.
The Queensland Government ICT-as-a-service risk assessment guideline provides further guidance on common ICT-as-a-service contractual issues. The guideline is part of the ICT-as-a-service Decision Framework and is designed to assist departments in developing a risk assessment when considering the use of ICT-as-a-service. It outlines the key considerations and risks that departments should address as part of their existing risk management processes. The guideline incorporates advice from a range of key sources, and also directs departments to relevant guidance provided by others, including:
- The Office of the Information Commissioner (OIC) – the OIC has published specific advice on ICT-as-a-service and privacy of data, which is available on the Commission’s website.
- Queensland State Archives (QSA) – QSA has published specific advice on custody and ownership of public records during outsourcing or privatisation (QSA is currently reviewing this advice) and on managing recordkeeping risks with cloud computing.
Issue and review
Issue date: 6 January 2017
Next review date: January 2018
This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.
This policy comes into effect from the issue date.