Software currency policy

Policy

Final | May 2016 | v2.0.0 | PUBLIC | QGCIO

Purpose

This policy states the Queensland Government’s direction in regard to maintaining an up-to-date software portfolio, and consequently reducing the cost and risk inherent in managing unsupported software products.

Policy statement

To ensure that the delivery of government services underpinned by information technology is reliable, low risk, cost effective and agile, the Queensland Government will reduce and where possible eliminate instances of unsupported software.

Policy benefits

The benefits of this policy cover reducing risk and cost and improving agility:

  • maintain and possibly improve capacity to integrate with up-to-date technologies and to align with changing business requirements
  • ensure better vendor support for deployed software, particularly during incidents
  • maintain alignment with skills available in the labour market
  • create financial savings associated with software procurement, support and training through opportunities to consolidate software portfolios
  • reduce risk and complexity through supporting fewer versions with different behaviours
  • ease consolidation of agency infrastructure to whole-of-government services provided by CITEC or external non-government service providers.

Applicability

This policy applies to all Queensland Government departments.

It applies to off-the-shelf software with periodic release cycles.

The following are outside the scope of the current policy:

  • custom-built applications (but the underlying technology software platforms are in scope)
  • any product whose version has been mandated across government through another QGEA artefact
  • software licensing issues are dealt with under the Software asset management policy.

Policy requirements

Policy requirement 1:    Agencies must retire or replace software before it reaches the end of mainstream[1] support unless the CEO has formally accepted the risk of not doing so

Agencies must retire or replace any off-the-shelf software with a high or medium[2] business impact before it reaches the end of mainstream support by the vendor.

If mainstream support cannot be determined, the software must be maintained no more than two major[3] versions behind the latest release (N-2), or within three years of the general availability of a new release, whichever occurs sooner.

When calculating the percentage of software in an agency that complies with this policy, the following is to be used:
  • fleet items are to be counted as a single asset; their individual instances are not to be counted separately
  • for all other software, individual instances are to be counted.
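The requirement above is a rule that can be applied mechanically to an agency's software inventory: check the vendor's end of mainstream support where it is known, otherwise fall back to the N-2 and three-year tests, apply the business impact thresholds from footnote [2], and count fleet items once and everything else per instance. The following Python is an added illustration of that rule written for this page; it is not a QGCIO tool or part of the policy. The inventory records are constructed sample data, the field names (`mainstream_support_end`, `next_release_ga`, `ceo_risk_accepted`) are assumptions, and two interpretations are made explicit in comments: the three-year clock is started at the general availability of the first release newer than the installed one (the reading that produces the "sooner" trigger), and software with CEO-accepted risk is counted as meeting the requirement.

```python
# Added example: evaluate a software inventory against Policy requirement 1.
# Illustrative code written for this page, not a QGCIO tool. The inventory
# below is constructed sample data and the field names are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

HIGH_THRESHOLD = 3.2            # footnote [2]: High is a score above 3.2
MEDIUM_THRESHOLD = 1.6          # footnote [2]: Medium is 1.6 to 3.2
MAX_MAJOR_VERSIONS_BEHIND = 2   # the N-2 rule
FALLBACK_YEARS = 3              # three years from GA of a newer release


@dataclass
class SoftwareAsset:
    name: str
    business_impact: float                  # ICT planning methodology score
    installed_major: int
    instances: int = 1
    fleet: bool = False                     # fleet items count as one asset
    ceo_risk_accepted: bool = False         # formal CEO acceptance of the risk
    mainstream_support_end: Optional[date] = None   # None: cannot be determined
    latest_major: Optional[int] = None              # latest major release available
    next_release_ga: Optional[date] = None          # GA of first release newer than installed


def impact_band(score: float) -> str:
    """Map a business impact score to the footnote [2] bands."""
    if score > HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def within_support(asset: SoftwareAsset, today: date) -> bool:
    """Requirement 1 test for one asset, without the CEO exception."""
    if asset.mainstream_support_end is not None:
        # Vendor date is known: it is the only test that applies.
        return today < asset.mainstream_support_end
    # Mainstream support cannot be determined: apply N-2 and the three-year
    # limit, failing on whichever is reached first.
    if asset.latest_major is None or asset.next_release_ga is None:
        # Assumption: with no release data at all, treat the asset as
        # unsupported rather than silently passing it.
        return False
    versions_ok = asset.latest_major - asset.installed_major <= MAX_MAJOR_VERSIONS_BEHIND
    # Interpretation: the clock starts at GA of the first newer release.
    age_ok = today < add_years(asset.next_release_ga, FALLBACK_YEARS)
    return versions_ok and age_ok


def assess(asset: SoftwareAsset, today: date) -> str:
    """One of: out-of-scope, compliant, risk-accepted, non-compliant."""
    if impact_band(asset.business_impact) == "Low":
        return "out-of-scope"          # requirement 1 covers High and Medium only
    if within_support(asset, today):
        return "compliant"
    return "risk-accepted" if asset.ceo_risk_accepted else "non-compliant"


def compliance_percentage(assets: List[SoftwareAsset], today: date) -> float:
    """Share of in-scope software meeting requirement 1, counted as the policy
    directs: a fleet item is one asset, anything else is counted per instance.
    Assumption: CEO-accepted risk counts as meeting the requirement."""
    total = met = 0
    for a in assets:
        status = assess(a, today)
        if status == "out-of-scope":
            continue
        weight = 1 if a.fleet else a.instances
        total += weight
        if status in ("compliant", "risk-accepted"):
            met += weight
    return 100.0 * met / total if total else 100.0


AS_AT = date(2016, 5, 1)   # the policy's issue date, used as "today" here

INVENTORY = [              # constructed sample data, not a real agency inventory
    SoftwareAsset("desktop-os", 3.5, installed_major=7, instances=5000, fleet=True,
                  mainstream_support_end=date(2017, 4, 11)),
    SoftwareAsset("db-server", 2.0, installed_major=10, instances=9,
                  mainstream_support_end=date(2016, 1, 1)),
    SoftwareAsset("web-proxy", 2.5, installed_major=8, instances=4,
                  latest_major=10, next_release_ga=date(2014, 9, 1)),
    SoftwareAsset("middleware", 3.0, installed_major=5, instances=6,
                  ceo_risk_accepted=True, latest_major=7,
                  next_release_ga=date(2012, 11, 30)),
    SoftwareAsset("screenshot-tool", 1.0, installed_major=3, instances=50),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(f"{asset.name:16} {impact_band(asset.business_impact):6} {assess(asset, AS_AT)}")
    print(f"compliance: {compliance_percentage(INVENTORY, AS_AT):.1f}%")
```

Run against the sample inventory, the fleet desktop OS counts once and is compliant, the nine database instances are past their vendor date and count nine times against the agency, the proxy passes both fallback tests, the middleware fails the three-year test but is CEO-accepted, and the low-impact tool is ignored, giving 11 of 20 counted units, or 55%. The conservative handling of assets with no release data is deliberate: a check that passes whatever it cannot evaluate would hide exactly the software the policy is trying to surface.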

Advice

The term ‘unsupported’ refers to the situation where vendors (or communities in the case of some open source software) no longer provide patches, updates or other technical support services for the product in question. In these situations, the Queensland Government currently bears the full burden of risk associated with running unsupported software. These risks include:

  • easily identifiable software with known vulnerabilities, often with automated exploitation tools available, exposing the platform and associated data to easy compromise
  • reduced agility resulting from the inability to align with changing business requirements
  • lack of capacity to integrate with up-to-date technologies
  • scarcity of skilled labour to maintain unsupported technologies
  • human error and resulting costs from supporting the complexity of many versions.

Issue and review

Version: v2.0.0
Issue date: May 2016
Review date: May 2018

This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.

Implementation

Agencies should conduct a high-level risk assessment of their compliance with the requirements of this QGEA policy.

A business impact analysis is required to determine the risk level of a software asset. Business Impact is defined and calculated using the Queensland Government ICT planning methodology.

This policy comes into effect from the issue date.

[1] Mainstream support refers to the period of time during which a vendor product is available for general release and receives warranty support, security and non-security updates.

[2] Business Impact is defined and calculated using the Queensland Government ICT Planning Methodology; High refers to a score above 3.2 and Medium refers to a score ranging between 1.6 and 3.2.

[3] Major version. Vendors use a variety of systems to version their products. As such it is difficult to define exactly what a major release is. For the purposes of this policy, a major release should have the following characteristics:

  • is not merely a revision or a bug fix release but which contains substantial changes and new features; and
  • generally occurs annually, or less frequently.

Last Reviewed: 01 May 2016