Final | April 2019 | v3.0.0 | OFFICIAL - Public | QGCIO
This policy states the Queensland Government’s direction regarding the maintenance of an up-to-date software portfolio and, consequently, the reduction of the cost and risk inherent in managing unsupported software products.
To ensure that the delivery of government services underpinned by information technology is reliable, low-risk, cost-effective and agile, the Queensland Government will reduce and, where possible, eliminate instances of unsupported software.
The benefits of this policy cover reducing risk and cost and improving agility:
- maintain and possibly improve capacity to integrate with up-to-date technologies and to align with changing business requirements
- ensure better vendor support for deployed software, particularly during incidents
- maintain alignment with skills available in the labour market
- create financial savings associated with software procurement, support and training through opportunities to consolidate software portfolios
- reduce risk and complexity through supporting fewer versions with different behaviours
- ease consolidation of agency infrastructure to whole-of-government services provided by CITEC or external non-government service providers.
This policy applies to all Queensland Government departments.
It applies to off-the-shelf software, including operating systems, with periodical release cycles.
The following are outside the scope of the current policy:
- custom-built applications (but the underlying technology software platforms are in scope)
- any product whose version has been mandated across government through another QGEA artefact
- software licensing issues, which are dealt with under the Software asset management policy.
Policy requirement 1: Agencies must retire or replace software, including an as-a-service solution, before it reaches end of mainstream support unless the risk is formally accepted via the department’s corporate risk management process
Agencies must retire or replace any off-the-shelf software with a high or medium business impact before it reaches the end of mainstream support by the vendor. Exemption from this requirement is only possible through acceptance of the risk by the appropriate delegate in accordance with the agency’s corporate risk management processes.
If mainstream support cannot be determined, the software must be maintained no more than two major versions behind the latest release (N-2), or within three years of the general availability of a new release, whichever occurs sooner.
When calculating the percentage of software in an agency that complies with this policy, the following counting rules apply:
- fleet items are to be considered as a single asset, individual instances are not to be counted
- for all other software, individual instances should be counted.
The term ‘unsupported’ refers to the situation where vendors (or communities in the case of some open source software) no longer provide patches, updates or other technical support services for the product in question.
In these situations, the Queensland Government currently bears the full burden of risk associated with running unsupported software. These risks include:
- software that is easily identifiable, has known vulnerabilities and is often targeted by automated compromise tools, exposing the platform and associated data to easy exploitation
- increased cost to maintain a software asset without assistance from the vendor
- lack of agility resulting from the software’s inability to align with changes in business requirements
- limited capacity to integrate with up-to-date technologies
- scarcity of skilled labour to maintain unsupported technologies
- human error and resulting costs from supporting the complexity of many versions.
Mainstream support refers to the period of time during which a vendor product is available for general release and receives warranty support, security and non-security updates.
Business impact is defined and calculated using the Digital and ICT strategic planning framework; High refers to a score above 3.2 and Medium refers to a score ranging between 1.6 and 3.2. See the Current state module – Enterprise architecture assessment.
Major version. Vendors use a variety of systems to version their products, so it is difficult to define exactly what a major release is. For the purposes of this policy, a major release should have the following characteristics:
- it is not merely a revision or bug-fix release but contains substantial changes and new features; and
- it generally occurs annually, or less frequently.
Departments are to assess their compliance with the requirements of this QGEA policy and decide whether to retire, replace or accept the risk associated with off-the-shelf software assets or an as-a-service solution by 30 June each year. This assessment should be conducted routinely as part of the department’s regular ICT planning process, and the resultant actions included in its ICT Work Plan.
This policy comes into effect from the issue date.
Issue and review
Issue date: 9 April 2019
Review date: April 2021
This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.