Hardware currency policy
Purpose
The policy states the Queensland Government's direction with regard to maintaining the currency of Information and Communication Technology (ICT) hardware.
The purpose of the policy is to ensure departments define and implement suitable strategies for managing the life cycle of ICT hardware assets.
Policy statement
To ensure that the delivery of government services underpinned by information technology is reliable, low risk, cost effective and agile, the Queensland Government will reduce and where possible eliminate instances of unsupported ICT hardware. Unsupported refers to the situation where there is no longer vendor or third-party maintenance available to provide replacement components or field support.
Policy benefits
The policy will assist departments in managing the balance between cost and operational risk for ICT hardware and potentially increase the ability to:
- maintain and possibly improve capacity to integrate with up-to-date technologies and to align with changing business requirements
- ensure better vendor support is in place for ongoing ICT hardware maintenance, particularly during incidents
- maintain alignment with skills available in the labour market
- increase management visibility of the business risk associated with running on old or unsupported ICT hardware
- reduce costs associated with ICT hardware procurement, support and training through consolidation
- reduce costs, risk and complexity through supporting fewer ICT hardware models.
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
Where a department owns the ICT hardware, it is responsible for ICT hardware currency management regardless of the hardware's location. If a managed service is outsourced to another Queensland Government agency, such as CITEC's managed services, the ICT hardware currency is the responsibility of the service provider. In the event of outsourcing to an entity external to the Queensland Government, the department is responsible for covering the ICT hardware currency risk in the associated service contracts and service level agreements.
Policy requirements
Policy requirement 1: Departments must retire or update ICT hardware with a medium or high business impact, or replace it with an as-a-service solution, before it reaches the end of service life support, unless the risk is formally accepted via the corporate risk management process
Departments must retire or replace any ICT hardware asset with a high or medium business impact before it reaches end-of-service-life (EOSL) support by the vendor, or replace it with an as-a-service solution. Exemption from this requirement is only at the acceptance of risk by the appropriate delegate in accordance with the agency's corporate risk management processes.
EOSL refers to ICT hardware that is no longer manufactured or supported. Terminology for EOSL varies between vendors; however, most vendors will have an end-of-life announcement stipulating when manufacturing or product ordering will end, followed by an EOSL that stipulates when support for the ICT hardware will end.
Advice
High or medium business impact is defined and calculated using the Digital and ICT strategic planning framework. High generally refers to a score above 3.2 and Medium refers to a score ranging between 1.6 and 3.2. See Current state module Enterprise architecture assessment.
Policy requirements are supported by best practice guidance in the Hardware currency guideline.
Implementation
This policy comes into effect from the issue date.
Departments are to assess ICT hardware with a medium to high business impact that is due to reach EOSL and decide whether to update, retire or accept the risk associated with those ICT assets by 30 June each year. This should be conducted routinely as part of the department's regular ICT planning process and the resultant actions included in its ICT Work Plan.
The business risks associated with the EOSL hardware must be formally documented and managed within the corporate risk management framework.
Issue and review
Issue date: 9 April 2019
Next review date: April 2021
This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.