Skip links and keyboard navigation

ICT-as-a-service policy

Document type:
Policy
Version:
v2.0.4
Status:
CurrentMandated
Owner:
QGCDG
Effective:
January 2017–current
Security classification:
OFFICIAL-Public

Purpose

This Queensland Government Enterprise Architecture (QGEA) policy ensures that departments include externally provisioned ICT services when making decisions associated with ICT solution sourcing.

For the purposes of this policy ICT-as-a-service includes all forms of externally provisioned ICT services from managed services to cloud services.

Examples of external provisioned managed services include:

  • an ICT service or function such as application, network or server management
  • application hosting
  • web hosting
  • managed capacity for the provisioning of ICT assets
  • combinations of the above.

Examples of cloud service include:

  • software as-a-service, e.g. social media, on-line collaboration
  • platform as-a-service
  • infrastructure as-a-service
  • business process as-a-service
  • customer relationship management as-a-service
  • identity as-a-service
  • storage as-a-service.

Policy statement

Departments adopt an ICT-as-a-service strategy and source ICT services, in particular for commoditised services, from industry providers in a contestable market where this is feasible and represents value for money.

Departments will also utilize as appropriate cloud-based and other emerging technologies as enablers to complement their ICT-as-a-service strategy.

Policy benefits

Increasing adoption of ICT-as-a-service will reduce the constraints and financial liability of owning and managing ICT assets and allow departments to operate in an environment where ICT is primarily consumed as a service. Departments will become managers and consumers of services where they will be able to:

  • avoid vendor lock in through lengthy and expensive ICT contracts
  • avoid the life cycle of vendors product upgrades
  • improve service delivery efficiency via the use of standard solutions
  • provide greater flexibility and agility to adopt fit for purpose ICT solutions
  • simplify service provisioning and enable right sizing of services
  • enable alignment of changing business systems and processes with ICT
  • leverage innovation as it becomes available from the market
  • improve ICT cost efficiency by:
    • only paying for services consumed
    • scaling up or down based on demand
    • requiring no capital investment.
  • reduce the need for departmental ICT capability to build and operate ICT systems and allow departmental ICT to focus on ICT strategic aspects as an enabler of departmental services.

Applicability

This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and to statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management. Please see How to apply the QGEA for further information.

This policy also applies to internal Queensland Government ICT service providers.

Policy requirements

Policy requirement 1: All investment decisions must consider ICT-as-a-service as part of a procurement option analysis

Departments must include externally provisioned ICT services as part of an option analysis process when making investment decisions. For example, when departments are considering new or replacement ICT solutions or when departments consider the long-term future direction for ICT investments within their organisations.

Advice

There are a number of specific risks/issues/challenges that need to be considered when using ICT-as-a-service including but not limited to:

  • appropriate delivery model
  • ownership
  • disaster recovery and business continuity
  • recovery of data that cannot be retrieved or is lost by the provider
  • implementation
  • application integration and migration
  • unauthorised disclosure of data by the provider
  • unauthorised access to data
  • availability and integrity of data
  • information security classification
  • privacy
  • maintaining public records
  • reporting breaches of privacy and security requirements
  • operational management responsibilities and required skills across traditional and as-a-service delivery models.

Departments need to review contractual arrangements for suitability and appropriate coverage of the attributes associated with ICT delivered as-a-service and to address identified risks and issues. Specifically, contract clauses need to cover issues such as:

  • protection of information
  • liability
  • performance management
  • ending the arrangement
  • dispute resolution
  • other:
    • introduction of harmful code
    • change of control and assignment/novation
    • terms changeable at provider discretion
    • application of foreign laws and trans-border data transfer
    • requirement to accept software updates
    • intellectual property ownership.

In moving to ICT-as-a-service, departments remain responsible for examining any legislative, standards and other compliance requirements that are relevant to their data, information or records.

The Queensland Government ICT-as-a-service risk assessment guideline can provide further guidance on common ICT-as-a-service contractual issues. The guideline is part of the ICT-as-a-service Decision Framework and is designed to assist departments in developing a risk assessment when considering the use of ICT-as-a-service. It outlines the key considerations/risks that departments should address as part of their existing risk management processes. The guideline incorporates advice from a range of key sources, and also directs departments to relevant guidance provided by others, including:

The Office of the Information Commissioner (OIC) has published specific advice on ICT-as-a-service and privacy of data which is available on the Commissions website.

Queensland State Archives (QSA) QSA has published specific advice around custody and ownership of public records during outsourcing or privatisation and managing record keeping risks with cloud computing.

Issue and review

Issue date: 6 January 2017

This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group.

Implementation

This policy comes into effect from the issue date.