
Software currency policy

Document type: Policy
Version: Final v3.0.3
Status:
Owner: QGCDG
Effective: April 2019–current
Security classification: OFFICIAL-Public

Purpose

This policy states the Queensland Government's direction regarding maintaining an up-to-date software portfolio and consequently reducing the cost and risk inherent in managing unsupported software products.

Policy statement

To ensure that the delivery of government services underpinned by information technology is reliable, low-risk, cost-effective and agile, the Queensland Government will reduce, and where possible eliminate, instances of unsupported software.

Policy benefits

The benefits of this policy fall into three areas: reducing risk, reducing cost and improving agility:

  • maintain and possibly improve capacity to integrate with up-to-date technologies and to align with changing business requirements
  • ensure better vendor support for deployed software, particularly during incidents
  • maintain alignment with skills available in the labour market
  • create financial savings associated with software procurement, support and training through opportunities to consolidate software portfolios
  • reduce risk and complexity through supporting fewer versions with different behaviours
  • ease consolidation of agency infrastructure to whole-of-government services provided by CITEC or external non-government service providers.

Applicability

This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.

It also applies to off-the-shelf software, including operating systems, with periodical release cycles.

The following are outside the scope of the current policy:

  • custom-built applications (but the underlying technology software platforms are in scope)
  • any product whose version has been mandated across government through another QGEA artefact
  • software licensing issues are dealt with under the Software asset management policy.

Policy requirements

Policy requirement 1: Agencies must retire or replace software, including an as-a-service solution, before it reaches end of mainstream[1] support, unless the risk is formally accepted via the department's corporate risk management process

Agencies must retire or replace any off-the-shelf software with a high or medium[2] business impact before it reaches the end of mainstream support by the vendor. Exemption from this requirement is only by acceptance of the risk by the appropriate delegate in accordance with the agency's corporate risk management processes.

If mainstream support cannot be determined, the software must be maintained no more than two major[3] versions behind the latest release (N-2), or within three years of the general availability of a new release, whichever occurs sooner.

When calculating the percentage of software in an agency that complies with this policy, the following is to be used:

  • fleet items are to be considered as a single asset, individual instances are not to be counted
  • for all other software, individual instances should be counted.
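The decision rule in requirement 1 (mainstream support end date, with the N-2 / three-year fallback when that date cannot be determined, and the business impact threshold from footnote [2]) together with the fleet counting rule above, worked through as an added example; this is illustrative code, not part of the policy, and it assumes an inventory record shape of its own (the fields below), a constructed sample inventory, a constructed assessment date, and the assumption that formally risk-accepted items count as complying:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MEDIUM_FLOOR = 1.6              # footnote [2]: Medium is 1.6-3.2, High is above 3.2
THREE_YEARS = timedelta(days=3 * 365)
AS_AT = date(2024, 7, 1)        # constructed assessment date (assumption)

@dataclass
class Asset:                    # hypothetical inventory record shape (assumption)
    name: str
    impact: float               # business impact score per footnote [2]
    instances: int = 1
    fleet: bool = False         # fleet items count once, not per instance
    mainstream_end: Optional[date] = None  # None: vendor date not determinable
    major: int = 0              # installed major version (footnote [3])
    latest_major: int = 0       # vendor's latest major version
    successor_ga: Optional[date] = None    # GA of the release superseding 'major'
    risk_accepted: bool = False # exemption via corporate risk management process

def status(a: Asset, today: date) -> str:
    """Return 'compliant', 'risk-accepted' or 'action-required' under requirement 1."""
    if a.impact < MEDIUM_FLOOR:
        return "compliant"      # requirement 1 covers high/medium impact software only
    if a.mainstream_end is not None:
        current = today < a.mainstream_end
    else:
        # fallback: at most N-2 AND within three years of the successor's GA;
        # failing either test ("whichever occurs sooner") ends compliance
        current = (a.latest_major - a.major <= 2 and
                   (a.successor_ga is None or today - a.successor_ga <= THREE_YEARS))
    if current:
        return "compliant"
    return "risk-accepted" if a.risk_accepted else "action-required"

def compliance_percentage(assets, today: date) -> float:
    """Fleet items weigh 1, other software one per instance; risk-accepted counts as complying."""
    weight = lambda a: 1 if a.fleet else a.instances
    total = sum(weight(a) for a in assets)
    ok = sum(weight(a) for a in assets if status(a, today) != "action-required")
    return round(100.0 * ok / total, 1) if total else 100.0

INVENTORY = [   # constructed sample inventory, not real agency data
    Asset("desktop-os", 3.5, instances=4000, fleet=True, mainstream_end=date(2020, 1, 14)),
    Asset("db-server", 3.0, instances=3, major=11, latest_major=14, successor_ga=date(2019, 10, 3)),
    Asset("cad-tool", 2.0, instances=2, major=2022, latest_major=2024, successor_ga=date(2023, 4, 1)),
    Asset("legacy-erp", 3.8, instances=1, mainstream_end=date(2018, 6, 30), risk_accepted=True),
    Asset("screensaver", 0.5, instances=10, mainstream_end=date(2015, 1, 1)),
]
```

Note that the 4,000-seat desktop fleet contributes a single unit to the percentage, so one out-of-support fleet image moves the figure far less than the same number of individually counted instances would.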

Advice

The term "unsupported" refers to the situation where vendors (or communities, in the case of some open source software) no longer provide patches, updates or other technical support services for the product in question.

In these situations, the Queensland Government currently bears the full burden of risk associated with running unsupported software. These risks include:

  • easily identifiable software with known vulnerabilities and often automated compromise tools exposing the platform and associated data to easy exploitation
  • increased cost to maintain a software asset without assistance from the vendor
  • lack of agility resulting from the software's inability to align with changes in business requirements
  • limited capacity to integrate with up-to-date technologies
  • scarcity of skilled labour to maintain unsupported technologies
  • human error and resulting costs from supporting the complexity of many versions.

[1] Mainstream support refers to the period of time during which a vendor product is available for general release and receives warranty support and security and non-security updates.

[2] Business impact is defined and calculated using the Digital and ICT strategic planning framework; High refers to a score above 3.2 and Medium refers to a score ranging between 1.6 and 3.2. See the Current state module, Enterprise architecture assessment.

[3] Major version. Vendors use a variety of systems to version their products, so it is difficult to define exactly what a major release is. For the purposes of this policy, a major release should have the following characteristics:

  • is not merely a revision or bug-fix release but contains substantial changes and new features; and
  • generally occurs annually, or less frequently.

Implementation

Departments are to assess their compliance with the requirements of this QGEA policy and decide whether to retire, replace or accept the risk associated with off-the-shelf software assets or an as-a-service solution by 30 June each year. This should be conducted routinely as part of the department's regular ICT planning process, with the resultant actions included in its ICT Work Plan.

This policy comes into effect from the issue date.

Issue and review

Issue date: 9 April 2019
Review date: April 2021

This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.