NSW Government. End User Computing Standard. Version 1.0. October 2014

Transcription

1 NSW Government End User Computing Standard Version 1.0 October 2014 ICT Services Office of Finance & Services Level 23, McKell Building 2-24 Rawson Place SYDNEY NSW 2000

2 CONTENTS 1. CONTEXT Background Purpose Scope and application Policy context The ICT Service Catalogue 4 2. KEY PRINCIPLES 4 3. STANDARD Use case / scenarios End User Computing Standard elements Configuration management Security management Service management DOCUMENT ISSUE 12 APPENDIX A Definitions 14 APPENDIX B References 15 APPENDIX C Background on standards 16 Developing standards 16 Management and implementation 16 2

3 1. CONTEXT 1.1 Background This End User Computing Standard is a technical standard developed through the NSW Government ICT Procurement and Technical Standards Working Group (PTS Working Group). The standard defines minimum government requirements for end user computing services. 1.2 Purpose The purpose of this standard is to provide technical guidance to NSW Government agencies when implementing end user computing internally and when they are procuring these services. It details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, ensuring agencies can take full advantage of the benefits of end user computing services. 1.3 Scope and application For the purposes of this standard, end user computing describes all devices traditionally associated with computing use within government and industry including desktops, notebooks (including high-end tablet devices), and thin-client terminals. It can also include mobility devices, such as smartphones and consumer type tablet devices. The standard applies to end user computing solutions across NSW Government agencies. The standard does not exhaustively cover all agency specific considerations, and agencies may need to asses any specific requirements they have in addition to those detailed here. 1.4 Policy context The NSW Government ICT Strategy sets out the Government s plan to build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime, and derive better value from the Government s annual investment in ICT. Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy and Guidelines, and they support the NSW ICT Service Catalogue. The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Service Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry. This standard should be applied along with existing standards, policies and guidance that make up the NSW Information Management Framework, as set out in the Information Management: A Common Approach, and including the NSW Digital Information Security Policy. NSW Government agencies must carefully consider their obligations to manage government data and information. Contract arrangements and business processes should address requirements for data security, privacy, access, storage, management, retention and disposal. ICT systems and services should support data exchange, portability and interoperability. More information on the development of standards for the ICT Service Catalogue is at Appendix C Background on standards. 3

4 1.5 The ICT Service Catalogue The ICT Service Catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings in the ICT Service Catalogue, help to reduce red tape and duplication of effort by allowing suppliers to submit service details once. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies. 2. KEY PRINCIPLES The following principles guide the development and implementation of this standard. Facilitating as a service: Specification of end user computing environments should support agencies in moving to as a service sourcing models. Interoperability: Meeting this standard should help agencies achieve application and hardware interoperability, ensuring that agency computing environments enable appropriate information sharing across devices and applications. Mobile and flexible: The end user environment should support modern office work practices including flexible arrangements, activity based working and hot desking. Vendor / operating environment agnostic: Determining end user computing environments should be vendor and operating system agnostic. Devices such as laptops, notebooks, thin-clients should be able to connect to and access the network. The network must be fully compatible with widely used operating environments. 3. STANDARD 3.1 Use case / scenarios This section provides a more detailed description of the recommended business and technical requirements for NSW Government. It provides a consistent approach for all NSW Government agencies regardless of their size. 4

5 Tier 0 applications Tier 1 applications Tier 2 applications Tier 3 applications Tier 4 applications Disaster recovery Data replication Auditing & investigation Moves, additions & changes Performance & latency Remote management / Remote wipe Application packaging BYOD capability Backup & restore Device hygiene End User Computing Standard Use Case / Scenarios SILVER Requirements for Silver level service to support messaging, collaboration and unified communication solutions are listed in the table below. Configuration management Use Case / Scenarios Task Worker?? Knowledge (Office) Worker Knowledge (Mobile) Worker Field (Mobile) Worker 5

6 Onshore / offshore management Password protection/ User authentication Information classification and labelling Role-based security Self-service administration Full service administration Compliant data centre Government Data Centre Service level management Multi-service broker provision End User Computing Standard Security management Service management Use Case / Scenarios Task Worker Knowledge (Office) Worker Knowledge (Mobile) Worker Field (Mobile) Worker 6

7 Tier 0 applications Tier 1 applications Tier 2 applications Tier 3 applications Tier 4 applications Disaster recovery Data replication Auditing & investigation Moves, additions & changes Performance & latency Remote management / remote wipe Application packaging BYOD capability Backup & restore Device hygiene End User Computing Standard Use Case / Scenarios GOLD Requirements for Gold level service to support end user computing solutions are listed in the table below. Configuration management Use Case / Scenario Task Worker?? Knowledge (Office) Worker Knowledge (Mobile) Worker Field (Mobile) Worker 7

8 Onshore/offshore management Password protection / User authentication Information classification & labelling Role-based security Self-service administration Full service administration Any compliant data centre NSW Government Data Centre Service level management Multi-service broker provision End User Computing Standard Security management Service management Use Case / Scenario Task Worker Knowledge (Office) Worker Knowledge (Mobile) Worker Field (Mobile) Worker 8

9 3.2 End User Computing Standard elements Refer to Appendix A Definitions for guidance on service levels, worker types and defined terms in this document Configuration management Tier 0 applications Applications that are embedded in the operating system (either physical or virtual), examples are browser (other browsers may be included as Tier 1 applications) and operating system management tools. Tier 1 applications Applications that are used by all worker types and universally across all areas of government and industry. Examples include browsers (including browser plug-ins for commonly used solutions), hygiene products and office productivity suites including word processing, spreadsheets, and presentation tools. These are ordinarily supplier-provided applications. Tier 2 applications Commercial-Off-The-Shelf (COTS) applications that are used by many worker types but not universally across all areas of government and industry. Examples include project management applications and high-end graphics tools. These are ordinarily supplier-provided applications. Tier 3 applications COTS applications that are used by specialist worker types but not universally across all areas of government and industry. Examples include CAD (Computer Aided Design) applications, specialised engineering, human resources and financial tools. These are ordinarily agency-supplied applications. Tier 4 applications Specialised in-house developed applications and/or legacy applications used by certain business units for specific purposes, often developed to deliver specialised services. Used by many worker types but not universally. These are ordinarily agency-supplied applications. Disaster recovery The solution is to have appropriate levels of disaster recovery built in to minimise downtime or disruption to the service. This element could include anything from a duplicated solution that is available immediately if the primary site fails, to a fully documented process for restoring services within Service Level Agreement (SLA) defined times. Data replication Solution providers must not change any data replication parameters and/or locations without prior written consent from agencies concerned. All data storage locations must be known to agencies and changes agreed before they occur. If data is replicated to a location that has not been approved, the service may be terminated for breach. Auditing and investigation All elements of end user computing solution(s) must provide the agency(s), the Auditor General and/or any other statutory body with the authority to do so the ability to audit and/or conduct investigations of the agency environment within the solution. Moves, additions and changes For Silver level solution offerings, moves, additions and changes remain the responsibility of the commissioning agency. For Gold level solution offerings this is be the sole responsibility of the 9

10 solution provider, unless otherwise agreed and included in the Service Level Agreement (SLA) for the service. Performance and latency The solution will provide appropriate built-in redundancy to achieve agency required levels of service. Typically this may be not less than 99.99% availability during operating hours, and for most agencies this would be a minimum 7:00am-7:00pm Monday to Friday. Some agencies may have a requirement for 24 hours, 7 days per week (eg. Police and Emergency Services, Health, Transport). Bandwidth and latency expectations are to be defined and agreed up front. Remote management / Wipe All solutions must support the ability for remote management (and where appropriate remote wipe) capabilities of end-point devices. Application packaging As appropriate solutions need to provide the ability for non-standard applications (generally those belonging to Tier 3 and Tier 4, or similar) to be packaged for rapid and non-human invention remote deployment. The method will be defined upfront by the solution provider. BYOD capability Any end user computing solution needs to allow for the potential of agencies allowing staff (and/or other engaged human resources) to provide and use non-agency provided (but agency approved) devices that are capable of meeting minimum specifications as prevailing from time-to-time. Solution providers are expected to be able to include a full list (that is updated as appropriate) of all device types, operating systems and/or other requirements that meet minimum standards for the purposes of accessing the solution provided. Device hygiene All devices, including bring your own device (BYOD), must have appropriate and up-to-date hygiene solutions installed. Device hygiene includes, but is not limited to, anti-virus, anti-spam, anti-spyware. For agency and/or service provider issued devices, this will be provided by the agency service provider, for BYOD this must be provided by the device owner and will meet agreed minimum agency/service provider requirements. Backup and restore Services are capable of being backed up and restored of data and configuration settings. The owner of BYO devices are responsible for any backing up and restoring of configuration settings of their device. Agencies need to establish rules and/or guidelines for locations they consider acceptable for backing up agency data and agency-related configuration files. Agency data must only be backed up to approved locations Security management Devices must comply with minimum security standards as determined by agency security policies. They must also be compliant with agency Information Security Management Systems (ISMSs) and assist agencies in the implementation and maintenance of minimum controls under the NSW Government Digital Information Security Policy. Onshore/offshore management All solution providers must be able to articulate where their services will be provided from, including any remote support services. For example, if the provider has a follow the sun support model, the locations of each of their support sites around the globe need to be identified. Any changes to these need to be communicated to the customer agency promptly and if this causes issues, the agency has the right to cancel the service with appropriate notification. 10

11 Password protection / User authentication All implementations must support password authentication (numeric / alphanumeric or similar) End User Computing Setting Minimum password length Maximum password attempts Forbidden passwords Password History Security time-out Value 7 characters 4 attempts Popular: Eg. password, department Repetitive: Eg , Sequential: Eg , Not allowed to use previous x passwords x minutes Information classification and labelling If sensitive information is being stored or transferred using the devices then agencies must have regard to compliance with the NSW Government Classification and Labelling Guidelines. Devices need to be enabled to apply security classifications and dissemination limiting markers (DLMs) to sensitive content. End User Computing environments also need to implement control and handling requirements relevant to the level of sensitivity of the device content, as set out in the NSW Government Information Classification and Labelling Guidelines. Role-based security Solutions should offer the ability to have role based security elements either for all users or defined sub-sets. The ability to allow this should be clearly identified by any potential solution provider Service management All service management elements are assumed to be delivered to an ITIL (Information Technology Infrastructure Library) based service management methodology, unless otherwise specified either by an agency or the service provider. Self-service administration The ability to automatically provision and de-provision for all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider that do not impinge on the solution being provided to other customers. Full-service administration All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency. Any compliant data centre 11

12 All relevant services for the solution to be provisioned from a compliant data centre. A compliant data centre is defined as having the following attributes and/or capabilities: The location of the data centre must be identified either by name and/or location (city and country) in any response The data centre location cannot be changed without first informing the agency(s) concerned The facility must comply with minimum Tier III The facility must be certified against the following international standards: o ISO9001 o ISO27001 o ISO2000 o ISO14001 and other relevant certification including but not limited to: o PCI-DSS o ASD o ASIO-T4 o Uptime Institute o CSA. If the data centre facilities changes to a location that is deemed unacceptable either to NSW Government or to the agency and/or loses attributes and/or capabilities identified above, the agency may need to examine termination of services. NSW Government Data Centre All relevant services for the solution to be provisioned from one or both NSW Government Data Centre (GovDC). Depending on the service offering and agency requirements, it may be possible to burst some elements of services to other location(s) subject to agreement with the commissioning agency. Burst data centres must be deemed Compliant. If the burst data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the burst service or the full service. Service level management Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by a SLA. Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process. Multi-service broker provision Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers. 4. DOCUMENT ISSUE This document is issued by the Office of Finance and Services. For more information call (02) or standards@finance.nsw.gov.au 12

13 This standard will be reviewed in twelve months or earlier in response to post-implementation feedback from agencies. 13

14 APPENDIX A Definitions Service support levels Bronze Service Not defined at this time. Silver Service All End User Computing administration, management and/or related support services that can be delegated from the solution provider to the agency s internal ICT teams are delegated and these services are not provided by the solution provider. Gold Service All End User Computing administration, management and/or related support services are optionally provided by the solution provider in addition to appropriate services being managed by the agency (as allowed by the solution s construct). Platinum Service Not defined at this time. Use Case / Scenario descriptions Use Case / Scenario Task Worker Knowledge (Office) Worker Knowledge (Mobile) Worker Field (Mobile) Worker Description Fixed location based worker. Performs a limited set of tasks. Refer to Worker Type Details in NSW Government Worker Type description. Primarily fixed location based worker (however some mobility may be required). Performs a variety of high intensity tasks using information from various sources. Refer to Worker Type Details in NSW Government Worker Type description. Various locations, often at short notice and always connected. Performs a variety of high-intensity tasks, using information from various sources. Refer to Worker Type Details in NSW Government Worker Type description. Mostly in the field, rarely in the office and always connected. Performs a variety of tasks. Refer to Worker Type Details in NSW Government Worker Type description. Other definitions Desktop A computer that is designed to stay in one place, and typically not powered by an internal battery. End User Computing Describes all uses of computers, and in the context of this standard, covers all devices traditionally associated with computing use, that is Desktop, Notebook (including high-end Tablet devices), Thin-Client terminals and devices. It can also include Smartphones and Tablet devices. Notebook A lightweight personal computer, and in the context of this standard, this also includes variations, such as laptop computers. Smartphone A mobile phone that performs many of the functions of a computer, typically having a touchscreen interface, internet access, and an operating system capable of running downloaded applications. Thin-Client A client machine that relies on the server to perform data processing. Either a dedicated thin client terminal or a regular PC with thin client software is used to send keyboard and mouse input to the server and receive screen output in return. Tablet A small computer which is ordinarily used through touching the screen rather than via a keyboard. 14

15 APPENDIX B References Agencies should have regard to the following statutes, NSW Government policies and standards: AS/NZS ISO Risk management Principles and guidelines Electronic Transactions Act 2000 Government Information (Information Commissioner) Act 2009 Government Information (Public Access) Act 2009 Health Records and Information Privacy Act 2002 M Digital Information Security Policy NSW Government Open Data Policy NSW Government Cloud Services Policy and Guidelines NSW Government ICT Strategy NSW Government ICT Technical Standards Mobility Standard TPP Internal Audit and Risk Management Policy for the NSW Public Sector NSW Government Digital Information Security Policy NSW Government Information Classification and Labelling Guidelines Privacy and Personal Information Protection Act 1998 Public Finance and Audit Act 1983 Public Interest Disclosures Act 1994 NSW Procurement: Small and Medium Enterprises Policy Framework State Records Act 1998 Copyright Act 1968 Copyright Amendment Act

16 APPENDIX C Background on standards Developing standards Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with the industry and experts groups, including the Australian Information Industry Association (AIIA). The following diagram outlines the process. Need for new or amended standard identified Business requirements change Standard developed (Industry/agencies consulted) Services added to Catalogue Standard approved and released by PTS Working Group Market engagement for services which meet the standard The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Office of Finance and Services and includes senior representation from across NSW Government. Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Service Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies requirements. The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility Management and implementation There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value, augment and be complementary to, other guidance, and they are continually improved and updated. This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery. NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Service Catalogue. 16