NSW Government. Document Management Solutions Standard. v1.0. June 2015

Transcription

1 NSW Government Document Management Solutions Standard v1.0 June 2015 ICT Services Office of Finance & Services McKell Building 2-24 Rawson Place SYDNEY NSW 2000

2 CONTENTS 1. CONTEXT Background Purpose Scope and application Policy context The ICT Services Catalogue 4 2. KEY PRINCIPLES 4 3. REQUIREMENTS Information lifecycle Service level and complexity Requirements tables Silver (standard) Use Cases / Scenarios Gold (complex) Use Cases / Scenarios Elements of DM standard Acquisition/Capture Document Management Collaboration/Workflow Service Management 13 DOCUMENT CONTROL 16 APPENDIX A DEFINITIONS 17 Information lifecycle elements 17 Worker types 17 APPENDIX B ABBREVIATIONS 18 APPENDIX C REFERENCES 19 APPENDIX D STANDARDS 20 Developing technical standards 20 Management and implementation 20 2

3 1. CONTEXT 1.1. Background This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. The standard contains technical and functional requirements that agencies should consider when procuring ICT services for document management (DM) solutions. By defining the necessary and common elements across agencies the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability Purpose The purpose of this standard is to assist NSW Government agencies to evaluate the functionality of DM solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government s priorities as outlined in the NSW Government ICT Strategy. This standard sets out the minimum technical requirements for the provision of DM solutions to NSW Government. This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings Scope and application This standard applies to all NSW Government departments, statutory bodies and shared service providers, in the procurement of DM solutions. It does not apply to state owned corporations, but is recommended for their adoption. For the purposes of this standard, DM solution describes all elements of a system for providing DM for an organisation. This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard Policy context The NSW Government ICT Strategy and Implementation Update set out the Government s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government s annual investment in ICT. Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Services Policy and Guidelines, and they support the ICT Services Catalogue. The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the ICT Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies in 3

4 line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry. This standard should be applied along with existing standards, policies and guidance that make up the NSW Information Management Framework, as set out in the Information Management: A Common Approach, and including the NSW Digital Information Security Policy. In addition, solutions should assist agencies in their alignment with the NSW Government Enterprise Architecture Strategy. NSW Government agencies must carefully consider their obligations to manage government data and information. Contract arrangements and business processes should address requirements for data security, privacy, access, storage, management, retention and disposal. ICT systems and services should support data exchange, portability and interoperability. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix D Standards The ICT Services Catalogue This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies. Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability, and provide better value ICT investment across NSW Government. 2. KEY PRINCIPLES This standard is based on the following principles: End-to-end digital: DM solutions should facilitate end-to-end digital management, without the need to move in and out of hardcopy format through the process. Customer-centricity: DM solutions should provide a positive end-user experience, designed around the needs of the user and the journey from document capture and indexing, through search, retrieval, editing and dissemination, to archiving or disposal. DM solutions should support the ability to form a single view of the customer, presenting all relevant documents together where appropriate. They should facilitate public engagement where they are used for data collection from members of the public, accounting for privacy and security requirements. Streamlined authentication mechanisms (using trusted identity providers) can help maintain a customer-centric focus. Eliminating duplication: DM solutions, and associated workflow processes, should minimise the need to enter (or re-enter) data and information. Manual information entry also creates the potential for errors in datasets. Facilitating as a service: DM solutions should be available as a service. Vendors should facilitate agency transitioning from on-premise software to solutions provided as service. Performance and latency: DM solutions should be designed to optimise performance and minimise latency across all functions to encourage concurrent use and collaboration across different geographic locations. 4

5 Business process integration: DM solutions should be capable of integration and interoperability with other systems to enable seamless business processes. Document storage, editing and retrieval should be built into business processes, to ensure that any DM system used creates minimal (or preferably no) impact on staff. It should be more efficient for staff to use the DM solution than to not use it. Interoperability: DM solutions must meet industry recognised standards for metadata and interoperability to support sharing, security and business process integration, across the whole information lifecycle as set out in 3.1. Accountability: DM solutions must support the creation, population and export of audit metadata, workflows, permissions and any other metadata needed to evidence the authenticity, reliability, integrity and useability of documents. Mobile and flexible: DM solutions should support mobility and flexible work practices, be accessible online or offline, and be device independent. They should also be able to integrate new technologies as required. Vendor / operating environment agnostic: DM solutions should be vendor and operating system agnostic. Users should be able to capture, access and edit documents in a range of environments. The solution should also support import from, or export to, solutions in other environments. DM solutions should also apply NSW data and information management principles, as outlined in Information Management: A Common Approach. Data and information should be compliant, governed, collected once, fit for purpose, defined, optimised, organised, secured, used, shared, maintained and available. 3. REQUIREMENTS 3.1. Information lifecycle The following elements should be considered when assessing a DM solution: 1. Acquisition/capture 2. Document management 3. Collaboration/workflow 4. Service management These elements are drawn from a typical information lifecycle, which includes capture, distribute, use, maintain and dispose of data, as set out in the NSW Information Management Framework Information Management: A Common Approach. DM solutions must also comply with IPC privacy guidance, NSW State Records requirements including the Standard on Records Management, and the NSW Government Classification and Labelling Guidelines. Information management is the process of using technology to collect, organise, store, and provide information within a company or organisation with a goal of efficient and accountable management. DM is regarded as a subset of information management. The goal of information management is to enable organisations to control and administer information assets throughout their lifecycle. A document is recorded information or an object that can be treated as a unit (AS ISO Part 1 Clause 3.10). It is ordinarily an item or collection of written, printed, or electronic matter with accompanying metadata that provides information. DMs should facilitate the management of document content and context (metadata about process and actions). This standard also applies to records, as defined by AS ISO (Part 1 Clause 3.15) and the State Records Act 1998 (NSW). See the State Records NSW Glossary for more detail on relevant definitions. 5

6 3.2. Service level and complexity DM can be provided in a range of ways. For example, the supplier of the service may manage some of the service or environment during the course of the contract, or the supplier of the service may manage the entire service for course of the contract. The following requirements use case tables are separated into three service levels, bronze, silver and gold, reflecting the complexity of the DM solution required: Bronze: Not defined at this time. Silver: Standard DM solution or service. Gold: Advanced/complex DM solution or service Requirements tables The following tables set out the recommended business and technical requirements for NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size. Explanations for each element of the following use cases are provided at section 3.4. Meeting the requirements of this standard A service that meets all the requirements across both worker types and public at Silver or Gold level, in relation to at least one of the above stages of the information lifecycle, meets this standard. For example, if a service meets all of the requirements of the Acquisition/capture lifecycle stage, at the Silver level, across both worker types and public, then that service is deemed compliant. Where this service is represented in the ICT Services Catalogue, the stage(s) for which it is compliant will be noted. See Appendices A and B for additional details on information lifecycle stages and worker types, as well as a list of abbreviations used in this standard. See the NSW Government Cloud Services Policy and Guidelines for as a service and cloud definitions. 6

7 Optical Character Recognition Digitalisation of paper documents Bulk import Digital workflow to DM Electronic documents Electronic &/or manual metadata capture Secure document Access schedule Version control Classification & labelling Office tools integration Custom metadata classification Content searching Retrieval via metadata search Web & mobile based access Offline synchronisation LDAP authentication & authorisation Roles based authorisation CMIS integration Document control Enterprise search File plan management Retention policy management Automated dispositions Tracking & documenting of record destruction Secure legal & audit holds Formal/informal documents Document Management Solutions Standard Silver (standard) Use Cases / Scenarios Use cases for standard DM that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns. Acquisition/Capture Document Management Use Case / Scenario SILVER Office-based Worker Mobile Worker Public 7

8 Real time editing of documents Security of documents & profiles Linear workflow processing Internal & external sharing of files Instant messaging integration Notification on document updates Planning & scheduling management of workflow Parallel workflow processing Workflow task & case management Rules integration Self-service administration Full-service administration Cloud compliant hosting facility NSW Government Data Centre Onshore/offshore management Non-proprietary & open standards compatible Audit logging Compliance with NSW Government legislation Service level management Multi-service broker provision Document Management Solutions Standard Collaboration/Workflow Service Management Use Case / Scenario SILVER Office-based Worker Mobile Worker Public 8

9 Optical Character Recognition Digitalisation of paper documents Bulk import Digital workflow to DM Electronic documents Electronic &/or manual metadata capture Secure document Access schedule Version control Classification and labelling Office tool integration Custom metadata classification Content searching Retrieval via metadata search Web & mobile based access Offline synchronisation LDAP authentication and authorisation Roles based authorisation CMIS integration Document control Enterprise search File plan management Retention policy management Automated dispositions Tracking & documenting of record destruction Secure legal and audit holds Formal/informal documents Document Management Solutions Standard Gold (complex) Use Cases / Scenarios Use cases for standard DM that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns. Acquisition/Capture Document Management Use Case / Scenario GOLD Office-based Worker Mobile Worker Public 9

10 Real time editing of documents Security of documents & profiles Linear workflow processing Internal & external sharing of files Instant messaging integration Notification on document updates Planning & scheduling management of workflow Parallel workflow processing Workflow task & case management Rules integration Self-service administration Full-service administration Cloud compliant hosting facility NSW Government Data Centre Onshore/offshore management Non-proprietary & open standards compatible Audit logging Compliance with NSW Government legislation Service level management Multi-service broker provision Document Management Solutions Standard Collaboration/Workflow Service Management Use Case / Scenario GOLD Office-based Worker Mobile Worker Public 10

11 3.4. Elements of DM standard Acquisition/Capture Solutions should be able to capture documents/data (either manually or electronically) for storage and work-flowing (as appropriate) to an appropriate DM solution. Should a solution not have capture methods, it must be able to demonstrate as a minimum that it has the ability for this function to be added to it through integration of a bolt on element or identifying appropriate third-party solutions/services. Examples of document capture for the purposes of this standard include (but are not limited to): Optical Character Recognition (OCR). with and without attachments. Digitisation of paper documents hardcopy documents digitised for storage. Bulk import allowing automated, efficient import or acquisition of documents. Digital workflow to DM digital workflow of documents either natively as part of the solution or as a connector to a third party workflow engine. Electronic documents (most common formats) either directly or from , collaboration and/or other third party solutions or business systems. Electronic &/or manual metadata capture for manual a minimum requirement is the manual entry of identification material related to the document. In addition to digitally capturing data, solutions should be able to provide audit logs (events tracking). Event information must be specific, meaningful and useful Document Management Solutions should be able to manage documents/records throughout their life (including disposal and/or archiving) as required by the agency. Elements that should be delivered as a minimum are listed below. Any additional element(s) would be considered favourably and should be highlighted in any response to market engagements. All solutions must be able to input/export content and defined metadata to a format that is industry standard to facilitate transfer between solutions should an agency need to change its solution. Secure document preventing unauthorised access and managing the rights to access the document. This includes automated security access control, based on the file plan. This should also address the situation where a person who is able to assign rights to access leaves an organisation, and the rights to access require modification. Access schedule ability to change the access group based on certain criteria. Version control management of changes to documents, and other collections of information linked to business process/workflow. Classification & labelling process of assigning document(s) to one or more classifications or labelling categories for sensitive information, as per NSW Government classification and labelling requirements. Office tools integration interoperability of the digital document with the organisations office productivity tools. 11

12 Custom metadata classification ability to modify the class or category of data that has been assigned to a digital document in order to provide information about the document for the purpose of identification. Content searching use of search technology to find or extract a document based on its digital content (as opposed to the meta-data). Retrieval via metadata search use of search technology to find or extract a document based on its metadata. Web & mobile based access obtain or retrieve a digital document via the web or a mobile device. Offline synchronisation work on documents whilst not directly connected to the DM repository and update documents automatically when connected. LDAP authentication & authorisation use of agency Lightweight Directory Access Protocol (LDAP) solution to authenticate a user and provide authorisation to access documents. Roles based authorisation granting document access based on a user s login credentials. CMIS integration (Content Management Interoperability Services) share and access documents across multiple content management systems. Document control (lifecycle) mechanism to manage and classify the various stages of a document as it changes from version to version. Enterprise search discovery and output technology to search for document content regardless of where it exists for example collaboration repositories, solutions, network shares, intranets, extranets, websites, databases, social media etc. Consider whether an option is required to provide a link to all documents which a person in a specific role has accessed, so that if a new person comes into the role they can quickly identify and access those same documents enhancing business continuity. File plan management define the method for classifying records and document classifications. Retention policy management define the method for document retention periods. Automated dispositions automated destruction/permanent retention of record(s) or document(s), based on the file plan. This should also address scenarios where exceptions arise because specific documents need to be retained beyond minimum periods, e.g. through the use of prompts to check before documents are destroyed. Tracking & documenting of record destruction. Secure legal & audit holds to preserve all forms of relevant information during an audit or when legal action is reasonably anticipated. Formal/informal documents ability to distinguish between documents that have been part of a formal work or approval process from informal documents Collaboration/Workflow Solutions should be able to provide a level of collaboration/workflow for the management of documents/data. Should a solution not have collaboration/workflow capability, it should be able to demonstrate as a minimum that it has the ability for this function to be added to it through integration of a bolt on element or through identifying appropriate third-party solutions/services. This section should be considered in conjunction with the collaboration elements of the Messaging Collaboration and Unified Communications Standard. Real time editing of documents technology to enable Real Time Collaborative Editing (RTCE), allowing multiple users to edit the same document or file simultaneously (with merging, conflict prevention and resolution for protecting edits). 12

13 Security of documents & profiles securing document(s) from unauthorised access and managing the rights to access documents via user accounts / profile based / role based controls inherited from the file plan. Linear workflow processing basic workflow process of moving document(s) in a sequential manner from user to user or queue to queue and ability to move the document forward or backwards in the process by accepting or rejecting changes; document versions should be linked to workflow steps, e.g. it can be viewed as it was submitted to a committee, then viewed as it was edited after taking in committee input etc. Internal & external sharing of files ability to access, upload or download documents across corporate and public networks. Instant messaging integration real time communication service over the Internet allowing collaboration on a document (beyond and/or in additional to services provided within a collaboration tool). Notification on document updates electronically alerts/notification to users of event triggers for example document updates etc. Planning & scheduling management of workflow for example manage workload across users or when user needs to complete a specific piece of work. Parallel workflow processing ability to run two or more workflows concurrently when they split onto separate paths and manage process if they re-join. Workflow task & case management manage tasks or actions involving document workflows. Encapsulates metadata relating to a case where document is a sub component. Rules integration ability to dynamically specify, modify, or control rules associated with workflow process Service Management Self-service administration The ability to automatically provision and de-provision for all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider that do not impinge on the solution being provided to other customers. Full-service administration All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency. Cloud compliant hosting facility All relevant cloud services for the solution are to be provisioned from a compliant hosting facility. Compliant hosting is defined as having the following attributes and/or capabilities: The location of the hosting facility must be identified either by name and/or location (city and country) in any response The hosting location cannot be changed without first informing the agency concerned The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard. 13

14 The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable: o ISO 9001 o ISO o ISO :2011 o ISO Other desirable certifications may include, but are not limited to: o PCI-DSS v3.0 or later o Australian Signals Directorate o ASIO-T4 o Uptime Institute o CSA Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client. If the hosting facilities changes to a location that is deemed unacceptable either to NSW Government or to the agency and/or loses attributes and/or capabilities identified above, the agency may need to consider termination of services. NSW Government Data Centre All relevant services for the solution to be provisioned from one or both NSW Government Data Centre (GovDC). Depending on the service offering and agency requirements, it may be possible to burst some elements of services to other location(s) subject to agreement with the commissioning agency. Burst data centres must be deemed compliant. If the burst data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the burst service or the full service. Onshore/offshore management All solution providers must be able to articulate where their services will be provided from, including any remote support services. For example, with a follow the sun support model, the locations of each of their support sites around the globe need to be identified. Any changes to these need to be communicated to the customer agency promptly; depending on the terms of the arrangement, this may give the agency the right to cancel the service with appropriate notification. Non-proprietary & open standards compatible All data and associated material generated, captured, stored or otherwise in a compliant solution must conform with open standards principles to the extent possible such that data and metadata can be ported to another solution with minimum cost and effort should the need occur. Providers need to demonstrate compliance with this element. Audit logging All elements of DM solutions should have the ability to log events to an auditing facility containing as a minimum name of person (user ID) making a change together with the changes being made. Compliance with NSW Government legislation (relating to document and/or records management) All solutions relating to DM must be compliant with existing NSW Government legislation relating to document and/or records management. Further should this legislation change to remain an endorsed solution, the solution must reflect these changes within a reasonable timeframe. 14

15 Service level management Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by a SLA. Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process. Multi-service broker provision Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers. 15

16 DOCUMENT CONTROL Document history Status: Final Version: 1.0 Approved by: Procurement & Technical Standards Working Group Approved on: 4 June 2015 Issued by: ICT Services Contact: ICT Services, Service Innovation and Strategy Division, Office of Finance and Services standards@finance.nsw.gov.au Telephone: (02) Review This standard will be reviewed in 12 months. It may be reviewed earlier in response to postimplementation feedback from agencies. 16

17 APPENDIX A DEFINITIONS Information lifecycle elements Use Case / Scenario Acquisition/Capture Document Management Collaboration/Workflow Service Management Description The initial information gathering and capture phase of the DM lifecycle. This needs to cover aspects of the solution that are involved with the initial capture of information, and encourage citizen engagement. The set of services or technology for managing the document after it is captured and throughout its lifecycle. The set of services or technology for enabling collaboration on documents and the business processes associated with the documents. This area needs to be considered in relation to the Messaging, Collaboration and Unified Communications Standard. Details elements of managing the service itself, includes full or self-service, NSW Government Data Centre, and onshore/offshore management. Worker types Use Case / Scenario Office-based Worker Description This worker type combines two worker types used in NSW Government standards, namely Task Worker and Knowledge (Office) Worker. Task Worker: Fixed location based worker. Performs a limited set of tasks. A task worker is a person that performs a specific (IT) task all day. Categories include: call centre agents, data capturing clerks and the like. In fact anyone who spends their day primarily using one application to perform their daily work is defined as a task worker. Knowledge (Office) Worker: Primarily fixed location based worker (however some mobility may be required). Performs a variety of high intensity tasks using information from various sources. Works at any of the tasks of planning, acquiring, searching, analysing, organising, storing, programming, distributing, marketing information, and those who work using the knowledge so produced. This worker type combines two worker types used in NSW Government standards, namely Knowledge (Mobile) Worker and Field (Mobile) Worker. Knowledge (Mobile) Worker: Various locations, often at short notice and always connected. Performs a variety of high-intensity tasks, using information from various sources. Mobile Worker Public Field (Mobile) Worker: Mostly in the field, rarely in the office and always connected. Performs a variety of tasks. Return to an office occasionally. This segment contains traditional field-based workers such as insurance adjusters, real estate agents, roofing contractors/agents, and sales representatives. The amount of time these individuals spend in the field varies, and often does not directly correspond to the amount of time they spend working remotely. A member of the public who is associated with the document that is managed by an agency. 17

18 APPENDIX B ABBREVIATIONS AIIA ASD ASIO CMIS CSA DM GovDC ICT ISO IT LDAP OCR PTS RTCE SLA Australian Information Industry Association Australian Security Directorate Australian Secret Intelligence Organisation Content Management Interoperability Services Canadian Standards Association Document Management Government Data Centre Information & Communication Technology International Organization for Standardization Information Technology Lightweight Directory Access Protocol Optical Character Recognition Procurement & Technical Standards Real Time Collaborative Editing Service Level Agreement 18

19 APPENDIX C REFERENCES Agencies should have regard to the following statutes, NSW Government policies and standards: AS ISO Australian Standard on Records Management AS/NZS ISO Risk management Principles and guidelines Copyright Act 1968 DFS C Data Centre Reform Strategy Electronic Transactions Act 2000 Government Information (Public Access) Act 2009 Health Records and Information Privacy Act 2002 Information Management: A Common Approach IPC Privacy Guidance M Digital Information Security Policy NSW Government Open Data Policy NSW Government Cloud Services Policy and Guidelines NSW Government Enterprise Architecture Strategy NSW Government ICT Strategy NSW Government Digital Information Security Policy NSW Government Information Classification and Labelling Guidelines Privacy and Personal Information Protection Act 1998 Public Finance and Audit Act 1983 Public Interest Disclosures Act 1994 State Records Act 1998 State Records Standard on Records Management TPP Internal Audit and Risk Management Policy for the NSW Public Sector 19

20 APPENDIX D STANDARDS Developing technical standards Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with the industry and experts groups, including the Australian Information Industry Association (AIIA). The following diagram outlines the process. Need for new or amended standard identified Business requirements change Standard developed (Industry/agencies consulted) Services added to Catalogue Standard approved and released by PTS Working Group Market engagement for services which meet the standard The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Office of Finance and Services and includes senior representation from across NSW Government. Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies requirements. The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility. Management and implementation There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value, augment and be complementary to, other guidance, and they are continually improved and updated. This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery. NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue. 20