AGIMO DRAFT REPORT ON CLOUD SERVICE PROVIDER CERTIFICATION REQUIREMENTS. AIIA Response
AIIA Response, 10 February 2013
INTRODUCTION

AIIA welcomes the opportunity to provide comment on AGIMO's draft report on cloud service provider certification requirements. The AIIA Cloud Special Interest Group, chaired by Fujitsu, has reviewed the draft and provided some comprehensive feedback. Individual members may also respond to AGIMO in their own right.

The Australian Information Industry Association (AIIA) is the peak national body representing multinational and domestic suppliers and providers of a wide range of information technology and communications (ICT) products and services. We represent over 400 member organisations nationally, including global brands such as Apple, EMC, Fujitsu, Google, HP, IBM, Intel, Microsoft and Oracle; international companies including Telstra; national companies including Data#3, SMS Management and Technology, Technology One and Oakton Limited; and a large number of ICT SMEs.

SUMMARY FEEDBACK

When setting objectives to encourage the uptake of cloud, government should orientate policies towards where industry will be five years from now, to ensure they remain appropriate in what is a challenging and fast moving environment. We understand Government is challenged to make the right decisions in this fast moving environment. Policy makers must be careful to intervene only where there is a clear opportunity to add value and address future market failure; this is particularly true of cloud computing because of its dynamic and evolving nature.

AIIA recommends AGIMO engage with equivalent state based government groups who are embarking on similar initiatives. Ensuring a national approach to assurance / certification will reduce duplication and costs and support harmonization with global markets. As cloud relies on economies of scale, service providers who make the investment for any certification would prefer to be then able to address a national market at least and prospectively also global markets.
If the Commonwealth Government develops a unique certification requirement then the full benefits of cloud may not eventuate for all. An example is the recent NSW Government announcement attached.

AIIA considers that the proposed approach which places emphasis on local standards, restrictions and government mandated limitations is significantly at odds with the adaptive, market-supportive strategy outlined by the Department of Broadband, Communications & the Digital Economy.
We congratulate the Government on its continuing efforts to secure efficiencies in the assessment and procurement of cloud computing offerings for use by departments and agencies. However, the proposed two stage process outlined in the draft report raises a number of significant and fundamental concerns for industry which are summarised below:

1. The five options considered in the draft do not in our view represent a comprehensive or complete range of the possibilities open to government. AIIA has proposed an alternative option that we believe addresses the needs of government whilst not unduly restricting nascent cloud services.

2. AIIA considers that the proposed strategy, based fundamentally on certification that aims to centralise and automate the process of managing cloud risk, is ill advised at this early stage of market development. The consequence for government of the proposed approach will be unnecessary limitation in the range of services available, additional cost and burden on cloud service providers.

3. Applying certification requirements to DCaaS offerings would impose an additional cost burden on all service providers, lower the potential economic viability of an already marginal business thereby reducing the number of potential market participants and represent an unwise first target for accreditation or baseline model for a future framework.

4. The proposed approach is inconsistent with the inherent dynamics of cloud service provision and consumption, which require both more sophisticated risk management frameworks on the consumer side as well as greater understanding of local requirements and commercial adaptation to the local market on the provider side. AIIA suggests a pathway for both sides to learn from each other in developing a mutually beneficial framework.
The Commercial Service Provider Assurance Framework (CSPAF) referenced appears to address a separate and very specific government to citizen use-case that may or may not even be delivered as a cloud based service. AIIA views it as having limited relevance for AGIMO's proposed scenario. Our view is that extending the restrictive CSPAF as proposed would result in an unworkable means of compliance for the IT industry and deny agencies the broadest contestable market.

The approach that AIIA proposes as an alternative way forward is quite simple:

i) In the short term, establish a working group that comprises representative local and global cloud providers, a representative sample of agencies that seek to procure and utilise cloud services along with key stakeholders from government including DSD and AGIMO. A possible charter for this working group is described later in the document.
ii) In the medium term, leverage the working group above and other resources to establish a framework that aligns Australian requirements and global practices.

AIIA considers that the proposed approach which places emphasis on local standards, restrictions and government mandated limitations is significantly at odds with the adaptive, market-supportive strategy outlined by the Department of Broadband, Communications & the Digital Economy.

We believe our alternative approach is more reflective of a genuine government-industry partnership as sought by Prime Minister Gillard in her speech at the Digital Economy Forum in October We believe it will maximise the benefit of perhaps the most significant advance in information technology for all of the Australian government, for business and for consumers.

EXPANDED FEEDBACK

Better approach required: Streamlining the evaluation process for a growing pool of cloud candidate offerings may have merits. Nevertheless we caution against an over-ambitious first attempt to apply prescriptive means of compliance against a highly diverse set of offerings that are not yet systematically or systemically described.

Cloud computing has developed from the premise that standardisation coupled with scale (and hyperscale in some cases), can provide an economically attractive alternative means of sourcing IT requirements. Cloud computing offerings continue to develop apace addressing the current and emerging gamut of typical IT operations and business services within agencies. This evolution tends to confound simplistic risk categorisation based on a series of presently described prescriptive security requirements.

We note that there is no indication in the document of the need to have a clear understanding of various cloud offerings and capabilities that would make it easier to perform a comparative evaluation. Certainly, AIIA sees the development of a consensus-agreed taxonomy or terminology for cloud services being of value.
Members of the ICT industry have noted a similar desire amongst large commercial organisations to streamline the process of cloud selection and procurement especially by organisations in the financial services industry where risk management is a core business competency. In this sector the approach to cloud risk assessment has been conservative with the application of a case-by-case risk assessment of the many cloud proposals. In addition individual firms, together with the industry as a whole, have maintained a supporting, rolling review of assessments to identify logical groupings of services and risk patterns that can then be used to identify future opportunities for more streamlined assessment.

Suggested action: We encourage AGIMO to consider a similar approach to that adopted in the financial services industry by following the Protective Security Policy Framework (PSPF)
requirements for agency risk management in respect of specific cloud proposals. We would further encourage AGIMO to take a lead role in harvesting learnings from these individual assessments across government to identify natural groupings or patterns of cloud risk that might be incorporated into some form of consolidated guidance.

DCaaS is not an appropriate foundation: The DCaaS is a mechanism established to assess the feasibility of applying cloud computing to the long-tail problem of IT contracting where the market descriptively involves a high value by contract number but low individual and aggregate value of service provision. Although no specific numbers have been published to date, the IT industry is conscious that agency uptake has been low. This suggests that the mechanism remains unattractive to agencies at this point. Certainly the work involved to set up and operate such cloud offerings without any indication or commitment of agency demand and at a maximum price point of $80,000 already imposes severe economic limitations on suppliers. Consequently providers have had to make in good faith investment decisions to participate and the extent of market provision is yet to stabilise. We suggest that the additional burden of the type of certification implied in the draft would further erode the viability of the DCaaS rather than enhance it.

The UK G-Cloud initiative pursues a similar objective and has already developed a certification program to underpin this App store approach. However as outlined in a study paper by Queen Mary University of London School of Law [1], it has already become clear that a significant cost and resource burden challenges suppliers contemplating selling under this regime.

DCaaS has a defined narrow scope specific to a particularly IT-centric scenario. It does not provide a solid foundation for a framework to evaluate such divergent cloud services as citizen-relationship management, or social networking within the enterprise.
Extending scope of CSPAF ill-advised: The Commercial Service Provider Assurance Framework (CSPAF) addresses a very specific use case - citizens using government services in a particular scenario around authentication and secure mailbox. Our understanding is that it was not constructed to address the circumstances of government using cloud in support of its own broader technology requirements. The actors and transactions and hence the risk profiles of cloud scenarios are likely to diverge very widely from this narrow use case.

[1] Queen Mary University of London, School of Law, Legal Studies Research Paper No 115/2012, "UK G-Cloud v1 and the impact on cloud contracts", W Kuan Hon; Christopher Millard; Ian Walden.
For this reason we believe that the CSPAF is unsuitable for application to cloud accreditation for the purpose envisioned by AGIMO. In particular, we refer to the following key challenges with this proposed approach:

i. The CSPAF's definitions of Digital Mailbox and Digital Vault embrace the specific requirements of a personal vault concept and would not suitably reflect the broad range of cloud service descriptions likely to interest government agencies.

ii. The identity component of the CSPAF is based on references to early works in progress and does not represent a fully developed basis on which to support any accreditation scheme. The DVS, for instance, is currently a government runway to validate the authenticity of a paper-based ID credential and only lightly utilised within government. The National Trusted Identities Framework (NTIF), although a welcome initiative with considerable merit, is currently at the early exploratory stages of development and lacks a formal work stream. Additionally, the NTIF proposes an approach to claims-based ID that runs counter to the remainder of the ID and security approach in the CSPAF thereby establishing an apparent internal inconsistency.

iii. Encryption requiring Public Key Infrastructure (PKI) must comply with Australian-specific Gatekeeper requirements which not only precludes any global IT cloud vendors from providing services involving PKI but also encumbers local providers with a significant cost burden.

iv. No commercial model reflecting the cost of ID provisioned and risk apportionment for the operation of such an Assurance framework has been articulated and therefore its viability and the potential imposts for stakeholders are unknowable at this point.

v. We provide additional detailed, line item feedback in Appendix 1 at the end of this document and refer the reader to this for specific details.
A PROPOSED ALTERNATIVE APPROACH

AIIA does not consider that the options presented in the draft paper represent a complete articulation of the possible range of approaches, nor do we consider the proposed preferred option of extending the DCaaS MUL or the CSP Assurance Framework is the right course for the Australian government to take. We would however like to suggest a possible alternative approach based on a set of principles that can enable a consistent evaluation of cloud service options.

Start with principles as a basis

We suggest that any framework to facilitate evaluation and adoption of cloud services by government agencies should be founded on a set of core principles, including:
1. Assume a collaborative approach. Collaboration between industry and government including user-agency representatives will be critical to ensure that the benefits and risk of cloud based IT service delivery is maximised for government and the stakeholders of government.

2. Least possible infringement on innovation and choice: Cloud computing services are an emerging industry that offers tremendous potential benefit for government. It incorporates a wide variety of services, mechanisms for delivery, underlying technologies and commercial models. Any artificial limitations imposed through policy or regulation will inhibit necessary market innovation on one hand, and lessen the compelling value of cloud services on the other.

3. Standardisation where applied, should be globally relevant not locally biased: To secure maximum efficiency and resilience, cloud services are often standardised at a global level, even if delivered from a local data centre. Where possible, any unique requirements should be identified in a way that enables separate use cases to be isolated and accommodated without impacting the benefits of broader standardisation. Introducing unique local regulations or requirements will diminish the potential for a wide range of cloud providers to offer services locally. For Australian based cloud service providers, Australian-specific requirements may in the short term help restrict competition, but in the long term will hamper their ability to compete in an increasingly global market.

4. High standards of business conduct and demonstrated openness are paramount: Many of the operational, security, privacy and commercial protections of a cloud service consumer are embodied in commercial contracts and the business practices of the cloud provider. Transparency and accountability in these practices is essential and cloud providers should be prepared to table their practices in an open way that encourages scrutiny.
The Cloud Security Alliance STAR registry is a positive example.

5. Security controls should be appropriate to cloud services and proportional to the risk: Traditional security controls and frameworks such as the Federal Information Security Manual are premised on agencies having direct control over the technology and controls supporting a particular IT service. These prescriptive approaches do not translate well into the circumstances of multi-tenancy, virtualisation and georedundancy that are features of cloud services. Achieving the right level of security protection in cloud services requires different types and mechanisms of control than
would be expected for an on-premise or hosted system. It is not possible to sensibly apply many of the controls within the ISM to a cloud service.

6. Treat assessment holistically. Certification and assurance should advance from a sound understanding of the stakeholders, assets and transactions. Risk should be apportioned and addressed by the entities most able to address it.

Instantiate a framework embracing stakeholders, assets and risk

The framework approach outlined in the Service Provider Certification Requirements for Australian Government (SPCR) and the Commercial Service Provider Assurance Framework (CSPAF) attempts to outline a set of prescriptive must haves rather than setting out a clear way of understanding the stakeholders, their relationship and responsibilities to each other, the information, and the risk associated with their interaction. An alternative model would look to bring together the three groups of stakeholders that each brings their perspective to a cloud option:

1: Government
- Protective security frameworks, such as the Business Impact Level models defining impact characteristics of information assets
- Sundry policies and constraints determining the boundaries of acceptable risk.

2: An agency cloud acquirer
- A set of business capability requirements
- A budget

3: Cloud computing vendor
- A prescribed set of offerings (service descriptions)
- A set of contractual undertakings
- A set of controls implementing these undertakings
- Possible 3rd party attestations of performance against them

Viewing the decision making more holistically like this will then enable AGIMO to describe the outcomes required, the limitations or parameters imposed by various government and related requirements and set the boundaries for a more targeted, streamlined risk assessment process.
Build out a clear risk evaluation path and process for agencies

Industry accepts that government agencies need assistance to assess and evaluate cloud options and to assure themselves of an adequate level of security and operational reliability. It is therefore proposed that the following course of action be adopted:

1. In the short term, establish a working group that comprises representative local and global cloud providers, a representative sample of agencies that seek to procure and utilise cloud services along with key stakeholders from government including DSD and AGIMO. The charter of this working group would be to establish:

a. Consensus principles of a framework that would enable government to more effectively and efficiently evaluate and risk assess cloud service options, while enabling the nascent cloud industry to develop, adapt and innovate

b. Support the creation of risk management guidance and resources for the comparative evaluation of alternative cloud solutions, perhaps to include consensus agreed terminologies, taxonomies and evaluation templates. A set of evaluation guides based on a risk management approach could be developed by AGIMO together with the working group to help agencies interpret the relative merits of different cloud services and specifically assess issues like security, standards support, privacy protections, contractual processes, etc.

c. It may be feasible to develop a standard format by which providers of cloud services can document the services that they provide to a minimal level of depth. This description could be comprehensive and document the types of services offered, operating models, security frameworks, privacy and data protection controls, etc. Importantly, it could detail whether specific international standards or frameworks are complied with such as ISO 27001, Cloud Security Alliance, etc.
The government need not establish any formal registry as such, but it should be understood by the cloud provider industry that agencies or AGIMO may request the description documents during an evaluation or informal assessment of options.

d. The group would build upon the Business Impact Level concept and other mechanisms from the PSPF to establish appropriate guidance for risk which would then inform subsequent candidate risk analysis. The DSD Cloud Computing Considerations could be reviewed to move beyond their quite narrow and restrictive beginnings. It is understood that the DSD guidance at present is built from a foundation of highest sensitivity to risk with an assumption of control over the physical and logical implementations. They may be appropriate for BIL levels 3+, but guidance for BIL 1-2 at the very least, should be developed with the working group.
2. In the medium term, leverage the working group above and other resources to establish a framework that aligns Australian requirements and global practices. In the end, the most efficient and effective outcome for Australian government will come about if this alignment exists. Local standards, local restrictions, local procurement nuances will only serve to increase the costs to government, limit the range of available choices and diminish the opportunities of local cloud service providers in the global market. Already the global market has coalesced around ISO standards and the Cloud Security Alliance. Australia's international allies have progressed cloud evaluations against mechanisms like Impact Levels in the UK and FedRAMP in the US. For Australia to invent a new framework would be counterproductive.
APPENDIX 1: Additional detailed feedback on specific line items.

A review of both the Service Provider Certification Requirements for Australian Government (SPCR) together with Commercial Service Provider Assurance Framework (CSPAF) to which the former references has identified a number of inconsistencies. We have provided some examples below which, although not exhaustive, do indicate that the work stream requires considerable work.

In referencing Business Impact Levels (BILs) in Attachment 3, The SPCS provides for a BIL 0. However, the formal description of these levels in the Attorney-General's public document of 21 June 2011 titled Protective security governance guidelines - Business impact levels makes no such reference.

Page 8 of CSPAF describes requirements for Information Security Management Systems for LOA 1 and references requirements for DSD Cloud Computing Considerations as a baseline and the DSD Top Neither of these documents is actually a control framework but rather guidance or discussion papers intended to precede a fuller risk analysis.

Together with this DSD guidance, Page 8 of CSPAF for LOA 1 demands the requirement for documented Security Risk Management Plan including mitigation strategies. This presumably follows the Protective Security Policy Framework (PSPF) requirement that agency heads ensure Risk Management principles are comprehensively applied within their agencies. However, if this is deemed necessary at the lowest LOA level, would it not be logical to subject all such cloud options to a snapshot Cloud Risk Assessment rather than trying to prematurely encapsulate the risk profile within an accreditation for a particular offering? The approach appears inconsistent. This would enable any risk to be identified formally, appropriate mitigations agreed and any necessary controls formalised with suppliers in a fully auditable way. These could later be formalised as natural patterns amongst cloud use emerge over time.
Page 8 of CSPAF calls for I-RAP assessment for LOA 2. Cloud computing delivered by a supplier with infrastructure based outside Australia or even having infrastructure within Australia but servicing other geographies - either in a primary or failover capacity - would be unable to practically conform to this requirement. The multi-tenancy nature of cloud computing both at the infrastructure and the application layers means that it would be untenable for customer-led audits to be performed. For this reason many cloud providers have provided for third party yearly audits and made the results of these available publicly. Given the market is already offering this form of attestation, would it not make more sense to cross recognise between government requirements and these?

Page 8 of CSPAF demands encryption at rest as a base requirement for the lowest level LOA 1. In requiring encryption at this low risk level, government is imposing considerable cost burden to suppliers, and considerably narrowing the field of candidate suppliers and offerings which will tend to obviate the value of cloud as a service model. Additionally, the requirement for encryption at rest does not appear to recognise the need for complex key management in order to ensure any benefit and the cost and performance imposts this makes. Nor does it address the need for applications to operate on such encrypted data and hence the challenges of managing the trust chain in any processes involved together with attendant key management.
More informationNSW Data & Information Custodianship Policy. June 2013 v1.0
NSW Data & Information Custodianship Policy June 2013 v1.0 CONTENTS 1. PURPOSE... 4 2. INTRODUCTION... 4 2.1 Information Management Framework... 4 2.2 Data and information custodianship... 4 2.3 Terms...
More informationUNCLASSIFIED UNCONTROLLED-IF-PRINTED. Public. 2:51 Outsourced Offshore and Cloud Based Computing Arrangements
Defence Security Manual DSM Part 2:51 Outsourced Offshore and Cloud Based Computing Arrangements Version 1 ation date July 2105 Amendment list 23 Optimised for Screen; Print; Screen Reader Releasable to
More informationBerlin, 15 th November 2013. Mark Dunne SaaSAssurance
Berlin, 15 th November 2013 Mark Dunne SaaSAssurance SaaSAssurance guidance to Irish Government on Cloud Adoption Who are SaaSAssurance? Diverse multilingual European team Focus on the here and now Digital
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationSome Specific Parawise Suggestinons. 2. An application which collects and analyzes this data for further consolidation and,
Comments by Amcham India on draft Internet of Things (IoT) Policy released by the Department of Electronics & Information Technology (DeitY), on October 16, 2014 Standards The Draft IoT Policy already
More informationAppendix A: ICT and Information Management Strategy
Appendix A: ICT and Information Management 2014 2019 Head of Information and Business Change Sarah Caulkin October 2014 1 Version Control: Date Version Author Comments 04/08/14 0.1 Jo Harley First draft
More informationGovernment Cloud, Datacentre consolidation & Apps store development A perspective. Andy Macleod. Strategy and Policy Public Sector
Government Cloud, Datacentre consolidation & Apps store development A perspective Andy Macleod Strategy and Policy Public Sector Disclaimer This information is sourced from previous presentations by the
More informationSupplier Assurance Framework Good Practice Guide
Supplier Assurance Framework Good Practice Guide Version 2.0 February 2015 1 P a g e V e r s i o n 2. 0 F e b 1 5 Contents INTRODUCTION... 3 SUPPLIER ASSURANCE FRAMEWORK OVERVIEW... 4 USING THE STATEMENT
More informationData Centre Capacity - The Need For Federal Government Agreements
WHOLE-OF- GOVERNMENT DATA CENTRES STRATEGY. INDUSTRY BEST PRACTICE PRINCIPLES AIIA Comments 29 May 2010 OBJECTIVES AIIA recognises the Federal government has a need at a whole of government level for resilient,
More informationtreasury risk management
Governance, Concise guide Risk to and Compliance treasury risk management KPMG is a leading provider of professional services including audit, tax and advisory. KPMG in Australia has over 5000 partners
More informationChapter 2. Key issues and committee view
Chapter 2 Key issues and committee view 2.1 The submissions received by the inquiry overwhelmingly supported the establishment of the ASBFE Ombudsman position, and its proposed role of supporting small
More informationCloud Procurement Discussion Paper. For Comment
Cloud Procurement Discussion Paper For Comment AUGUST 2014 Acronyms Acronym AGIMO ASD DCaaS MUL IaaS NIST PaaS RFT SaaS SCS Definition Australian Government Information Management Office Australian Signals
More informationMicrosoft Pty Ltd. Australian Financial System Inquiry: Response to request for further submissions
Microsoft Pty Ltd Australian Financial System Inquiry: Response to request for further submissions August 2014 1 Response in relation to Chapter 9 of the Interim Report Microsoft is pleased to respond
More informationDevelopment Proposal. Company Name Pty Ltd
Development Proposal Company Name Pty Ltd TITLE Government Community Cloud DATE 11 July 2011 Development Proposal UberGlobal CONTENTS UberGlobal White Paper: Government Community Cloud 3 Background 3 Perspective
More informationData Communications Company (DCC) price control guidance: process and procedures
Guidance document Contact: Tricia Quinn, Senior Economist Publication date: 27 July 2015 Team: Smarter Metering Email: tricia.quinn@ofgem.gov.uk Overview: The Data and Communications Company (DCC) is required
More informationCorporate Plan 2015-19
Corporate Plan 2015-19 i ii Serving the Australian Parliament The DPS Corporate Plan 2015-2019 This corporate plan lays out the strategic direction for the Department of Parliamentary Services for the
More informationHosted Desktop as a Service
Hosted Desktop as a Service Contents 1 Introduction to Hosted Desktop Service...2 2 Service Definition...3 2.1 Functionality & Features... 3 2.2 Administration... 4 2.3 Access Methods... 4 2.4 Service
More informationITCRA Response. Request for Submissions on the Draft Version of the APP Guideline Chapters A to D and 1 to 5 covering APPs 1 to 5
ITCRA Response Request for Submissions on the Draft Version of the APP Guideline Chapters A to D and 1 to 5 covering APPs 1 to 5 To: The Office of the Australian Information Commission Submitted: 20th
More informationStandard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide
Standard 1 Governance for Safety and Quality in Health Service Organisations Safety and Quality Improvement Guide 1 1 1October 1 2012 ISBN: Print: 978-1-921983-27-6 Electronic: 978-1-921983-28-3 Suggested
More informationIRAP Policy and Procedures up to date as of 16 September 2014.
Australian Signals Directorate Cyber and Information Security Division Information Security Registered Assessors Program Policy and Procedures 09/2014 IRAP Policy and Procedures 09/2014 1 IRAP Policy and
More informationJoint ICT Service ICT Strategy 2014-17
Document History Document Location This document is only valid on the day it was printed. The source of the document will be found in (see footer) Revision History Date of this revision: 19 th May 2014
More informationCloud Computing Strategy. an addendum to the. Queensland Government. ICT Strategy 2013 17. Queensland Government
Department of Science, Information Technology, Innovation and the Arts Queensland Government Cloud Computing Strategy an addendum to the Queensland Government ICT Strategy 2013 17 Supporting Queensland
More informationAGIMO and whole-of-government ICT Policy
AGIMO and whole-of-government ICT Policy Overview DAMA Canberra July 2013 Meeting Brian Catto Andrew McGalliard James Woods ICT Policy Team AGIMO 1 Agenda Who are AGIMO? What is AGIMOs role? APS ICT Strategy
More informationRule change request. 18 September 2013
Reform of the distribution network pricing arrangements under the National Electricity Rules to provide better guidance for setting, and consulting on, cost-reflective distribution network pricing structures
More informationProcurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire
More informationNational Clinical Effectiveness Committee. Prioritisation and Quality Assurance Processes for National Clinical Audit. June 2015
National Clinical Effectiveness Committee Prioritisation and Quality Assurance Processes for National Clinical Audit June 2015 0 P age Table of Contents Glossary of Terms... 2 Purpose of this prioritisation
More informationBig Data Strategy Issues Paper
Big Data Strategy Issues Paper MARCH 2013 Contents 1. Introduction 3 1.1 Where are we now? 3 1.2 Why a big data strategy? 4 2. Opportunities for Australian Government agencies 5 2.1 What the future looks
More informationNSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4
More informationNetwork Rail Infrastructure Projects Joint Relationship Management Plan
Network Rail Infrastructure Projects Joint Relationship Management Plan Project Title Project Number [ ] [ ] Revision: Date: Description: Author [ ] Approved on behalf of Network Rail Approved on behalf
More informationManaging Governments Shared Platforms Business Case
Managing Governments Shared Platforms Business Case Version Control Version Date Edited By V1.0 17 March 2015 BDO 2 Managing Governments Shared Platforms - Business Case Executive Summary Harnessing the
More informationKCC Technology Strategy 2015-2018
KCC Technology Strategy 2015-2018 Contents 1 Foreword... 3 2 Executive Summary... 4 3 Why a Technology Strategy... 6 4 Technology Roadmap and Key Initiatives 8 5 Self Service and Access... 11 6 Doing Things
More informationGuide to Integrated Strategic Asset Management
Guide to Integrated Strategic Asset Management Issue date: 14 November 2011 Acknowledgements This guide is based on the Australasian Procurement and Construction Council Inc. s (APCC) publication, Asset
More informationREPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 535 SESSION 2013-14 5 JULY 2013. Department for Culture, Media & Sport. The rural broadband programme
REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 535 SESSION 2013-14 5 JULY 2013 Department for Culture, Media & Sport The rural broadband programme 4 Key facts The rural broadband programme Key facts
More informationHKCS RESPONSE COMMONLY ACCEPTED AUDIT OR ASSESSMENT MECHANISM TO CERTIFY INFORMATION SECURITY STANDARDS
Hong Kong Computer Society Room 1915, 19/F, China Merchants Tower, Shun Tak Centre, 168 Connaught Road Central, Hong Kong Tel: 2834 2228 Fax: 2834 3003 URL: http://www.hkcs.org.hk Email: hkcs@hkcs.org.hk
More informationThe Human Capital Management Systems Business Case A Checklist to assist agencies developing a business case
The Human Capital Management Systems Business Case A Checklist to assist agencies developing a business case Final version for release Human Capital Management See more at psc.nsw.gov.au/hcm Index - Business
More informationNECA response to Industry Engagement in Training Package Development Towards a Contestable Model Discussion Paper
NECA response to Industry Engagement in Training Package Development Towards a Contestable Model Discussion Paper Prepared by: Suresh Manickam Date: 19 th December, 2014 NECA National Office 1 19 th December
More informationEnd user preferences for cloud suppliers
End user preferences for cloud suppliers Claranet research programme For more information: claranet.co.uk - twitter.com/claranet To book an appointment or to discuss our cloud services: Call us: 0845 355
More informationPublished by the National Regulatory System for Community Housing Directorate. Document Identification: 003-04-13/NRSD. Publication date: January 2014
Evidence guidelines Published by the National Regulatory System for Community Housing Directorate. Document Identification: 003-04-13/NRSD Publication date: January 2014 Supported by the Commonwealth Government
More informationSocial impact assessment. Guideline to preparing a social impact management plan
Social impact assessment Guideline to preparing a social impact management plan September 2010 Looking forward. Delivering now. The Department of Infrastructure and Planning leads a coordinated Queensland
More informationDigital Continuity Plan
Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach
More informationVocational Education and Training Reform Submission
Vocational Education and Training Reform Submission Prepared by: Suresh Manickam Date: 23 rd July 2014 Page 1 NECA response to VET reform draft RTO standards As a lead player in the electrical training
More informationBest Practice in Design of Public-Private Partnerships (PPPs) for Social Infrastructure, particularly in Health Care and Education
EMAIL contact@fosterinfrastructure.com WEB www.fosterinfrastructure.com Best Practice in Design of Public-Private Partnerships (PPPs) for Social Infrastructure, particularly in Health Care and Education
More informationUniversity of Brighton Sustainable Procurement Strategy 2011-2015
University of Brighton Sustainable Procurement Strategy 2011-2015 Sustainable procurement in a challenging environment Introduction There is widespread recognition that climate change and the use of dwindling
More informationThe Scottish Wide Area Network Programme
The Scottish Wide Area Network Release: Issued Version: 1.0 Date: 16/03/2015 Author: Andy Williamson Manager Owner: Anne Moises SRO Client: Board Version: Issued 1.0 Page 1 of 8 16/04/2015 Document Location
More informationProposed Consequential and Conforming Amendments to Other ISAs
IFAC Board Exposure Draft November 2012 Comments due: March 14, 2013, 2013 International Standard on Auditing (ISA) 720 (Revised) The Auditor s Responsibilities Relating to Other Information in Documents
More informationThe PMO as a Project Management Integrator, Innovator and Interventionist
Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter
More informationData centre strategies for business growth in a hybrid cloud world
Data centre strategies for business growth in a hybrid cloud world A joint report from Pacnet and CIO Custom Solutions Group October 2014 Introduction The data centre has become an integral part of the
More informationStaying Connected. Hardship policy and program details. 1. Overview
Staying Connected Hardship policy and program details 1. Overview Staying Connected is AGL s national hardship program. Launched in early 2003, the program was developed in consultation with AGL s Customer
More informationMANAGING THE SOFTWARE PUBLISHER AUDIT PROCESS
MANAGING THE SOFTWARE PUBLISHER AUDIT PROCESS 3 THE USE OF BUSINESS SOFTWARE AND SPORTS ARE DEFINITELY QUITE SIMILAR; IF YOU WANT TO PLAY (USE THE SOFTWARE), YOU HAVE TO ACCEPT THE RULES. THIS INCLUDES
More informationVictorian Government Risk Management Framework. March 2015
Victorian Government Risk Management Framework March 2015 This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management Principles and Guidelines. Permission has been granted by SAI Global
More informationIRCA Briefing note ISO/IEC 20000-1: 2011
IRCA Briefing note ISO/IEC 20000-1: 2011 How to apply for and maintain Training Organization Approval and Training Course Certification IRCA 3000 Contents Introduction 3 Summary of the changes within ISO/IEC
More informationNew Child Development Legislation, Legislation reform Discussion Paper No. 5 Submission from the AISSA
New Child Development Legislation, Legislation reform Discussion Paper No. 5 Submission from the AISSA November, 2012 BACKGROUND The Association of Independent Schools of South Australia (AISSA) represents
More informationBOOSTING THE COMMERCIAL RETURNS FROM RESEARCH
BOOSTING THE COMMERCIAL RETURNS FROM RESEARCH Submission in response to the Discussion Paper November 2014 Page 1 ABOUT RESEARCH AUSTRALIA is an alliance of 160 members and supporters advocating for health
More informationTasmanian Property Management Planning Framework
Tasmanian Property Management Planning Framework Booklet 1 Foreword This information has been developed to provide an introductory explanation of the Tasmanian Property Management Planning Framework (PMPF).
More informationCOMMONWEALTH GOVERNMENT RESPONSE TO THE PRODUCTIVITY COMMISSION INQUIRY: THE MARKET FOR RETAIL TENANCY LEASES IN AUSTRALIA
COMMONWEALTH GOVERNMENT RESPONSE TO THE PRODUCTIVITY COMMISSION INQUIRY: THE MARKET FOR RETAIL TENANCY LEASES IN AUSTRALIA August 2008 SUMMARY 1. The former Treasurer asked the Productivity Commission
More informationRemote Access Service (RAS)
Remote Access Service (RAS) Contents 1 Introduction to Remote Access Service...2 2 Service Definition...3 2.1 Functionality & Features... 3 2.2 Access Methods... 3 3 Differentiators...4 4 Commercials...5
More informationSector Development Ageing, Disability and Home Care Department of Family and Community Services (02) 8270 2218
Copyright in the material is owned by the State of New South Wales. Apart from any use as permitted under the Copyright Act 1968 and/or as explicitly permitted below, all other rights are reserved. You
More informationCONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA S DIGITAL FUTURE. AIIA Response
CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA S DIGITAL FUTURE AIIA Response 14 November 2011 INTRODUCTION The Australian Information Industry Association (AIIA) is the peak national body representing
More informationProcurement of Production and Post- Production Services in Australia
Procurement of Production and Post- Production Services in Australia Introduction This document has been developed by The Communications Council in conjunction with the Commercial Producers Council subcommittee
More informationQuick Guide: Meeting ISO 55001 Requirements for Asset Management
Supplement to the IIMM 2011 Quick Guide: Meeting ISO 55001 Requirements for Asset Management Using the International Infrastructure Management Manual (IIMM) ISO 55001: What is required IIMM: How to get
More informationQueensland recordkeeping metadata standard and guideline
Queensland recordkeeping metadata standard and guideline June 2012 Version 1.1 Queensland State Archives Department of Science, Information Technology, Innovation and the Arts Document details Security
More informationSubmission to the Department of Environment Regulation s Draft Guidance Statement on Regulatory Principles December 2014
Submission to the Department of Environment Regulation s Draft Guidance Statement on Regulatory Principles December 2014 Chamber of Commerce and Industry of Western Australia (Inc) About CCI The Chamber
More informationStakeholder category: NATIONAL NETWORK OF COMMUNITY SERVICE PROVIDERS
Name: Organisation: UNITING CARE AUSTRALIA Stakeholder category: NATIONAL NETWORK OF COMMUNITY SERVICE PROVIDERS State/Territory: ACT Contact email address: Response to Options Paper Department of Social
More informationDraft guidelines and measures to improve ICT procurement. Survey results
Draft guidelines and measures to improve ICT procurement Survey results Europe Economics Chancery House 53-64 Chancery Lane London WC2A 1QU Tel: (+44) (0) 20 7831 4717 Fax: (+44) (0) 20 7831 4515 www.europe-economics.com
More informationReview of PIRSA s Cost Recovery Policy and practices, including their application to the Fisheries and Aquaculture Industries Primary Industries and
Review of PIRSA s Cost Recovery Policy and practices, including their application to the Fisheries and Aquaculture Industries Primary Industries and Regions SA 29 July 2015 Contents Executive Summary...
More informationAUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES
AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by
More informationSecond Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013
Second Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013 Undertaken by KPMG on behalf of Australian Commission on Safety and Quality in Health Care Contents
More information2013-18 Business Plan. Executive Summary UK Shared Business Services Ltd
2013-18 Business Plan Executive Summary UK Shared Business Services Ltd Published June 2013 Contents I Introduction 3 II Executive Summary 6 Introduction: Geared for Growth in the Service of our Customers
More information6 Cloud strategy formation. 6.1 Towards cloud solutions
6 Cloud strategy formation 6.1 Towards cloud solutions Based on the comprehensive set of information, collected and analysed during the strategic analysis process, the next step in cloud strategy formation
More informationResponse to the European Commission consultation on. European Data Protection Legal Framework
Response to the European Commission consultation on European Data Protection Legal Framework A submission by Acxiom (ID number 02737212854-67) Correspondence Address: Martin-Behaim-Straße 12, 63263 Neu-Isenburg,
More information