Digital Services Implementation Policy

This is the current version of this document.

Section 1 - Purpose and Context

(1) Digital Services are vital to the academic, research and business processes of Western Sydney University (the University).

(2) This policy formalises the approval processes required to implement or change Digital Services within the University. Having a single formalised implementation process allows the University to ensure the most efficient, effective solutions are used; to prevent multiple systems being purchased with overlapping functionality; and to ensure that the agreed controls put in place by the University are followed.

(3) This policy is to be read in conjunction with the following University policies:

  1. Privacy Policy
  2. Procurement Policy
  3. Records and Archives Management Policy

(4) This policy is to be read in conjunction with the following legislation, which is applicable to all Digital Services:

  1. State Records Act 1998 (NSW)
  2. Privacy Act 1998 (Cth)
  3. Privacy and Personal Information Protection Act 1998 (NSW)
  4. Health Records and Information Privacy Act 2002 (NSW)

(5) This policy should be read in conjunction with the following University processes:

  1. The ITDS Change Management Process (KB0010688, requires Staff Login)
  2. The Risk and Compliance Workbook (KB0012593, requires Staff Login)
  3. Enterprise Architecture Principles (KB000014641, requires Staff Login)

(6) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.

Section 2 - Definitions

(7) The following definitions apply for the purpose of this policy:

  1. Authorised User: a person who is a currently enrolled or attending student, a current employee, or a formal supplier, joint venture partner, affiliate or associate of the University who is granted access and provided with authentication credentials by the University. Eduroam users are also Authorised Users.
  2. Digital Services: synonymous with IT Resources; all services (e.g., data, voice, video) delivered through electronic means. This includes the capture, storage, retrieval, transfer, communication and/or dissemination of information electronically and the technologies used in support of these activities. Such technologies encompass systems, software, hardware, communications and network facilities. The method of delivery may be hosted within University IT facilities, externally or a combination. They may be paid or free, subscribed or purchased, provided through a cloud or as a managed service.
  3. Enterprise Pipeline: the process administered by the Project Management Office for the evaluation of University wide proposals for activities over and above business as usual.
  4. Hosting: Housing, serving and maintaining of systems and data. Systems may operate within University IT facilities (on site hosting), outside of University IT facilities using an external vendor (off site hosting), or a combination. If hosting data or Digital Services outside Australia, certain contractual arrangements may be required.
  5. IT Environment: a broad term to encompass Digital Services used, provided and/or supported by the University, the staff involved in their delivery and management and the Authorised Users for whom they are provided.
  6. IT Resources: refer to Digital Services.
  7. ITDS: Information Technology and Digital Services
  8. Proposals: Recommendations and supporting documentation for new or changed Digital Services.
  9. SDM: Service Delivery Manager, a role within ITDS that interfaces directly with departments, schools and business groups across the University to help ensure delivery of technology that meets the needs of the business area requesting them.

Section 3 - Policy Statement

(8) To ensure that University Digital Services appropriately reflect the confidentiality, integrity and availability of the data they manage, it is essential that new Digital Services, or significant changes to existing services, are evaluated for compliance with legislation, strategic alignment, University policies, the security and technical environments, and to confirm that they will not cause conflicts with active or pending systems [Ref. ISO 27002 sections 7.2.1, 8.1, 12.1.2, 12.5]. Any capacity or load demands placed on the IT Environment by the new or changed Digital Service(s) must also be assessed and priced as part of the approval process.

(9) The University must also ensure that Digital Services projects are sustainable in terms of the strategic value and operational costs of implementation, as well as ongoing use and maintenance (including licensing, service, or support). The University has limited resources to support Digital Services and must ensure that proposals and projects are properly scoped and funded in line with the University’s Enterprise Pipeline process, and fit into overall University priorities.

(10) All Digital Services relating to learning and teaching must also be evaluated for risks to and accessibility for students, including security risks, as required under the Higher Education Standards Framework [Ref. section 3.3.1-.2, 6.2.1e and 7.3.3b]. The evaluation of learning and teaching Digital Services is to be performed in conjunction with the Deputy Vice-Chancellor and Vice-President, Education portfolio.

Section 4 - Procedures

(11) Digital Services proposals should be submitted into the University’s Enterprise Pipeline and will be evaluated through a prioritisation process with consideration to:

  1. the University’s Strategy;
  2. the University's Digital Futures Strategy;
  3. the Information Technology and Digital Services Future Now Strategy;
  4. requirements for compliance with legislation and industry standards, including but not limited to privacy considerations; and
  5. security, data retention and architecture principles.

(12) All staff members must:

  1. comply with the Procurement Policy for any activities that involve external suppliers;
  2. actively seek consultation from ITDS, as early in the process as possible for the purpose of ensuring:
    1. alignment with the Enterprise Architecture Principles;
    2. completion of a Risk and Compliance review; and
    3. appropriate data management (e.g. data classification and handling, record retention). Refer to the Records and Archives Management Policy.
  3. seek approvals in line with the Procurement Policy.

(13) Staff implementing a new or improved Digital Service will need to engage with the University’s technical Change Management Process, and may also need to complete a Risk and Compliance Workbook [Ref. ISO 27002 section 12.1.2]:

  1. Introducing a new or altered Digital Service to the University’s IT Environment requires staff to follow the Change Management Process [Ref. ISO 27002 section 12.1.2];
  2. Where the Digital Service is entirely new, staff must ensure that a Risk and Compliance Workbook is completed, attached to the Change Record, and approved prior to implementation approval through the Change Management Process.
  3. Where the Digital Service is being upgraded or otherwise significantly changed, an evaluation of the necessity and timing of a Risk and Compliance Workbook will be made on the Change Record. The Risk and Compliance Workbook is available through the University's ServiceNow Knowledge Base (KB0012593, requires staff login).

Section 5 - Guidelines

(14) Nil.