Computer Systems Implementation Policy

This is the current version of this document.

Section 1 - Purpose and Context

(1) Computer systems and software are vital to the academic, research and business processes of the University.

(2) This policy formalises the approval processes required to implement or significantly change computer systems within the University. It is not intended to cover one-off proposals for personal computer based systems and software. Having a single formalised implementation process allows the University to ensure the most efficient, effective solutions are used; to prevent multiple systems being purchased with overlapping functionality; and to ensure that the usual controls put in place by ITDS are not accidentally circumvented or ignored.

(3) This policy is to be read in conjunction with the following University policies:

  1. Privacy Policy
  2. Procurement Policy

Section 2 - Definitions

(4) The following definitions apply for the purpose of this policy.

  1. Authorised User: a person who is an enrolled or attending student, a current employee, or a formal supplier, affiliate or associate of the University who is granted access and provided with authentication Credentials by the University. Eduroam users are also Authorised Users.
  2. Computer System: An information system, including hardware, software, use and support procedures, and data, supporting University business. This forms part of the University's IT Resources.
  3. Hosting: Housing, serving and maintaining of systems and data. Systems may operate within University IT facilities (on site hosting), outside of University IT facilities using an external vendor (off site hosting), or a combination.
  4. ITDS: Information Technology and Digital Services
  5. IT Resources: systems, software, hardware, services, communications and network facilities (including email, internet, and Wi-Fi access), and supporting infrastructure provided by or on behalf of the University.
  6. ITRM: Information Technology Relationship Manager, a role within ITDS that interfaces directly with departments, schools and business groups across the University to help ensure delivery of technology that meets the needs of the business area requesting them.
  7. Privacy Legislation: The laws that determine how and when personal information may be given, accepted, and used by the University. For this policy, these laws include the Privacy Act 1988 (Cth); Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW); and the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).
  8. Proposals: Recommendations and supporting documentation for new or significantly changed computer systems.
  9. The University IT Environment: a broad term to describe computer, network, server, storage, and application systems used at the University and their interactions. The University IT Environment regularly changes to keep pace with improvements in technology. Any and all IT resources would be considered part of the IT Environment, including those hosted externally by third parties, delivered through the cloud, or 'as-a-service'.

Section 3 - Policy Statement

(5) To ensure that University computer systems and software appropriately reflect the confidentiality, integrity and availability of the data they manage, it is essential that new computer systems and software, or significant changes to existing systems, are evaluated for compliance with legislation, strategic alignment, University policies, and the security and technical environments, and are confirmed not to cause conflicts with active or pending systems [Ref. ISO 27002 sections 7.2.1, 8.1, 12.1.2, 12.5]. Any capacity or load demands placed on University IT Resources by the new or changed computer system(s) must also be assessed and priced as part of the approval process.

(6) The University must also ensure that systems and software projects are sustainable in terms of the strategic value and operational costs of implementation, as well as ongoing use and maintenance (including licensing, service, or support). The University has limited resources to support computer systems and must ensure that proposals and projects are properly scoped and funded, and fit into overall University priorities.

(7) All computer systems documenting University business are required to comply with the State Records Act 1998, including the standard on digital recordkeeping.

(8) All computer systems must comply with Privacy Legislation and the University's Privacy Policy.

Section 4 - Procedures

(9) Staff, or committees, who identify a need for new or improved IT Resources, should contact the Service Desk to be connected with an Information Technology Relationship Manager (ITRM), who will provide advice, assistance and relevant templates to system proposers throughout the proposed project.

(10) ITDS staff assess individual computer system proposals through a prioritisation process in the context of:

  1. the overarching University Strategy;
  2. the University's IT Strategy;
  3. requirements for compliance with legislation and industry standards; and
  4. security and architecture principles.

(11) Staff requesting a new or improved computer system, in collaboration with an ITRM, will develop an Outline Business Case for justification and assessment in the prioritisation process.

(12) Staff implementing a new or improved computer system or service:

  1. Must ensure that the system or service is introduced to the University IT Environment following the Change Management Process [Ref. ISO 27002 section 14.1].
  2. Must ensure that a Risk and Compliance Workbook is completed, attached to the Change Record, and approved prior to implementation approval through the Change Management Process [Ref. ISO 27002 section 14.1]. The Risk and Compliance Workbook is available through the University's ServiceNow Knowledge Base (KB0012593; requires staff login).

(13) All staff members:

  1. are required to involve ITDS staff prior to developing a request for tender, committing to a specific solution or signing a contract, regardless.
  2. must follow the Procurement Policy for all significant IT Resource purchases.
  3. should actively seek consultation from ITDS, as early in the process as possible, on the implementation and approval process for proposed computer systems; ITDS is expected to be consulted. ITDS provides a prioritisation process, and has ITRMs to create avenues of communication and assist in this process.
  4. should actively seek compliance advice from the Records and Archives Management Services Unit (RAMS) on meeting the recordkeeping requirements for their system(s).

Section 5 - Guidelines

(14) This policy is to be read in conjunction with the following acts and processes:

  1. State Records Act 1998 (NSW)
  2. Privacy Act 1988 (Cth)
  3. Privacy and Personal Information Protection Act 1998 (NSW)
  4. Health Records and Information Privacy Act 2002 (NSW)
  5. Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth)
  6. The Change Management Process

(15) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.