Document Feedback - Review and Comment
Step 1 of 4: Comment on Document
How to make a comment?
1. Use this to open a comment box for your chosen Section, Part, Heading or clause.
2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.
3. Do not open more than one comment box at the same time.
4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.
Important Information
During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity. If you do not have JavaScript running you will recieve a message to advise you of the length of time before the time-out. If you have JavaScript enabled, the time-out is lengthy and should not cause difficulty, however you should note the following tips to avoid losing your comments or corrupting your entries:
-
DO NOT jump between web pages/applications while logging comments.
-
DO NOT log comments for more than one document at a time. Complete and submit all comments for one document before commenting on another.
-
DO NOT leave your submission half way through. If you need to take a break, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.
-
DO NOT exit from the interface until you have completed all three stages of the submission process.
(1) The purpose of this Procedure is to: (3) This Procedure applies to: (4) The Procedure supports the IT Asset Policy and should be read in conjunction with the Information Security Policy, IT Hardware and Software Procedure, Purchasing Policy, Contracts Policy and Risk Management Policy. (5) This Procedure does not apply to VU staff and affiliates in all onshore and offshore locations who wish to use cloud storage and sharing services for performing their work at VU. See IT Asset - Cloud Storage Procedure. (7) IT Asset Policy (8) The University’s preferred position is to adopt cloud-based services for all new solutions or during the revision or renewal of existing systems and services provided the investment is fit for purpose, secure and cost-effective. (9) All business and research applications and systems must be selected, managed and utilised in a manner that achieves the objectives of the University and in line with University policies and procedures. (10) The University does not support unnecessary propagation and duplication of multiple systems performing similar functions. (11) Prior to acquiring new solutions, existing internal and external options will be explored to ensure effort is not duplicated. (12) The selection of a new business application must conform to the University’s Purchasing Policy, Contracts Policy and to relevant Operational Health and Safety policies. (13) Any new Software Application must meet certain requirements: (14) During the application assessment process, consultation with Digital and Campus Services, Procurement, Records and Archives Services, Legal Services and Web services team must be undertaken. (15) Proposed solution and technology selections will be fit-for-purpose, deliverable, value for money and aligned to business priorities, strategy and architectural direction. (16) Cloud service providers selected for the delivery of enterprise critical services must undergo a full risk assessment and ensure the provider can meet VU service requirements. (17) All commercial and organisational risks must be addressed, outlining any compliance, contractual and reputational impacts to the University. (18) Selected cloud service providers must be recognised, respected providers who have well-established security management processes and undergo regular auditing. (19) Appropriate contractual arrangements and technical controls will be implemented to ensure vendors comply with legislatures, statutory authorities and regulations. (20) Approval by the business owner supported by an Executive Director or Deputy Vice-Chancellor is required before contracts can be signed. (21) New business applications are required to follow VU approved integration methods and standards and the University’s identification standards and authorisation standards as appropriate. (22) New business applications will provide functionality or be developed to be accessible from anywhere and any device to encourage workplace flexibility and in line with the University’s transformation principles. (23) A support model for all business applications must be in place and provide a high level of availability to meet business needs. (24) A disaster recovery and business continuity plan should be in place and tested to ensure the continuity of business processes in the event of application failure. (25) Business applications will be classified according to the degree of importance to University operations. This classification will inform but is not limited to the amount of resources applied to maintain the application. (26) The table below defines the tier classification scheme: (27) DCS will maintain an inventory of business applications assigned to tiers according to the tier classification scheme. Architectural model diagrams and inventories are to be updated when business applications are proposed, in production and retired. (28) Changes to tier classifications require approval from DCS and is subject to an evaluation to confirm the application meets the required criteria. (29) A business application may still be allocated to a Tier level if it does not meet the criteria. Justifications include value to the University, strategic importance, reputational risk and external compliance. (30) Changes to business systems and applications will only be made in response to business needs and must adhere to the technology change management framework. (31) Scheduled downtime to business applications must not interfere with critical University operations. (32) Cloud service providers must ensure change control processes are in place and that these align with VU’s technology change management practices. (33) A notice of scheduled maintenance to cloud managed services will be made available to VU through the supplier. (34) All business applications should be reviewed at least once every five years to ensure the application continues to support University compliance and business needs and does not present any risks that may impact operations. (35) Business applications deemed unsuitable will undergo appropriate assessment before a new solution is purchased. (36) Business applications and systems that are no longer required, deliver little or no business value or do not align to VU’s strategic vision or objectives will be decommissioned where applicable. (37) A business application or system no longer in use or no longer required should be archived and removed from the University environment. (38) A business application that is approaching “end of life” will need to be retired with a transition plan to either develop or select a new application in line with this Procedure.IT Asset - Business Application Procedure
Section 1 - Summary
Top of PageSection 2 - TEQSA/ASQA/ESOS Alignment
Top of PageSection 3 - Scope
Section 4 - Definitions
Top of PageSection 5 - Policy/Regulation
Section 6 - Procedures
Part A - Summary of Roles and Responsibilities
Roles
Responsibility
Digital and Campus Services (DCS)
Provide consultancy services to VU colleges and departments to assist with solution and technology assessment and selection.
Maintains a master disaster recovery plan aligned with the University’s business continuity plan.
Seeks approvals from the business owner to make appropriate changes to the technical environment where applicable.
Reviews security controls at least once every 12 months. Works closely with the supplier of the product when upgrades are undertaken.
Business Owner
The business owner governs any changes to software applications to determine the impact to University operations.
The business owner is responsible for approving the timing and installation of changes to production applications and notify affected users.
The business owner notifies affected users when a system/application is retired or significant changes are being proposed.Part B - Procedures
Application Selection and Approvals
Integration and Functionality
Support and Service Level
Tier Classification
Classification
Criteria
Tier 1: Enterprise Critical
Business application used widely within the University to provide a major business service/capability or supports University core business operations and has the potential to cause reputational or financial damage.
Tier 2: Business Critical
Business application used by more than one College, Department or Centre to support significant business processes that are critical to one or more business services.
Tier 3: Departmental
Business application used exclusively by a single College, department or Centre to support other business processes with limited impact on University operations in the event of an outage.
Maintenance and Change Control
Business Application Review
Application and System Retirement