View Document

IT Asset - Business Application Procedure

This is the current version of this document. To view historic versions, click on the 'Historic Versions' tab above.

Section 1 - Summary

(1) The purpose of this Procedure is to:

  1. outline the principles that govern the management of Victoria University (VU) Business and Research software applications;
  2. support VU’s preferred position to adopt a cloud-first approach when implementing new applications and systems through the use of cloud computing services; and
  3. establish a framework to ensure the safe, secure and effective adoption of cloud computing services.
Top of Page

Section 2 - TEQSA/ASQA/ESOS Alignment

(2) HESF: Standard 2.1 Facilities and Infrastructure, 7.3 Information Management

Top of Page

Section 3 - Scope

(3) This Procedure applies to:

  1. Victoria University staff and post-graduate students.
  2. The evaluation, procurement and management of business and research applications either in-house or outsourced.

(4) The Procedure supports the IT Asset Policy and should be read in conjunction with the Information Security Policy, IT Hardware and Software Procedure, Purchasing Policy, Contracts Policy and Risk Management Policy.

(5) This Procedure does not apply to VU staff and affiliates in all onshore and offshore locations who wish to use cloud storage and sharing services for performing their work at VU. See IT Asset - Cloud Storage Procedure.

Top of Page

Section 4 - Definitions

(6) Nil.

Top of Page

Section 5 - Policy/Regulation

(7) IT Asset Policy

Top of Page

Section 6 - Procedures

Part A - Summary of Roles and Responsibilities

Roles Responsibility
Digital and Campus Services (DCS) Provide consultancy services to VU colleges and departments to assist with solution and technology assessment and selection.

Maintains a master disaster recovery plan aligned with the University’s business continuity plan.

Seeks approvals from the business owner to make appropriate changes to the technical environment where applicable.

Reviews security controls at least once every 12 months. Works closely with the supplier of the product when upgrades are undertaken.
Business Owner The business owner governs any changes to software applications to determine the impact to University operations.

The business owner is responsible for approving the timing and installation of changes to production applications and notify affected users.

The business owner notifies affected users when a system/application is retired or significant changes are being proposed.

Part B - Procedures

(8) The University’s preferred position is to adopt cloud-based services for all new solutions or during the revision or renewal of existing systems and services provided the investment is fit for purpose, secure and cost-effective.

(9) All business and research applications and systems must be selected, managed and utilised in a manner that achieves the objectives of the University and in line with University policies and procedures.

(10) The University does not support unnecessary propagation and duplication of multiple systems performing similar functions.

(11) Prior to acquiring new solutions, existing internal and external options will be explored to ensure effort is not duplicated.

Application Selection and Approvals

(12) The selection of a new business application must conform to the University’s Purchasing Policy, Contracts Policy and to relevant Operational Health and Safety policies.

(13) Any new Software Application must meet certain requirements:

  1. Functional and technical requirements of the University.
  2. A market comparison assessment must be undertaken to compare similar products.
  3. The application should not duplicate or have significant similarities with existing systems used by the University.
  4. A detailed business case must be developed to ascertain the total cost of ownership over five years including implementation costs.
  5. Where a commercially developed solution is not available in the market and business processes cannot be re-engineered, an internal software development project will be established for funding prioritisation.
  6. Where applicable, a commercially developed solution must be reviewed.
  7. A review will be undertaken by Production Support before a final decision is made.

(14) During the application assessment process, consultation with Digital and Campus Services, Procurement, Records and Archives Services, Legal Services and Web services team must be undertaken.

(15) Proposed solution and technology selections will be fit-for-purpose, deliverable, value for money and aligned to business priorities, strategy and architectural direction.

(16) Cloud service providers selected for the delivery of enterprise critical services must undergo a full risk assessment and ensure the provider can meet VU service requirements.

(17) All commercial and organisational risks must be addressed, outlining any compliance, contractual and reputational impacts to the University.

(18) Selected cloud service providers must be recognised, respected providers who have well-established security management processes and undergo regular auditing.

(19) Appropriate contractual arrangements and technical controls will be implemented to ensure vendors comply with legislatures, statutory authorities and regulations.

(20) Approval by the business owner supported by an Executive Director or Deputy Vice-Chancellor is required before contracts can be signed.

Integration and Functionality

(21) New business applications are required to follow VU approved integration methods and standards and the University’s identification standards and authorisation standards as appropriate.

(22) New business applications will provide functionality or be developed to be accessible from anywhere and any device to encourage workplace flexibility and in line with the University’s transformation principles.

Support and Service Level

(23) A support model for all business applications must be in place and provide a high level of availability to meet business needs.

(24) A disaster recovery and business continuity plan should be in place and tested to ensure the continuity of business processes in the event of application failure.

Tier Classification

(25) Business applications will be classified according to the degree of importance to University operations. This classification will inform but is not limited to the amount of resources applied to maintain the application.

(26) The table below defines the tier classification scheme:

Classification Criteria
Tier 1: Enterprise Critical Business application used widely within the University to provide a major business service/capability or supports University core business operations and has the potential to cause reputational or financial damage.
Tier 2: Business Critical Business application used by more than one College, Department or Centre to support significant business processes that are critical to one or more business services.
Tier 3: Departmental Business application used exclusively by a single College, department or Centre to support other business processes with limited impact on University operations in the event of an outage.

(27) DCS will maintain an inventory of business applications assigned to tiers according to the tier classification scheme. Architectural model diagrams and inventories are to be updated when business applications are proposed, in production and retired.

(28) Changes to tier classifications require approval from DCS and is subject to an evaluation to confirm the application meets the required criteria.

(29) A business application may still be allocated to a Tier level if it does not meet the criteria. Justifications include value to the University, strategic importance, reputational risk and external compliance.

Maintenance and Change Control

(30) Changes to business systems and applications will only be made in response to business needs and must adhere to the technology change management framework.

(31) Scheduled downtime to business applications must not interfere with critical University operations.

(32) Cloud service providers must ensure change control processes are in place and that these align with VU’s technology change management practices.

(33) A notice of scheduled maintenance to cloud managed services will be made available to VU through the supplier.

Business Application Review

(34) All business applications should be reviewed at least once every five years to ensure the application continues to support University compliance and business needs and does not present any risks that may impact operations.

(35) Business applications deemed unsuitable will undergo appropriate assessment before a new solution is purchased.

Application and System Retirement

(36) Business applications and systems that are no longer required, deliver little or no business value or do not align to VU’s strategic vision or objectives will be decommissioned where applicable.

(37) A business application or system no longer in use or no longer required should be archived and removed from the University environment.

(38) A business application that is approaching “end of life” will need to be retired with a transition plan to either develop or select a new application in line with this Procedure.