Applications Attachment 3


  • 8/14/2019 Applications Attachment 3

    1/373

    Attachment 3 - Services - Applications

    Table of Contents

    1 Overview
    2 Definitions and acronyms
    2.1 Definitions
    2.2 Acronyms
    3 Service Requirements
    3.1 Included Services
    3.2 Anticipated Applications Maintenance, Support and Enhancement Growth Volumes during the Term
    3.3 Excluded Services and Applications
    4 Support Services
    4.1 Planning and Analysis
    4.2 Project Management principles
    4.3 Construction/Development
    4.4 Integration and Testing
    4.5 Implementation and Migration
    4.6 Emergency Services
    4.7 Application Warranty
    4.8 Continuous Process Improvement
    4.9 Level 2 Service Desk Problem Management Rectification and Resolution
    4.10 Level 3 Service Desk
    4.11 Root Cause Analysis
    4.12 Training
    4.13 Monitoring and Reporting
    4.14 Local Implementation/Deployment
    4.15 Managed Asset Management
    4.16 Configuration Management/Change Control
    4.17 Documentation
    4.18 Security Management and Administration
    4.19 Business Continuity (BC)
    Pass-through Services and Management
    Project Initiation
    Event Response Services
    Risk Management
    5 Roles and Responsibilities
    Application Maintenance, Support and Enhancement Roles and Responsibilities
    Information Security Roles and Responsibilities
    6 Service Level Requirements
    6.1 SLR and Abatement Commencement
    6.2 Service Level Requirement Classifications
    6.3 SLR Details


    1 Overview

    This attachment defines and describes the Customer's requirements for Services in relation to the

    System. The Contractor must provide all of the Services relating to applications maintenance,

    support and enhancement (which include those Services described as support Services) specified below.

    Where any part of a particular Service is not included or no detail is provided on such part of the

    Service, the Contractor is wholly responsible for the provision of that part of the Service.

    This attachment consists of the following sections:

    a) Defined Terms. This includes a table of acronyms.

    b) Service Requirements. This is a statement of the Customer's Service requirements.

    c) Support Services. This describes the Services that will underpin and support the fulfilment

    of the Customer's Service requirements.

    d) Roles and Responsibilities. This provides further detail as to the Customer's Service

    requirements and details the parties' roles and responsibilities for Service provision on a

    daily basis.

    e) Service Level Requirements (SLRs). These are the standards to which the Contractor will

    be required to provide the Services, and the principal means by which the parties will

    monitor and manage the Services.


    2 Definitions and acronyms

    2.1 Definitions

    In addition to the terms defined in the Contract, the following terms are defined below.

    Common Term Definition

    AVAILABILITY The percentage of time that a given Service or the System is fully operational and available when its resources are called upon at a random

    point in time. Availability represents a measure of the fraction of time

    (expressed as a percentage) during a defined period when the System or

    the provided Service is deemed to be equal to or better than a minimum

    availability threshold, specified as an MASL in the applicable Service

    Levels.

    Availability (%) = 100% - Unavailability (%)

    Where Unavailability is defined as:

    Unavailability (%) = (Outage Duration x 100%) / (Schedule Time - Pre-planned Downtime)

    Schedule Time = obligatory time for operation of Service or System; and

    Downtime = downtime during Schedule Time.

    BATCH PROCESSING The processing of non-online applications according to agreed completion dates and times.

    BUSINESS CONTINUITY

    (BC)

    How each work unit will function if the facilities in which it operates are

    lost due to fire, explosion or other disruption. This includes the

    responsibilities of personnel to ensure clear and concise communication

    lines are established immediately when an incident impacts on a business

    unit's ability to function and directions for the reporting of Problems to the relevant authorities both initially and after the Problem has been

    Resolved.

    BASE OPERATING

    ENVIRONMENT (BOE)

    The Customer's base operating environment including all associated user

    and technical Documentation, Updates and New Releases. The BOE

    includes Microsoft Windows XP and associated drivers. It excludes the

    purchase, licensing and/or creation of standard operating environment

    (SOE) and Specialist Software.

    CALL A call is counted for each unique Problem involving a separate individual event that results in opening a Ticket. Calls regarding open Problems,

    calls received at the Service Desk that enter the queue and that are

    terminated (e.g. user hang up) prior to response, and status calls

    regarding open items do not result in opening a Ticket and so are not

    counted. For Problems where multiple calls are related to a single point

    of failure (that is, calls related to a server Outage), such calls will be

    considered as a single call; will not result in opening a separate Ticket;

    and will not be aggregated or counted as individual calls for measuring

    call volume statistics.

    CONTRACT MANAGER The person appointed by the Customer to manage the Contract in accordance with Attachment 7.

    DISASTER An unplanned event that will or is likely to render a key component of the System and/or applications unavailable for use by the Customer for a

    period of greater than 12 consecutive hours (or less than 12 hours at the

    Customer's discretion) and the Contractor has not confirmed that

    recovery of the System and/or applications will be achieved within the

    maximum allowable downtime specified in the BC SLR.

    Alternatively, the Customer may at its sole discretion declare a disaster.


    DISASTER RECOVERY Ensuring that all parts of the System, including but not limited to, applications, interfaces and network connections are re-established after a

    Disaster.

    EVENTS Events are situations that generally require immediate increased levels of

    resources, response and Problem Rectification and Resolution to be able to deal with the situation at the time. Some Events are unpredictable and

    occur without warning, and some are predictable and can be managed

    and planned. They include, but are not limited to:

    - Special events: festivals, sporting events, fetes etc

    - Emergency situations: bush fires, floods, storm damage, accidents etc

    - Operational events: taskforce formation, civil marches, public disturbances, crime sites etc

    The Sites requiring Services of this nature include, but are not limited to,

    the State Emergency Response Centre (SERC), Mobile Response

    Units, the Crimes Unit, Covert Operations, Counter Terrorist Areas,

    Special Operations, all Regional Operational Policing areas and any special task force which may be set up for a short time period.

    Events are independent; therefore there is a possibility that multiple,

    simultaneous Events may be declared by the Customer. Events, however,

    are NOT Disasters and therefore do not warrant the implementation of a

    Disaster Recovery plan.

    IMAC (INSTALLATIONS,

    MOVES, ADDS AND

    CHANGES)

    Activities performed as pre-scheduled events to install (this means from

    the Customer request until the Customer user is able to begin or continue

    normal use), remove, relocate, Update, modify or otherwise reconfigure

    the System and/or telecommunications infrastructure components and

    applications that are covered by the Services, including but not limited to

    activation of data points. IMACs are included in the Services and will be

    performed at no additional charge to the Customer. One IMAC is counted for each unique action that occurs during normal business hours and can

    normally be completed within four full-time equivalent (FTE) work

    hours. In the event that IMAC-related work must be performed outside of

    normal work hours on a Business Day, due to operating/scheduling

    constraints, the parties shall mutually agree on how these IMACs will be

    handled. Repeat visits to correct Problems that arise or result from

    implementing IMACs shall be considered Problems, and will not be

    included under the IMAC count. If multiple Updates or reconfigurations

    are scheduled for a single piece of equipment, only one IMAC will be

    counted, unless the time required is significantly greater than four hours

    to complete the work.

    LEVEL 1 SERVICE DESK The Service Desk which interfaces with users of the System or Services and, where appropriate, a Level 2 Service Desk, with regard to the logging of Calls and the Rectification and Resolution of Problems.

    LEVEL 2 SERVICE DESK The Service Desk to be provided by the Contractor as per this Attachment, which will liaise with the Level 1 Service Desk (and where

    necessary any Level 3 Service Desk) in the process of Rectifying and

    Resolving Problems associated with the Services or the System.

    LEVEL 3 SERVICE DESK The Service Desk which Rectifies and Resolves Defects or manages the Rectification and Resolution of Defects in applications that cause

    Problems that cannot be Rectified and/or Resolved by the Level 2 Service

    Desk.


    MANAGED ASSET Includes Software, applications, hardware, Documentation, facilities, intellectual property and all associated peripherals to be managed by the

    Contractor and recorded as part of the Managed Asset register. Managed

    Asset includes leased assets.

    MEASUREMENT INTERVAL (A.K.A MEASUREMENT

    PERIOD)

    Any specified period within which the metrics shall be measured and reported on for determining the Contractor's performance to the SLRs.

    This takes into consideration the impact of continuous outage. For

    example, a 28 day month measurement interval for a 99 percent

    Minimum Acceptable Service Level for a 24x7 System would allow 6.7

    hours of a continuous outage, with no other outages during the month. A

    weekly interval would only allow 1.6 hours of a continuous outage.

    MINIMUM ACCEPTABLE

    SERVICE LEVEL (MASL)

    The lowest level of acceptable Service performance before service credits

    apply for non-performance during a defined period.

    OUTAGE An event where the Service or a defined component of the System becomes unavailable, excluding scheduled or planned downtime. Each

    Outage will be counted incrementally, regardless of whether the same

    Problem occurs several times over a Measurement Period. If multiple

    users experience the same Problem simultaneously on a single occasion

    then this will be counted as only one Outage.

    PROBLEM A single event in relation to the System or a Service requiring a Contractor response, typically identified by a user making a Call, the

    Contractor, a third party or any automated warning system. The Customer

    will determine the Severity Level of each reported Problem. Repeat visits

    to correct Problems that arise from previously implemented IMACs are

    considered Problems, not IMACs, and will not be added to the IMAC

    count. The Contractor will provide the Customer with an escalation

    procedure (to be approved by the Customer) for Rectification and

    Resolution of reported Problems.

    PROCEDURES MANUAL A manual describing how the Contractor will perform and deliver the Services, including the provision of Documentation (e.g., processes,

    specifications) that provide further details of such activities. This must be

    suitable for use by the Customer, such that the Customer can fully

    understand, operate and exploit the System and the Services. The

    Procedures Manual must include detailed descriptions of:

    - How the Contractor will provide the Services;

    - How the Contractor and the Customer will interact;

    - Communication protocols between account management and technical personnel;

    - Quality assurance procedures;

    - The Contractor's interaction with the Customer's other IT service providers, third party vendors and internal support areas;

    - Change management procedures;

    - Procedures for initiating requests for Service and project work;

    - Maintenance windows;

    - Problem management and escalation procedures; and

    - Other standards and procedures pertinent to the Customer's interaction with Contractor in obtaining the Services.


    PROJECT ESTIMATION

    METHODS AND TOOLS

    A set of disciplines and techniques that allow an IT professional to

    quantify labour and materials to determine schedule and cost, which is

    adjusted for risk. Project estimation tools provide a series of questions

    that allow the professional to input values to a system. The system

    provides a common frame of reference for the Contractor and the Customer to understand how costs and schedules were derived.

    RECTIFY / RECTIFICATION Rectification occurs when the functionality of the System or every application is available to the end user of the System or application such

    that business operations can occur with minimal interruption or

    impediment. Implementing a satisfactory Workaround is rectification.

    Rectification can be achieved even though the root cause of a Problem

    has not been Resolved. In some cases, Rectification can only be

    achieved by Resolution of the Problem. Rectification is not achieved

    until the Customer is satisfied that the Problem has been Rectified.

    RELIABILITY The maximum acceptable number of individual Problems including Outages, failures, batch overruns or dropouts during a Measurement

    Interval.

    RESOLVE / RESOLUTION To repair, replace, reconfigure, re-install, re-route, or otherwise provide a

    complete solution to a Problem that returns the System and/or end-user(s)

    to non-degraded full functionality. Resolution requires the root cause of

    a reported Problem to be identified and also requires the correction of

    both the results and the cause of the Problem. A Workstation Problem at

    a virtual office/remote access (VORA) Site is considered resolved by

    the overnight shipment of a repaired or a replacement Workstation that is

    fully operational. Implementing a Workaround is not resolution. Subject

    to the next sentence, resolution is achieved when the Contractor has

    notified the Customer that the part of the System which caused the

    Problem is ready for Acceptance Testing. If the Acceptance Tests are not

    passed, then resolution has not been achieved and the same Problem

    remains unresolved. In this event, the time between the notification that the part of the System which caused the Problem is ready for Acceptance

    Testing and its failure to pass the Acceptance Tests is not counted as time

    during which resolution was not achieved.

    ROOT CAUSE ANALYSIS A Problem analysis process undertaken to identify and quantify the underlying cause(s) of a Problem, and document the necessary corrective

    actions to be taken to prevent recurring Problems/trends which could

    result in Problems. This process is further defined in clause 4.11.

    SERVICE DESK The centralised mechanism in place to respond to Problems and to communicate information regarding the Rectification and Resolution of

    Problems.

    STANDARD OPERATING ENVIRONMENT (SOE)

    The Customer's standard operating environment Software including all

    associated user and technical Documentation, Updates and New

    Releases.


    SEVERITY LEVEL The Customer defined category that identifies the degree of problem importance and associated Contractor response requirements attributed to

    such a problem. Problems are categorised as Severity Level 1 to 3 only,

    with Severity Level 4 being specifically related to user inquiries,

    assistance, information or non-urgent help. Unless otherwise specified by the Customer, the Contractor must accept the Severity Level that is

    assigned to any Problem by the Level 1 Service Desk.

    Severity Level 1: A business critical function is not operational,

    impacting major Customer business processes.

    Severity Level 2: A major function impacting Customer business

    processes is not operational, resulting in disruption to the business.

    Severity Level 3: Part of the System is not operational but is not

    immediately impacting Customer business functions.

    Severity Level 4: User inquiries, assistance, information or non-urgent help.

    SPECIALIST SOFTWARE All of the Software that is not included within the SOE or BOE.

    TICKET A unique logical electronic record that the Contractor will create, update, maintain and archive for each Call. A Ticket is used to record all

    Customer user/Contractor interaction pertaining to a Problem and all

    Contractor-related actions, and corresponding date/time, taken to Rectify

    and Resolve a Problem, from the time it is first reported to the Service

    Desk until Problem Resolution and closure by the Service Desk. Also, it

    is used for application change-control traceability.

    VORA Virtual Office/Remote Access (VORA) pertaining to the Customer's remote users whose offices are either permanently or temporarily located

    outside of Customer premises and who connect to the Customer's

    network via remote access facilities (that is, VPN, Dial-up) using a laptop or desktop PC, and have different service requirements from the

    Customer's IT-managed/staffed business facilities.

    WORKAROUND A process established by or approved by the Customer that the Contractor or the Customer can implement as an alternate method of System or

    process functionality in the event of a Problem. The alternate method

    allows the System or affected process(es) to deliver the Customer an

    acceptable level of business operations continuity until Resolution can be

    implemented.


    WORKSTATION An end-user computing device which comprises the personal computer, laptop computer and notebook computer and other associated peripheral

    devices including:

    a) USB memory repositories.

    b) Printers.

    c) Data point.

    d) DVDs/CD rewrites.

    e) CD jukeboxes.

    f) Monitors.

    g) Scanners.

    h) Plotters.

    i) Speakers.

    j) Cables.

    k) Modems.

    l) Mouse.

    m) Docking Station.

    n) Media Libraries.

    o) PDAs where connected to the LAN,

    and any other devices specified by the Customer.

    2.2 Acronyms

    Acronym Definition

    BC Business Continuity

    BIOS Basic Input/Output System

    BITS Business Information & Technology Services department

    BOE Base Operation Environment (Operating System)

    COTS Commercial Off-The-Shelf

    CPU Computer Processing Unit

    DR Disaster Recovery

    IDS Intrusion Detection System

    IMAC Installations, Moves, Adds and Changes

    IT Information Technology

    LAN Local-Area Network

    LEAP Law Enforcement Assistance Program

    MAC Moves, Adds and Changes

    MASL Minimum Acceptable Service Level

    PDA Personal Digital Assistants

    SLR Service Level Requirement

    SOE Standard Operation Environment (Approved software)

    VPN Virtual Private Network


    3 Service Requirements

    This section describes the Services. The support Services in the following section also

    form part of the Services.

    3.1 Included Services

    3.1.1 Current applications

    The Contractor must fully maintain, support, and enhance all of the Customer's current

    applications such that the Customer can fully exploit the functions and features of the

    System. Current applications are defined as the Customer's applications that are

    currently in a production environment or which are scheduled to be introduced into a

    production environment and as at the Contract Date are listed in Attachment 1 and

    indicated as being "Supported".

    Addition and subtraction of applications will be addressed in accordance with the change control procedures in the Contract.

    3.1.2 General responsibilities

    In performing the Services, the Contractor must:

    a) Comply with the Customer's policies, regulations, and standards as required by

    the Contract.

    b) Conform to changes in laws, regulations and policies stipulated or otherwise

    mandated by applicable Federal, State and Local governments as required by the

    Contract.

    c) Report project progress and overall performance against the applicable Service

    Levels as required by the Contract.

    d) Meet the Service Levels for the Services in accordance with the SLRs.

    e) Perform the Services in accordance with the Procedures Manual as approved by

    the Customer.

    f) Ensure Availability of the System in accordance with the SLRs.

    g) Provide and make appropriate use of the systems or tools (hardware or software)

    that are required to provide the Services. This includes:

    i. The Customer's approved systems for work authorisation, Problem

    Rectification and Resolution and project management processes.

    ii. The Customer's approved systems for software quality assurance,

    configuration management, and document management.

    iii. The Customer's approved tools for software, database and interface,

    design, development and testing.

    iv. The Customer's approved templates, processes, personal tools for

    communication (email, phone, pager, etc.) and general functions (PC for

    word processing, spreadsheets, etc.).


    h) Provide the Customer with Personnel resources with the required skills and

    competencies to provide the Services at the specified Service Levels. This

    includes any technical and non-technical training or induction for initially

    assigned Personnel, replacement Personnel, or added Personnel.

    i) Provide or facilitate agreed technical and non-technical training, or induction

    transition activities for the Contractor's Personnel from the Customer's personnel,

    or provide required knowledge transfer from the Customer's personnel to the

    Contractor's Personnel or from the Contractor's Personnel to the Customer's

    personnel.

    j) Coordinate with the Customer and third parties who provide IT services to the

    Customer (as required by the Customer) prior to any desired or required changes

    to the application(s) and application platform(s) being supported by the

    Contractor that may affect the operating performance and/or service level

    performance of any IT service environments that may be retained by the

    Customer or provided by third parties.

    k) Specify, implement, and consistently employ across all projects an industry-recognised

    standard effort estimation model and methodology for the purposes of

    estimating application maintenance, support and enhancement efforts, which

    delivers consistently reliable and accurate effort estimation forecasts and is

    appropriate to the application(s) being maintained/supported/developed. As a

    minimum, the Contractor must use function points as an estimation tool.

    l) Provide the Customer with an agreed level of personnel resources with the

    required skills and competencies to provide accurate and timely input to BC

    activities including contingency planning meetings for such events and

    completing any action items resulting from these activities required to be

    provided or facilitated by the Contractor in order to meet the Service Levels.

    m) Manage and administer backups, recovery and media management related to the

    running of applications. Specifically, the Customer requires access to and

    recovery of all files (including email) for a minimum period of 7 years from the

    creation of such files. The backup and recovery activities include but are not

    limited to working with third parties who provide IT services to the Customer to

    ensure that the backups and recoveries are successful. In addition, the Contractor

    must maintain a current copy of all supported applications. Such copies are to be

    made available to the Customer immediately upon request.

    3.1.3 Application Maintenance

    The Services include application maintenance, which is all activities associated with

    correcting non conforming performance for production application programs and systems

    that result in less than 5 working days of effort. These activities include all life-cycle

    support activities described above.

    Applications maintenance must be provided across all of the Customer's platforms.

    Application maintenance activities require the Contractor to ensure that sufficient skilled

    resources are available on a full time basis to ensure that all maintenance activities are

    completed in a timely manner.

    Without limiting the scope of the Contractor's obligations, the Contractor must:


    3.1.3.1 Correcting non conforming performance

    Repair all applications which are in production, to ensure that they function in

    accordance with the Service Levels. Full repair/recovery of the application(s) is to be

    completed unless otherwise approved by the Customer (in writing) and is to cover all

    files/deliverables, including:

    a) Databases.

    b) Printed reports.

    c) Microfiche.

    d) Interface files.

    e) Web pages.

    3.1.3.2 Preventive Maintenance

    Provide preventative maintenance for all applications in production such that no events

    occur, which if not addressed proactively, could impact applications in production. Such events include:

    a) Changing business volumes.

    b) Certified vendor patches or bug fixes provided from the vendor for the

    Customer's approved and licensed application software.

    c) Special testing for events, such as:

    - Public holidays.

    - End of financial year.

    - End of calendar year.

    - Leap years.

    - Daylight savings.

    3.1.3.3 Adaptive Maintenance

    Ensure that application performance is not affected by changes to interfacing

    applications, new applications or packages and technical environment changes, which if

    not addressed proactively, could impact applications in production. Such events include:

    a) Updates of operating software.

    b) New/changed equipment.

    c) Interface changes.

    3.1.3.4 Perfective Maintenance

    Ensure that applications operate at peak efficiency with particular focus on areas such

    as:

    a) System CPU hours.

    b) Storage space.

    c) Response time.


    d) Database performance tuning.

    3.1.3.5 Release Packaging

    Package all software changes into suitable releases for approved application as

    approved by the Customer. This includes all activities associated with providing

    software version control, both electronic and manual. All releases must conform to the Customer's approved risk mitigation strategy. The Contractor must develop an ongoing

    process for the implementation of a 12-month rolling application release timetable (with

    associated variation mechanism). The ongoing process and the initial 12-month rolling

    timetable for each application are to be approved by the nominated Customer

    representative.

    3.1.4 Technical and End-User Support

    The Services include technical and end-user support, which is all necessary expert

    technical assistance that is required for the tuning of approved applications and utilities

    for optimal System performance. This includes expert Level 2 Service Desk and Level 3 Service Desk technical assistance for the Customer's end-users and the Customer's, or

    third party's, IT professionals.

    3.1.5 Application Enhancement

    The Services include application enhancement, which is all life-cycle activities, across

    all of the Customer's platforms, associated with:

    a) Approved "Minor Enhancements" being enhancements requiring greater than

    or equal to 5 days work effort, and less than 25 days work effort; and

    b) Approved "Major Enhancements" being enhancements requiring greater than

    or equal to 25 days work effort, and less than 60 days work effort.

    Application enhancement includes:

    a) Minor Enhancements or Major Enhancements to existing applications;

    b) The creation of new applications where the time required to completion is

    within the bounds of Minor Enhancements or Major Enhancements; and

    c) Integration, testing, implementation, and migration support of any applications

    developed or modified by a third party, where the work effort involved is

    within the bounds of Minor Enhancements or Major Enhancements.

    Application enhancement activities are discrete units of non-recurring work to design, develop, build, test and/or implement, install or deploy a solution or deliverable, that do

    not otherwise form part of the Services. Typically they require the Customer to undergo

    more rigorous approval processes, project management and reporting than maintenance

    or support activities.

    The Contractor must not undertake any application enhancement activities unless the

    Customer has approved a "Change Request" in accordance with the Contract.

    All anticipated work effort beyond 60 days will be regarded as a "Development

    Project". The Contractor may, or may not be requested to bid for any Development

    Project. The Contractor will be required to participate in all activities associated with

    "Project Initiation", at no additional cost to the Customer.

    Without limiting the scope of the Contractor's obligations, throughout the Term, the

    Contractor must:

    3.1.5.1 Requirements Definition

    Perform requirements definition, which is all activities associated with the assessment

    of the Customer's users' requirements which are needed to determine detailed application designs. This includes:

    a) Conducting interviews, group workshops and surveys.

    b) Meeting the Customer's requirements groups and contract management

    representatives.

    c) Developing functional requirements documents, logical and physical data

    models, etc.

    d) Undertaking impact analysis to determine BC requirements and the extent of

    the impact of the proposed changes, including possible impact to interfacing

    systems.

    e) Undertaking an "Information System Threat and Risk Assessment", so that

    specific security requirements can be documented.

    All Documentation produced in the course of these activities is the Customer's property.

    3.1.5.2 Design Specifications

    Produce application design specifications that meet the Customer's applications

    technical architectural standard(s), and identify and describe the most cost-effective

    solution to the implementation option under consideration. These activities include:

    a) Creating Documentation that specifies all components (including security controls), program modules, data stores, interfaces, interface components and

    associated operations procedures for the Customer's technical environment.

    b) Obtaining the Customer's oversight and approval through co-ordination with

    the appropriate architectural or technical oversight authority and authorised

    Development Project governance representatives.

    3.1.5.3 Test and Development and Training Environment

    Establish a test, development and training environment to fully support the Customer's

    current and future application requirements.

    Without limiting the scope of the Contractor's obligations, the Contractor must:

    a) Obtain and/or provide the necessary application development tools, testing

    tools, change and configuration management tools, project management and

    reporting tools, and other software (the Test, Development and Training

    Environment Components) required to establish and support the Application

    Product(s) development and testing environment at agreed Customer Sites.

    b) Advise the Customer of appropriate sized hardware requirements, as well as

    appropriate license quantities, types and revision levels of application

    development, testing and runtime environment software not already owned by

    the Customer and available for use.

    c) In the event that any components are non-generic or are otherwise proprietary,

    restricted and/or unique to the Customer's development environment, comply

    with any method for the acquisition and disposition of such components that

    the Customer determines to be equitable.

    The Contractor is not required to maintain or support the infrastructure of the Test, Development and Training Environment where the Provider of IT services in relation to

    the Desktop Tower, or Mainframe Tower (whichever is applicable) is responsible for

    maintaining and supporting such infrastructure. In the event that any component of the

    Test, Development and Training Environment (including hardware or infrastructure) is

    not so supported by another Provider, then the Contractor is required to maintain and

    support this component.

    The Contractor is required to maintain or support all infrastructure for the Test and

    Development environment located in its facilities.

    3.2 Anticipated Applications Maintenance, Support and Enhancement Growth

    Volumes during the Term

    The Contractor must ensure that the Services provided are adequate to meet the

    Customer's requirements and the SLRs at all times throughout the Term.

    3.3 Excluded Services and Applications

    The following services are excluded:

    a) COTS licence support and maintenance procurement.

    b) Support and maintenance of all applications that the Customer has not

    approved.

    c) Support and maintenance of all applications not in production as at the Service

    Commencement Date or not included as part of the change control process.

    d) Specialist application support and maintenance arrangements for Fleetsmart

    and BEAMS. The Customer will continue to support these applications via its

    existing relationships with third party vendors, however, these may be included

    in the future.

    e) Services in respect of applications listed in Attachment 1 that are not listed as

    "Supported". For the avoidance of doubt, this does not exclude Services in respect of the interfaces between Not-Supported and Supported (Third Party)

    applications and Supported Applications (as those terms are defined in

    Attachment 1); only Services in respect of the applications themselves.

    4 Support Services

    The Contractor must provide the Customer with all support Services (which form part

    of the Services) and which are all life cycle activities associated with the provision of

    the Services by the Contractor. All support Services are to be provided at no additional cost to the Customer. The

    support Services include the following activities:

    4.1 Planning and Analysis

    Researching new application development trends, products, and services that offer

    opportunities to improve the efficiency and effectiveness of the application

    environment, as well as for meeting business requirements and delivering new or

    improved benefits to government and the broader community.

    The Contractor must present such research to the Customer's CIO or the nominated

    Customer representative(s) in an agreed, relevant and understandable format.

    Such activities include but are not limited to:

    a) Investigating and documenting new products and services, such as hardware

    components, system software and transmission facilities.

    b) Assessing process re-engineering methodologies.

    c) Performing operational planning for capacity and performance impact of

    researched technologies.

    d) Conducting feasibility studies approved by the Customer's CIO or the Customer's

    nominated representative for the implementation of new technologies.

    e) Performing project estimation using commercial Project Estimation Methods and

    Tools that can size applications in function points and can categorise applications

    as easy, medium or difficult to facilitate function point pricing.

    f) Participating in annual technical and business planning sessions with the

    Customer to establish standards, architecture and project initiatives.

    g) Conducting quarterly technical reviews and workshops for the Customer on

    trends and best practices.

    h) Participating in the Customer's business continuance planning process.

    4.2 Project Management principles

    All activities required to establish reasonable plans for performing the required

    Software development and for managing enhancements and potential "Development

    Projects". This includes the establishment of visibility into actual progress so that

    management can take effective actions when enhancement activities or Development

    Project performance deviates from the project plans.

    4.2.1 Enhancement activities

    Support Services in relation to application enhancement include:

    a) Providing, maintaining and updating a comprehensive project plan, identifying all

    critical path dependencies, staffing resources, major milestones and project

    deliverables.

    b) Providing weekly status reviews and progress reports.

    c) Creating a Personnel plan identifying the Contractor's Personnel assigned to the work.

    d) Assigning Personnel who have experience and expertise in the appropriate

    application domain and software development to such work.

    e) Assigning a project manager to actively manage the performance of the work and

    to be responsible for acquiring commitments and developing the project plan for

    that project.

    f) Sufficiently training project team Personnel to ensure that they perform all

    necessary roles and assume all necessary responsibilities.

    g) Implementing all tools and processes required to support the provision of the Services. Such tools and processes include:

    i. Project management reporting.

    ii. Design, coding and testing.

    iii. Configuration management.

    iv. Quality assurance.

    h) Creating a "Statement of Work" for each discrete task which includes:

    i. A defined scope of work.

    ii. Technical goals and objectives.

    iii. Identification of customers and end users.

    iv. Standards.

    v. Assigned responsibilities.

    vi. Cost and schedule constraints.

    vii. Dependencies between the project team and other organisations.

    viii. Resource constraints and goals.

    ix. Planning assumptions.

    x. The parties' responsibilities.

    i) Creating a "Risk Assessment Plan" (RAP) for each discrete task which

    identifies the risks associated with the cost, resource, schedule, and technical

    aspects of the project. The risks must be analysed and prioritised based on their

    potential impact to the project and the RAP must specify contingencies and

    mitigation strategies for the risks that are identified.

    j) Implementing a Customer approved program change control process that

    identifies, evaluates and assesses any change that impacts the work (cost, timing,

    risk).

    4.2.1.1 Activities

    Reviewing the progress and management of each discrete task with the Customer's

    senior management (Program and Customer) or nominated representative on a regular

    basis as specified by the Customer or otherwise weekly. This includes reviewing and

    reporting to the Customer on the following criteria:

    a) Completions and progress towards completion of milestones, compared to the

    project plan.

    b) Funds expended, compared to the project plan.

    c) Latest forecast of schedule and expenditures (to end of program).

    d) Changes to approved or previously assigned resources.

    e) Changes to project plan estimates or assumptions.

    f) Conflicts and issues that are not resolvable at lower levels.

    g) Software project risks.

    h) Action items, all of which must be assigned, reviewed, and tracked to closure.

    The Contractor must prepare summary reports from each meeting and distribute such

    reports to the affected groups and individuals.

    4.2.2 Development Projects

    The same requirements as listed in Section 4.2.1 apply to development projects. The

    Contractor must complete these requirements in such detail as the Customer requires.

    The detail required in relation to a development project will be significantly greater

    than that required for an enhancement task.

    4.3 Construction/Development

    All activities associated with the construction and/or development of application

    modules. The Contractor must use the information from previous phases as critical

    input when constructing and/or developing every application module. The Contractor

    can construct an application module by in-house custom development, customising

    commercial off-the-shelf (COTS) products or implementing COTS packages.

    4.4 Integration and Testing

    All activities necessary to ensure that all individual program components that are

    configured with, or added to, the support applications environment work together properly and perform all of the intended functions. This includes application interfaces

    to other support applications in production. Such activities include:

    a) Performing all appropriate life-cycle integration and development tests (e.g., unit

    testing, socialisation, end-to-end testing, stress testing, regression testing, etc.).

    b) Selective random independent testing, where the random selection includes some

    complex modules (i.e. independent verification and validation testing).

    c) User acceptance and quality assurance testing.

    d) Maintaining test data.

    e) Staging systems before implementation.

    f) Performing modifications and performance enhancement adjustments to the

    Customer's System and Software and utilities as a result of changes to

    architectural standards.

    g) Managing the integration lab facility.

    4.5 Implementation and Migration

    All activities associated with the installation and migration of new and upgraded

    components to the Customer's production environment. Such activities include:

    a) Installing new or enhanced functions or features.

    b) Installing, or assisting third parties with the installation of new or enhanced

    configuration and system management tools to operate within the support

    application environment.

    c) Performing data migration from existing systems to new systems, by either

    electronic or manual methods.

    d) Delivering all necessary system code and Documentation and user

    Documentation.

    e) Conducting pre-installation Site surveys.

    f) Supporting test to production turnover implementation.

    g) Distributing Software to Workstations and installing Software.

    h) Conducting tests of documented BC procedures including all activities necessary

    for backup and restoration of data and applications.

    4.6 Emergency Services

    All activities necessary to provide application enhancements and maintenance, as

    specified above, to support the Customer's user requirements under emergency

    conditions while maintaining the Service Levels. Emergency events may increase work

    volumes substantially within a short period of time and may persist for a specified or an

    indeterminate duration. The Contractor must provide a structured process for

    supporting, managing, monitoring and reporting actions related to unanticipated

    changes in operational requirements.

    4.7 Application Warranty

    All activities associated with repairing Defects in Contractor developed production application programs and systems, where such Defects are discovered within 180 days

    of the application being placed into a production environment. This includes all

    life-cycle support activities described in Section 3.1 above, as well as any activities

    necessary to repair Defects to enable applications to perform in accordance with the

    documented specifications and operational functionality.

    Application warranty services shall be provided at no additional charge to the

    Customer, even where such activities amount to minor enhancements. Full correction of

    the application(s) Defect is to be completed unless otherwise approved by the

    Customer, and the corrected code shall be fully tested to ensure that no regression errors

    are introduced. This shall include updating all Documentation and related files/deliverables, such as:

    a) Databases.

    b) Printed reports.

    c) Technical manuals.

    d) Interface files.

    e) Web pages.

    4.8 Continuous Process Improvement

    Establishing, implementing, managing and maintaining a set of processes and

    procedures with which the Contractor must continually monitor and analyse its service

    delivery methods and procedures. Such processes and procedures must be industry

    recognised best practice and must ensure that the Contractor identifies all weaknesses

    and opportunities for improvement in its Service delivery methods and procedures. The

    Contractor must systematically implement those improvements.

    The Contractor must provide quarterly reports on its continuous process improvement activities and provide the Customer with the opportunity to have input into the process.

    The Contractor must extend the benefits of these continuous process improvements to

    the Customer through appropriate means such as cost containment or fee reduction, or

    improvements to service delivery levels, increased productivity and the reduction in

    defects.

    4.9 Level 2 Service Desk Problem Management Rectification and Resolution

    4.9.1 Level 2 Service Desk

    All activities associated with the provision and operation of a Level 2 Service Desk.

    A Provider will provide the Level 1 Service Desk to the Customer. This Level 1 Service

    Desk will assign and escalate all Problems related to the System or Services to the

    Contractor.

    As part of the provision and operation of a Level 2 Service Desk, the Contractor must:

    a) Provide Level 2 Service Desk support for the System and all of the Services

    (including onsite support for Problem Rectification and Resolution).

    b) Manage and resolve all Problems (including assignment and escalation to third

    parties or the Level 3 Service Desk (if applicable) and provide management,

    monitoring and feedback of such Problem Rectification and Resolution activities

    to the Level 1 Service Desk).

    c) Provide progress feedback to the Level 1 Service Desk during the Rectification

    and Resolution process as per the SLRs.

    The Level 1 Service Desk will monitor all Problems through to Resolution and will

    provide feedback to the affected user(s).

    4.9.2 Level 2 Problem Management

    As part of the operation of the Level 2 Service Desk, the Contractor must implement

    and maintain Problem management policies and procedures that significantly decrease

    the number of Problems which occur by Resolving any Defects within the application(s) in the System. The Contractor's policies and procedures must address,

    and the Contractor must report on, all aspects of its policies and the specific

    implementation of those policies with respect to:

    a) Problem control.

    b) Error control.

    c) Proactive prevention of Problems.

    d) Identifying Problem trends.

    e) Contingency planning and Disaster Recovery.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must:

    a) Package and release Updates for all Problems in accordance with approved

    change management and configuration management procedures. These include

    New Releases necessary for the Rectification and Resolution of Problems,

    including Software application configuration and operation errors that have been

    escalated by the Customer's Personnel or users (whether through the Service Desk or otherwise).

    b) Provide a single point of contact for receiving, logging, and tracking all Problems

    escalated to the Contractor's Level 2 Service Desk.

    c) Troubleshoot all reported Problems to determine the probable cause of the

    reported Problem.

    d) Recommend and implement Rectification of each Problem until a permanent

    Resolution can be implemented.

    e) Track all Problems to Resolution to ensure that all necessary corrective action is

    provided through to Resolution.

    f) Escalate unknown errors and identified Problem trends in accordance with the

    policies and procedures developed for Problem management.

    g) Provide progress reports to the Customer throughout the Problem Rectification

    and Resolution process, via the Service Desk.

    h) Ensure that key application support personnel are able to be reached during off-

    shift hours via pagers or cell phones.

    4.9.3 Level 2 Problem Monitoring and Reporting

    As part of the operation of the Level 2 Service Desk, the Contractor must also provide a reporting capability which identifies the following metrics for a specified (ad hoc) time

    period or as otherwise required by the Customer:

    a) Number of open Tickets.

    b) Average age (in hours) of open Tickets until Rectification and Resolution.

    c) Percentage of Tickets resolved during the first call.

    d) Average time to Rectification and Resolution (in hours) for closed Tickets.

    e) Total hours of Contractor resource time expended for closed Tickets.

    f) Hours of downtime by application.

    g) Number of repeat Calls about the same application. A repeat call is one that is

    made after an attempt has been made to Rectify and/or Resolve a Problem.

    4.10 Level 3 Service Desk

    All activities associated with the provision and operation of a Level 3 Service Desk.

    As part of the provision and operation of a Level 3 Service Desk, the Contractor must

    support all applications and Services that it directly manages and supports. The Level 3

    Service Desk is responsible for all support provided by any third party in relation to an

    application that is in (or scheduled to be in) the Customer's production environment.

    The Contractor must work closely with any third party that is providing management

    and support for such an application.

    As part of the operation of the Level 3 Service Desk, the Contractor must also provide a

    reporting capability in relation to the support provided by the Level 3 Service Desk

    which identifies the following metrics for a specified (ad hoc) time period or as

    otherwise required by the Customer:

    a) Number of open Tickets.

    b) Average age (in hours) of open Tickets until Rectification and Resolution.

    c) Percentage of Tickets resolved during the first call.

    d) Average time to Rectification and Resolution (in hours) for closed Tickets.

    e) Total hours of Contractor resource time expended for closed Tickets.

    f) Hours of downtime by application.

    g) Number of repeat Calls about the same application. A repeat call is one that is

    made after an attempt has been made to Rectify and/or Resolve a Problem.

    4.11 Root Cause Analysis

    All activities associated with the implementation of a process that will cause the

    Contractor to understand and prevent recurring Problems/trends which could result in

    Problems. Without limiting the scope of the support Services or the Contractor's

    obligations, the Contractor must:

    a) Ensure that its Personnel on the Service Desk and any other support Personnel have

    access to the Problem Rectification and Resolution database to view the history of

    previous application Problems and their Rectifications and Resolutions.

    b) Conduct a Root Cause Analysis of all such Problems or failures, including all

    Severity Level 1 and Severity Level 2 Problems, within two days of the Problem

    occurring unless an alternative timeframe is agreed with the Customer.

    c) Assign appropriate resources to identify and remedy such Problems or failures, and

    track and report on any consequences of such Problems or failures.

    d) Provide the Customer with a written report detailing the cause of and procedure for

    correcting such Problems or failures within five days of the Problem occurring.

    Provide updates on a monthly basis until the underlying defect resulting in the

    Problems or failures is corrected. The Customer reserves the right at its own

    discretion to conduct its own review. The results of such reviews must be

    implemented by the Contractor.

    e) Substantiate to the Customer that all reasonable actions have been taken to prevent

    recurrence of such Problem or failure.

    Note: These Services are provided in consultation with the Customer and other

    Providers.

    The Contractor must provide the Customer with access to the raw data used to conduct every Root Cause Analysis. The Customer may, at its own discretion, conduct

    independent reviews and analysis of any Problems, failures or the Contractor's Root

    Cause Analysis recommendations. The Customer's review outcomes must be actioned

    by the Contractor if the Customer requires this to be done.

    4.12 Training

    All activities associated with the improvement of skills for the Contractor's Personnel

    and the Customer's IT technical staff (and business managers, at the Customer's sole

    option) through education and instruction. Additionally, training includes the initial end-

    user training on new and current applications and Services. Training services are provided to the Customer's end users for improving how-to-use skills related to

    systems and applications. Delivery methods that are offered for training include

    classroom style and computer-based instruction.

    In accordance with the Contract, the Contractor must utilise Personnel with appropriate

    skills and knowledge to satisfy all of its Contractual requirements.

    4.13 Monitoring and Reporting

    All activities associated with ongoing health checks, Service Level performance

    reporting, review of error logs, status reporting, and Problem management (ongoing

    surveillance, tracking, escalation, Rectification, Resolution, and tracking of Problems) of application enhancement and support activities. These Problem management

    activities require the Contractor to integrate and coordinate its Level 2 Service Desk

    support Services with the Level 1 Service Desk. All Reports specified in Attachment 6

    (Reports) must be provided when required by that Attachment.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must:

    a) Provide monthly Service Level performance reports.

    b) Provide monthly staffing utilisation reports.

    c) Provide monthly milestone achievement review and performance reports.

    d) Provide an electronic copy of a consolidated list of applications being maintained

    with related information on a monthly basis.

    e) Conduct and complete a function count prior to any release using the most recent

    International Society of Function Point User Group (IFPUG) standards.

    f) Use a Customer approved reporting format and assessment criteria, provide the

    Customer with a consolidated list of development and major enhancement

    projects in progress, including project status, as required by the Customer or, at a

    minimum, on a monthly basis.

    4.14 Local Implementation/Deployment

    All activities associated with providing support for enhancement of the Customer's

    authorised local adaptations of the application development product(s) and providing

    on-site deployment and integration of the applications. The Contractor must provide

    integration teams that will receive direction from the Customer's business-unit liaisons for deployment of the application development product(s). Local

    implementation/deployment activities include all the applicable Services described in

    Section 3 above, which shall be performed in accordance with the Service Levels and

    the parties' defined roles and responsibilities.

    4.15 Managed Asset Management

    All activities associated with input to and the continuous maintenance of the Managed

    Asset register (which is maintained by Provider responsible for the Desktop Tower) for

    all of the Customer's Managed Assets. Managed Assets includes, but is not limited to all

    applications including Specialist Software which are in, or are scheduled to be in, the

    Customer's production environment.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must:

    a) Provide updates to the Managed Asset register database according to defined

    procedures.

    b) Ensure all inputs to the Managed Asset register are accurate and fully up to date.

    c) Track all Managed Assets (by user, location, Managed Asset ID, finances, version

    as appropriate) and ensure third party agreements for services are in force as

    needed to meet SLRs.

    d) Assist the Customer and third parties in auditing the Managed Assets.

    e) Coordinate the termination, disposal of and relocation of Managed Assets as

    needed/specified by the Customer in accordance with the Customer security

    policy (for example, sanitise desktop and server hard disk drives).

    f) Advise the Customer in a timely manner of expiration and renewal requirements

    for Customer owned software licences and third party support agreements. At a

    minimum, such notice is to be given to the Customer three months prior to such

    expiration.

    g) Report on the Managed Asset register inputs on both an ad hoc and a

    defined/structured basis. This includes, but is not limited to, tracking Managed Assets and advising the Customer three months in advance of expiration and

    renewal requirements for Contractor-owned software licences.

    4.16 Configuration Management/Change Control

    All activities necessary to administer and adhere to a standard change management

    process for the Services that aligns and complies with the Customer's policies,

    procedures and standards, as set out in the Procedures Manual approved by the

    Customer. The change management process will include impact analysis, contingencies,

    risk management, planning/implementation, approval, post-change review and back-out

    processes.

    Without limiting the scope of the support Services or the Contractor's obligations, in

    making changes to the Services, the Contractor must:

    a) Eliminate or minimise disruptions to the Customer's users caused by the

    implementation of any change.

    b) Without limiting paragraph a), implement changes according to a mutually-agreed schedule between the parties.

    c) Eliminate or minimise the number of change back-outs caused by ineffective

    change planning or implementation.

    d) Eliminate or minimise the number of Problems caused by change.

    e) Eliminate or minimise the Outages caused by change.

    f) Manage changes to individual components and coordinate changes across all

    components that comprise an end-to-end solution to minimise disruption to the

    Services and the Customer's business.

    g) Document all changes to the Services.

    h) In conjunction with the Customer (and Customer specified third parties), ensure

    that all change management processes facilitate communication, and that tested

    back-out plans exist to provide a high degree of success. The Contractor

    acknowledges that the stability of the production environment is critical to the

    Customer's business. Accordingly, the Contractor must employ all reasonable

    safeguards to ensure continuity of the Customer's business operations when

    changes to the production environment or the Services are initiated or

    implemented.

    i) Plan and communicate scheduled changes in advance in accordance with the

    Customer's business requirements. The Contractor must use the change

    management process to plan, coordinate, monitor and communicate the changes

    that affect the Services.

    4.17 Documentation

    All activities associated with the creation and maintenance of the Documentation

    relating to the System and the Services and the provision of such Documentation to the

    Customer. These activities include maintaining and managing copies of all such

    Documentation in a technical library.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must:

    4.17.1 General

    Develop, revise, maintain, store, retrieve, reproduce and distribute information in hard

    copy and electronic form. The types of documents include:

    a) End-user documentation.

    b) Standard operating procedures (including but not limited to the Procedures

    Manual).

    4.17.2 The Procedures Manual

    a) Ensure that the Procedures Manual is complete and in such a form that the

    Customer can fully understand, operate and exploit the System and the Services.

    b) Periodically, and on at least an annual basis, update the Procedures Manual to

    reflect changes in operations or procedures. Updates of the Procedures Manual will be provided to the Customer for review, comment and approval (not to be

    unreasonably withheld), provided that the Contractor must incorporate the

    reasonable comments or suggestions of the Customer into every revised Procedures

    Manual.

    c) Perform the Services in accordance with the Procedures Manual.

    4.18 Security Management and Administration

    4.18.1 Overview

    This clause defines and describes the Customer's requirements for the provision of security services relating to the System and for the System.

    4.18.2 Current Environment

    The Customer's requirements and the Contractor's obligations for the provision of

    security services relating to the System must be read in conjunction with the detail

    provided in Attachment 1 (Current Environment).

    The Customer creates and manages information that varies in sensitivity from some

    that may be made freely available to the public (classified as PUBLIC DOMAIN) to

    information that, should a breach of confidentiality occur, could lead to serious injury

    or death (classified as HIGHLY PROTECTED).

    The classification scheme currently used by the Customer is that defined in the

    Commonwealth of Australia's Protective Security Manual (2000) for non-national

    security classified information.

    Previous analysis has identified that both the quantity and geographic distribution of

    PROTECTED information across the Customer's network (i.e. the LAN and WAN

    environments) is sufficiently great to require security controls for the general network

    that will ensure appropriate protection for information classified as PROTECTED.

    Workgroups managing HIGHLY PROTECTED information will also require

    additional security controls to ensure appropriate protection for information classified

    at that level.

    The Customer does not currently have access to its security protocol information.

    However, as identified in the document Enterprise Security Strategy - Gap Analysis,

    the Customer recognises that the current solution is not sufficient to fully meet

    Commonwealth Security Standards.

    4.18.3 Security Requirements for the current environment

    The Contractor must do everything associated with the provision, management and

    administration of security of the System as required by the Customer. The Customer's

    requirements for the provision of security services relating to the System are detailed

    below and in section 5 of this Attachment (Roles and Responsibilities). These

    requirements are to be fulfilled as part of the core managed services.

    Without limiting the scope of these Services or the Contractor's obligations, the

    Contractor must:

    a) Do everything necessary for maintaining the security of the System.

    b) Liaise with and provide relevant information to other persons assigned

    responsibility for the security of any part of the Customer's IT environment.

    4.18.4 Security Policies & Procedures

    As a minimum, the Contractor must fully comply with all aspects of the Customer's

    Enterprise Information Security Policy, the following security policies, standards and

    guidelines and all policies, procedures and standards in Attachment 9 in all their

    interactions with the Customer and in the performance and provision of the Services

    (including any security service). Where, in the Customer's Enterprise Information

    Security Policy, compliance to the Commonwealth information security policies and

    standards is currently discretionary, the Contractor must treat those references as

    requiring mandatory compliance.

    The following is an adapted extract from the Customer's Enterprise Information Security Policy with which the Contractor must comply.

    The development and management of all Victoria Police information Systems must

    be fully compliant with the following policies, standards and guidelines (or their

    successors or as amended):

    (i) IT&T-14: Information Security Policy (Victorian Government, May 1999);

    (ii) IT Network and Application Security Best Practice Statements

    (Multimedia Victoria, February 1999);

    (iii) Information Technology Code of Practice for Information Security

    Management [AS/NZS ISO/IEC 17799:2001] (Standards

    Australia/Standards New Zealand);

    (iv) Information Security Management Part 2: Specification for Information

    Security Management Systems [AS/NZS 7799.2:2003] (Standards

    Australia/Standards New Zealand);

    (v) Information Security Risk Management Guidelines [HB 231:2004]

    (Standards Australia); and

    (vi) Guidelines for the Management of IT Security [AS13335 (Set): 2003]

    (Standards Australia).

    However, as the documents listed above are relatively non-prescriptive, the

    information security control measures implemented in relation to the Customer's

    information systems must also be fully compliant with the policies, standards and/or

    guidelines defined in the following (or their successors or as amended):

    (i) Commonwealth Protective Security Manual (2000 edition,

    Attorney-General's Department, Commonwealth of Australia);

    (ii) ACSI 33: The Australian Government Information Technology Security

    Manual: (2004 edition, Defence Signals Directorate [DSD], Department of

    Defence, Commonwealth of Australia);

    (iii) Gateway Certification Guide (Ver. 3 2004 edition, Defence Signals

    Directorate [DSD], Department of Defence, Commonwealth of Australia);

    (iv) Security Equipment Catalogue, Security Construction and Equipment

    Committee (SCEC), Commonwealth of Australia; and

    (v) Key Management Plan Guidance [July 2003] (Information Security Group,

    Defence Signals Directorate).

    4.19 Business Continuity (BC)

    All activities associated with the provision to the Customer of BC support, including

    BC planning and strategy development, strategy implementation, capability testing,

    rehearsals and ongoing management of BC for each component of the System. In

    undertaking such activities, the Contractor must take into account and minimise their

    impact on all other elements of the Customer's IT environment. The Customer will

    retain responsibility for Business Continuity for non-IT resources within each of its

    individual business units. The Contractor must coordinate its BC activities with those of

    third parties who provide similar services to the Customer in relation to other parts of

    the Customer's IT environment and consistently meet or exceed the BC SLRs.

    Without limiting the scope of the support Services or the Contractor's obligations in

    accordance with the Customer's policies, procedures and standards, the Contractor

    must:

    a) Appoint and maintain an on call (24x7) BC Manager to manage ongoing BC

    requirements including preparation activities, capability testing and emergency

    response. The Contractor's BC manager will be expected to liaise directly with the

    Customer's BITS BC Coordinator.

    b) Provide recovery of IT resources, within the System, in timeframes that meet the

    Recovery Time Objectives (RTO), including restoration from backups stored offsite,

    as specified in SLRs.

    c) Ensure the continuance of electronic communication with other departments,

    agencies and jurisdictions in the event of an emergency.

    d) Undertake a 6 monthly test of BC procedures.

    e) Report on the outcomes of the test as soon as practicable after the test. Before,

    during and after rehearsals and tests, the Contractor must provide advice, analysis

    and suggestions for improvement, and implement improved BC processes (where

    shortfalls are identified).

    f) Ensure minimum downtime and data loss.

    g) Maintain data integrity, including security and access rights.

    h) Maintain network security.

    i) Minimise any negative impact on the Customer's business operation.

    j) Maintain the Customer's users' satisfaction.

    k) Ensure that all BC documents are current and valid.

    l) Ensure that the Contractor's staff involved in recovery procedures are fully trained in the requirements of the plans.

    The Customer may at its sole discretion review the outcomes of BC testing and reviews.

    The Contractor must implement the Customer's recommendations made as an outcome

    of such reviews.

    4.19.1 Contractor Reporting

    The Contractor must report to the Customer any incidents related to the mandatory requirements such as raising of alarms, security breaches etc. Additional details of this

    reporting will be specified by the Customer.

    Pass-through Services and Management

    All activities associated with managing Third Party Contracts. Without limiting the

    scope of the support Services or the Contractor's obligations, the Contractor must on-

    charge directly to the Customer amounts invoiced by a third party contractor under a

    managed Third Party Contract, without adding any margin or mark-up. The Contractor

    must also provide commercial and technical management of the third party contractors

    specified by the Customer.

    Project Initiation

    All activities necessary for the Contractor to comply with the procedures in Attachment

    19 and the Procedures Manual when initiating, assessing or implementing projects.

    These activities relate to all projects, including those that the Contractor may be

    required to undertake, be engaged for as a development project, or in support of a third

    party engaged for a development project.

    Project initiation activities include, but are not limited to:

    a) Developing an initial project plan, identifying all critical path dependencies,

    staffing resources, major milestones and project deliverables.

    b) Developing reporting requirements.

    c) Creating a development project Personnel plan identifying the Personnel assigned

    to the development project.

    d) Identifying any project inhibitors and mitigation strategies to ensure that the

    project can be undertaken in a viable manner.

    e) Developing RFT evaluation criteria.

    f) Creating a development project Statement of Work (SOW) which includes:

    i. A defined scope of work.

    ii. Technical goals and objectives.

    iii. Identification of customers and end users.

    iv. Standards.

    v. Assigned responsibilities.

    vi. Cost and schedule constraints.

    vii. Dependencies between the development project team and other

    organisations.

    viii. Resource constraints and goals.

    ix. Planning assumptions.

    x. The parties' responsibilities.

    g) Creating a development project Risk Assessment Plan (RAP) which identifies

    the risks associated with the cost, resource, schedule, and technical aspects of the

    project. The risks must be analysed and prioritised based on their potential impact to the project and contingencies and mitigation strategies for the risks that are

    identified must be detailed.

    h) Designing a project change control process that identifies, evaluates and assesses any

    change that impacts the development project (including any impact on cost,

    timing, or risk).

    Event Response Services

    All activities necessary to support the Customer during an Event. This includes

    assistance with the delivery, configuration, installation and connection of hardware and

    Software to communication service providers in nominated short time periods. It also may include the Contractor being obliged to provide fast responses, Rectifying and

    Resolving Problems within short timeframes and, in relation to the System, and

    providing dedicated onsite assistance. The Contractor must be able to cater for multiple

    simultaneous Events.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must:

    a) Make available resources (Personnel and equipment) that can be activated when

    the Customer declares an Event.

    b) Provide support on an as needed basis to deal with an Event to the Customer's

    satisfaction.

    c) Cooperate with and provide resources and Services (as part of the support

    Services) to any Provider of Event related services to the Customer.

    Risk Management

    All activities associated with minimising the Customer's risk that is associated with the

    Services. Such activities include the Contractor developing, implementing and

    maintaining a thorough risk mitigation plan for provision of the Services that aligns

    with the Customer's policies, procedures and standards. The risk mitigation plan must

    be approved by the Customer and must adequately address the issues of risk

    identification (being anything that has the potential to impede the Customer or the Contractor from achieving its objectives) and risk classification (i.e. the likelihood and

    consequence of each risk). It must also involve the Contractor actively tracking and

    mitigating each risk throughout the Term.

    The risk mitigation and management activities are in addition to the Contractor's BC

    obligations.

    Without limiting the scope of the support Services or the Contractor's obligations, the

    Contractor must actively:

    a) Identify and prioritise organisational, operational and strategic risk.

    b) Adopt an integrated approach to risk management that involves all relevant internal and external stakeholders including support from the Customer's senior

    management.

    c) Ensure risk management becomes part of day to day management.

    d) Provide Personnel with the policies, procedures and training necessary to manage

    risks.

    e) Develop appropriate strategies to ensure that identified risks and options for treatment are communicated to stakeholders at all levels.

    f) Monitor its strategic risk profile and achieve continuous improvement in risk

    management.

    g) Prepare reports on the risk management strategy and its implementation, as and

    when required by the Customer, in a form that the Customer can submit to VMIA

    to satisfy the Customer's obligations under the Financial Management Act 1994

    and Victorian Managed Insurance Authority Act 1996.

    5 Roles and Responsibilities

    Application Maintenance, Support and Enhancement Roles and

    Responsibilities

    The following table identifies the underlying roles and responsibilities associated with

    the provision of the Services (including all required Updates). An X is placed in the

    column under the party that will be primarily responsible for performing the task. The

    Customer's responsibilities are indicated in the column labelled "Customer". The

    Customer is designated the responsible party for performing tasks which must be

    performed by the Contractor or a third party where the Customer has retained

    provisioning or management responsibility.

    Where no detail is provided on a specific part of a Service, the Contractor is wholly

    responsible for the provision of that part of the Service, unless otherwise advised by the

    Customer.

    Application Maintenance, Support and Enhancement

    Roles and Responsibilities

    Contractor Customer

    1. Application Maintenance

    1.1 Define maintenance and support policies and procedures. X

    1.2 Approve maintenance and support policies and

    procedures.

    X

    1.3 Dispatch technicians to the point-of-service location, if required.

    X

    1.4 Perform diagnostics on hardware, Software, peripherals and services (as appropriate).

    X

    1.5 Install manufacturer field change orders, service packs,

    firmware and software maintenance New Releases, BIOS

    Updates, etc.

    X

    1.6 Perform Software distribution and version control, both

    electronic and manual.

    X

    1.7 Perform code efficiency and stress testing. X

    1.8 Replace defective parts and systems, including preventive

    maintenance according to the manufacturer's published mean-time-between rates.

    X

    1.9 Perform routine system management on support

    applications such as system tuning.

    X

    1.10 Provide preventive maintenance. X

    1.11 Provide adaptive maintenance. X

    1.12 Provide perfective maintenance. X

    1.13 Provide release packaging of Software changes. X

    1.14 Approve release packaging of Software changes. X

    1.15 Establish the priority of service requests. X

    2. Technical and End User Support

    2.1 Define technical support policies and procedures. X

    2.2 Approve technical support policies and procedures. X

    2.3 Test, install and tune technical environment hardware,

    Software, peripherals and services.

    X

    2.4 Manage hardware, Software, peripherals, and Services to

    optimise Service Levels and minimise the Customer's resource requirements.

    X

    2.5 Perform system backups in accordance with established

    procedures.

    X

    2.6 Coordinate Level 2 Service Desk interaction and response with the Level 1 Service Desk.

    X

    2.7 Provide Level 2 Service Desk technical assistance and

    production support.

    X

    2.8 Coordinate Level 3 Service Desk interaction and response

    with the Level 1 Service Desk and the Level 2 Service Desk.

    X

    2.9 Provide Level 3 Service Desk technical assistance and

    production support.

    X

    3. Applications Enhancement

    3.1 Requirements Definition

    3.1.1 Define requirements determination standards. X

    3.1.2 Coordinate end-user interaction with the Level 1 Service

    Desk.

    X

    3.1.3 Conduct interviews, group workshops and surveys to

    determine user requirements.

    X

    3.1.4 Meet with the Customer's requirements groups and

    representatives.

    X

    3.1.5 Serve on appropriate requirements groups and panels. X

    3.1.6 Determine software Update conversion requirements for

    COTS hardware and software.

    X

    3.1.7 Document all requirements in required formats (e.g., system specifications, data models, and network design

    schematics).

    X

    3.1.8 Approve all requirements documents. X

    3.1.9 Recommend System and user acceptance test criteria. X

    3.1.10 Approve System and user acceptance test criteria. X

    3.2 Design Specification

    3.2.1 Design and configure