Applications Attachment 3
8/14/2019 Applications Attachment 3
Attachment 3 - Services - Applications
Table of Contents
1 Overview
2 Definitions and acronyms
2.1 Definitions
2.2 Acronyms
3 Service Requirements
3.1 Included Services
3.2 Anticipated Applications Maintenance, Support and Enhancement Growth Volumes during the Term
3.3 Excluded Services and Applications
4 Support Services
4.1 Planning and Analysis
4.2 Project Management principles
4.3 Construction/Development
4.4 Integration and Testing
4.5 Implementation and Migration
4.6 Emergency Services
4.7 Application Warranty
4.8 Continuous Process Improvement
4.9 Level 2 Service Desk Problem Management Rectification and Resolution
4.10 Level 3 Service Desk
4.11 Root Cause Analysis
4.12 Training
4.13 Monitoring and Reporting
4.14 Local Implementation/Deployment
4.15 Managed Asset Management
4.16 Configuration Management/Change Control
4.17 Documentation
4.18 Security Management and Administration
4.19 Business Continuity (BC)
Pass-through Services and Management
Project Initiation
Event Response Services
Risk Management
5 Roles and Responsibilities
Application Maintenance, Support and Enhancement Roles and Responsibilities
Information Security Roles and Responsibilities
6 Service Level Requirements
6.1 SLR and Abatement Commencement
6.2 Service Level Requirement Classifications
6.3 SLR Details
1 Overview
This attachment defines and describes the Customer's requirements for Services in relation to the
System. The Contractor must provide all of the Services relating to applications maintenance,
support and enhancement (which include those Services described as support Services) specified below.
Where any part of a particular Service is not included or no detail is provided on such part of the
Service, the Contractor is wholly responsible for the provision of that part of the Service.
This attachment consists of the following sections:
a) Defined Terms. This includes a table of acronyms.
b) Service Requirements. This is a statement of the Customer's Service requirements.
c) Support Services. This describes the Services that will underpin and support the fulfilment
of the Customer's Service requirements.
d) Roles and Responsibilities. This provides further detail as to the Customer's Service
requirements and details the parties' roles and responsibilities for Service provision on a
daily basis.
e) Service Level Requirements (SLRs). These are the standards to which the Contractor will
be required to provide the Services, and the principal means by which the parties will
monitor and manage the Services.
2 Definitions and acronyms
2.1 Definitions
In addition to the terms defined in the Contract, the following terms are defined below.
Common Term Definition
AVAILABILITY The percentage of time that a given Service or the System is fully operational and available when its resources are called upon at a random
point in time. Availability represents a measure of the fraction of time
(expressed as a percentage) during a defined period when the System or
the provided Service is deemed to be equal to or better than a minimum
availability threshold, specified as an MASL in the applicable Service
Levels.
Availability (%) = 100% - Unavailability (%)
Where Unavailability is defined as:
Unavailability (%) = (Outage Duration x 100%) / (Schedule Time - Pre-planned Downtime)
Schedule Time = obligatory time for operation of Service or System; and
Downtime = downtime during Schedule Time.
BATCH PROCESSING The processing of non-online applications according to agreed completion dates and times.
BUSINESS CONTINUITY
(BC)
How each work unit will function if the facilities in which it operates are
lost due to fire, explosion or other disruption. This includes the
responsibilities of personnel to ensure clear and concise communication
lines are established immediately when an incident impacts on a business
unit's ability to function and directions for the reporting of Problems to the relevant authorities both initially and after the Problem has been
Resolved.
BASE OPERATING
ENVIRONMENT (BOE)
The Customer's base operating environment including all associated user
and technical Documentation, Updates and New Releases. The BOE
includes Microsoft Windows XP and associated drivers. It excludes the
purchase, licensing and/or creation of standard operating environment
(SOE) and Specialist Software.
CALL A call is counted for each unique Problem involving a separate individual event that results in opening a Ticket. Calls regarding open Problems,
calls received at the Service Desk that enter the queue and that are
terminated (e.g. user hang up) prior to response, and status calls
regarding open items do not result in opening a Ticket and so are not
counted. For Problems where multiple calls are related to a single point
of failure (that is, calls related to a server Outage), such calls will be
considered as a single call; will not result in opening a separate Ticket;
and will not be aggregated or counted as individual calls for measuring
call volume statistics.
CONTRACT MANAGER The person appointed by the Customer to manage the Contract in accordance with Attachment 7.
DISASTER An unplanned event that will or is likely to render a key component of the System and/or applications unavailable for use by the Customer for a
period of greater than 12 consecutive hours (or less than 12 hours at the
Customer's discretion) and the Contractor has not confirmed that
recovery of the System and/or applications will be achieved within the
maximum allowable downtime specified in the BC SLR.
Alternatively, the Customer may at its sole discretion declare a disaster.
DISASTER RECOVERY Ensuring that all parts of the System, including but not limited to, applications, interfaces and network connections are re-established after a
Disaster.
EVENTS Events are situations that generally require immediate increased levels of
resources, response and Problem Rectification and Resolution to be able to deal with the situation at the time. Some Events are unpredictable and
occur without warning, and some are predictable and can be managed
and planned. They include, but are not limited to:
Special events: festivals, sporting events, fetes etc
Emergency situations: bush fires, floods, storm damage, accidents etc
Operational events: taskforce formation, civil marches, public disturbances, crime sites etc
The Sites requiring Services of this nature include, but are not limited to,
the State Emergency Response Centre (SERC), Mobile Response
Units, the Crimes Unit, Covert Operations, Counter Terrorist Areas,
Special Operations, all Regional Operational Policing areas and any special task force which may be set up for a short time period.
Events are independent; therefore there is a possibility that multiple,
simultaneous Events may be declared by the Customer. Events, however,
are NOT Disasters and therefore do not warrant the implementation of a
Disaster Recovery plan.
IMAC (INSTALLATIONS,
MOVES, ADDS AND
CHANGES)
Activities performed as pre-scheduled events to install (this means from
the Customer request until the Customer user is able to begin or continue
normal use), remove, relocate, Update, modify or otherwise reconfigure
the System and/or telecommunications infrastructure components and
applications that are covered by the Services, including but not limited to
activation of data points. IMACs are included in the Services and will be
performed at no additional charge to the Customer. One IMAC is counted for each unique action that occurs during normal business hours and can
normally be completed within four full-time equivalent (FTE) work
hours. In the event that IMAC-related work must be performed outside of
normal work hours on a Business Day, due to operating/scheduling
constraints, the parties shall mutually agree on how these IMACs will be
handled. Repeat visits to correct Problems that arise or result from
implementing IMACs shall be considered Problems, and will not be
included under the IMAC count. If multiple Updates or reconfigurations
are scheduled for a single piece of equipment, only one IMAC will be
counted, unless the time required is significantly greater than four hours
to complete the work.
LEVEL 1 SERVICE DESK The Service Desk which interfaces with users of the System or Services and, where appropriate, a Level 2 Service Desk, with regard to the logging of Calls and the Rectification and Resolution of Problems.
LEVEL 2 SERVICE DESK The Service Desk to be provided by the Contractor as per this Attachment, which will liaise with the Level 1 Service Desk (and where
necessary any Level 3 Service Desk) in the process of Rectifying and
Resolving Problems associated with the Services or the System.
LEVEL 3 SERVICE DESK The Service Desk which Rectifies and Resolves Defects or manages the Rectification and Resolution of Defects in applications that cause
Problems that cannot be Rectified and/or Resolved by the Level 2 Service
Desk.
MANAGED ASSET Includes Software, applications, hardware, Documentation, facilities, intellectual property and all associated peripherals to be managed by the
Contractor and recorded as part of the Managed Asset register. Managed
Asset includes leased assets.
MEASUREMENT INTERVAL (A.K.A. MEASUREMENT
PERIOD)
Any specified period within which the metrics shall be measured and reported on for determining the Contractor's performance to the SLRs.
This takes into consideration the impact of continuous outage. For
example, a 28 day month measurement interval for a 99 percent
Minimum Acceptable Service Level for a 24x7 System would allow 6.7
hours of a continuous outage, with no other outages during the month. A
weekly interval would only allow 1.6 hours of a continuous outage.
MINIMUM ACCEPTABLE
SERVICE LEVEL (MASL)
The lowest level of acceptable Service performance before service credits
apply for non-performance during a defined period.
OUTAGE An event where the Service or a defined component of the System becomes unavailable, excluding scheduled or planned downtime. Each
Outage will be counted incrementally, regardless of whether the same
Problem occurs several times over a Measurement Period. If multiple
users experience the same Problem simultaneously on a single occasion
then this will be counted as only one Outage.
PROBLEM A single event in relation to the System or a Service requiring a Contractor response, typically identified by a user making a Call, the
Contractor, a third party or any automated warning system. The Customer
will determine the Severity Level of each reported Problem. Repeat visits
to correct Problems that arise from previously implemented IMACs are
considered Problems, not IMACs, and will not be added to the IMAC
count. The Contractor will provide the Customer with an escalation
procedure (to be approved by the Customer) for Rectification and
Resolution of reported Problems.
PROCEDURES MANUAL A manual describing how the Contractor will perform and deliver the Services, including the provision of Documentation (e.g., processes,
specifications) that provide further details of such activities. This must be
suitable for use by the Customer, such that the Customer can fully
understand, operate and exploit the System and the Services. The
Procedures Manual must include detailed descriptions of:
How the Contractor will provide the Services;
How the Contractor and the Customer will interact;
Communication protocols between account management and technical personnel;
Quality assurance procedures;
The Contractor's interaction with the Customer's other IT service providers, third party vendors and internal support areas;
Change management procedures;
Procedures for initiating requests for Service and project work;
Maintenance windows;
Problem management and escalation procedures; and
Other standards and procedures pertinent to the Customer's interaction with Contractor in obtaining the Services.
PROJECT ESTIMATION
METHODS AND TOOLS
A set of disciplines and techniques that allow an IT professional to
quantify labour and materials to determine schedule and cost, which is
adjusted for risk. Project estimation tools provide a series of questions
that allow the professional to input values to a system. The system
provides a common frame of reference for the Contractor and the Customer to understand how costs and schedules were derived.
RECTIFY / RECTIFICATION Rectification occurs when the functionality of the System or every application is available to the end user of the System or application such
that business operations can occur with minimal interruption or
impediment. Implementing a satisfactory Workaround is rectification.
Rectification can be achieved even though the root cause of a Problem
has not been Resolved. In some cases, Rectification can only be
achieved by Resolution of the Problem. Rectification is not achieved
until the Customer is satisfied that the Problem has been Rectified.
RELIABILITY The maximum acceptable number of individual Problems including Outages, failures, batch overruns or dropouts during a Measurement
Interval.
RESOLVE / RESOLUTION To repair, replace, reconfigure, re-install, re-route, or otherwise provide a
complete solution to a Problem that returns the System and/or end-user(s)
to non-degraded full functionality. Resolution requires the root cause of
a reported Problem to be identified and also requires the correction of
both the results and the cause of the Problem. A Workstation Problem at
a virtual office/remote access (VORA) Site is considered resolved by
the overnight shipment of a repaired or a replacement Workstation that is
fully operational. Implementing a Workaround is not resolution. Subject
to the next sentence, resolution is achieved when the Contractor has
notified the Customer that the part of the System which caused the
Problem is ready for Acceptance Testing. If the Acceptance Tests are not
passed, then resolution has not been achieved and the same Problem
remains unresolved. In this event, the time between the notification that the part of the System which caused the Problem is ready for Acceptance
Testing and its failure to pass the Acceptance Tests is not counted as time
during which resolution was not achieved.
ROOT CAUSE ANALYSIS A Problem analysis process undertaken to identify and quantify the underlying cause(s) of a Problem, and document the necessary corrective
actions to be taken to prevent recurring Problems/trends which could
result in Problems. This process is further defined in clause 4.11.
SERVICE DESK The centralised mechanism in place to respond to Problems and to communicate information regarding the Rectification and Resolution of
Problems.
STANDARD OPERATING ENVIRONMENT (SOE)
The Customer's standard operating environment Software including all
associated user and technical Documentation, Updates and New
Releases.
SEVERITY LEVEL The Customer defined category that identifies the degree of problem importance and associated Contractor response requirements attributed to
such a problem. Problems are categorised as Severity Level 1 to 3 only,
with Severity Level 4 being specifically related to user inquiries,
assistance, information or non-urgent help. Unless otherwise specified by the Customer, the Contractor must accept the Severity Level that is
assigned to any Problem by the Level 1 Service Desk.
Severity Level 1: A business critical function is not operational,
impacting major Customer business processes.
Severity Level 2: A major function impacting Customer business
processes is not operational, resulting in disruption to the business.
Severity Level 3: Part of the System is not operational but is not
immediately impacting Customer business functions.
Severity Level 4: User inquiries, assistance, information or non-urgent help.
SPECIALIST SOFTWARE All of the Software that is not included within the SOE or BOE.
TICKET A unique logical electronic record that the Contractor will create, update, maintain and archive for each Call. A Ticket is used to record all
Customer user/Contractor interaction pertaining to a Problem and all
Contractor-related actions, and corresponding date/time, taken to Rectify
and Resolve a Problem, from the time it is first reported to the Service
Desk until Problem Resolution and closure by the Service Desk. Also, it
is used for application change-control traceability.
VORA Virtual Office/Remote Access (VORA) pertaining to the Customer's remote users whose offices are either permanently or temporarily located
outside of Customer premises and who connect to the Customer's
network via remote access facilities (that is, VPN, Dial-up) using a laptop or desktop PC, and have different service requirements from the
Customer's IT-managed/staffed business facilities.
WORKAROUND A process established by or approved by the Customer that the Contractor or the Customer can implement as an alternate method of System or
process functionality in the event of a Problem. The alternate method
allows the System or affected process(es) to deliver the Customer an
acceptable level of business operations continuity until Resolution can be
implemented.
WORKSTATION An end-user computing device which comprises the personal computer, laptop computer and notebook computer and other associated peripheral
devices including:
a) USB memory repositories.
b) Printers.
c) Data point.
d) DVDs/CD rewrites.
e) CD jukeboxes.
f) Monitors.
g) Scanners.
h) Plotters.
i) Speakers.
j) Cables.
k) Modems.
l) Mouse.
m) Docking Station.
n) Media Libraries.
o) PDAs where connected to the LAN,
and any other devices specified by the Customer.
2.2 Acronyms
Acronym Definition
BC Business Continuity
BIOS Basic Input/Output System
BITS Business Information & Technology Services department
BOE Base Operation Environment (Operating System)
COTS Commercial Off-The-Shelf
CPU Computer Processing Unit
DR Disaster Recovery
IDS Intrusion Detection System
IMAC Installations, Moves, Adds and Changes
IT Information Technology
LAN Local-Area Network
LEAP Law Enforcement Assistance Program
MAC Moves, Adds and Changes
MASL Minimum Acceptable Service Level
PDA Personal Digital Assistants
SLR Service Level Requirement
SOE Standard Operation Environment (Approved software)
VPN Virtual Private Network
3 Service Requirements
This section describes the Services. The support Services in the following section also
form part of the Services.
3.1 Included Services
3.1.1 Current applications
The Contractor must fully maintain, support, and enhance all of the Customer's current
applications such that the Customer can fully exploit the functions and features of the
System. Current applications are defined as the Customer's applications that are
currently in a production environment or which are scheduled to be introduced into a
production environment and as at the Contract Date are listed in Attachment 1 and
indicated as being "Supported".
Addition and subtraction of applications will be addressed in accordance with the change control procedures in the Contract.
3.1.2 General responsibilities
In performing the Services, the Contractor must:
a) Comply with the Customer's policies, regulations, and standards as required by
the Contract.
b) Conform to changes in laws, regulations and policies stipulated or otherwise
mandated by applicable Federal, State and Local governments as required by the
Contract.
c) Report project progress and overall performance against the applicable Service
Levels as required by the Contract.
d) Meet the Service Levels for the Services in accordance with the SLRs.
e) Perform the Services in accordance with the Procedures Manual as approved by
the Customer.
f) Ensure Availability of the System in accordance with the SLRs.
g) Provide and make appropriate use of the systems or tools (hardware or software)
that are required to provide the Services. This includes:
i. The Customer's approved systems for work authorisation, Problem
Rectification and Resolution and project management processes.
ii. The Customer's approved systems for software quality assurance,
configuration management, and document management.
iii. The Customer's approved tools for software, database and interface,
design, development and testing.
iv. The Customer's approved templates, processes, personal tools for
communication (email, phone, pager, etc.) and general functions (PC for
word processing, spreadsheets, etc.).
h) Provide the Customer with Personnel resources with the required skills and
competencies to provide the Services at the specified Service Levels. This
includes any technical and non-technical training or induction for initially
assigned Personnel, replacement Personnel, or added Personnel.
i) Provide or facilitate agreed technical and non-technical training, or induction
transition activities for the Contractor's Personnel from the Customer's personnel,
or provide required knowledge transfer from the Customer's personnel to the
Contractor's Personnel or from the Contractor's Personnel to the Customer's
personnel.
j) Coordinate with the Customer and third parties who provide IT services to the
Customer (as required by the Customer) prior to any desired or required changes
to the application(s) and application platform(s) being supported by the
Contractor that may affect the operating performance and/or service level
performance of any IT service environments that may be retained by the
Customer or provided by third parties.
k) Specify, implement, and consistently employ across all projects an industry-
recognised standard effort estimation model and methodology for the purposes of
estimating application maintenance, support and enhancement efforts, which
delivers consistently reliable and accurate effort estimation forecasts and is
appropriate to the application(s) being maintained/supported/developed. As a
minimum, the Contractor must use function points as an estimation tool.
l) Provide the Customer with an agreed level of personnel resources with the
required skills and competencies to provide accurate and timely input to BC
activities including contingency planning meetings for such events and
completing any action items resulting from these activities required to be
provided or facilitated by the Contractor in order to meet the Service Levels.
m) Manage and administer backups, recovery and media management related to the
running of applications. Specifically, the Customer requires access to and
recovery of all files (including email) for a minimum period of 7 years from the
creation of such files. The backup and recovery activities include but are not
limited to working with third parties who provide IT services to the Customer to
ensure that the backups and recoveries are successful. In addition, the Contractor
must maintain a current copy of all supported applications. Such copies are to be
made available to the Customer immediately upon request.
3.1.3 Application Maintenance
The Services include application maintenance, which is all activities associated with
correcting non conforming performance for production application programs and systems
that result in less than 5 working days of effort. These activities include all life-cycle
support activities described above.
Applications maintenance must be provided across all of the Customer's platforms.
Application maintenance activities require the Contractor to ensure that sufficient skilled
resources are available on a full time basis to ensure that all maintenance activities are
completed in a timely manner.
Without limiting the scope of the Contractor's obligations, the Contractor must:
3.1.3.1 Correcting non conforming performance
Repair all applications which are in production, to ensure that they function in
accordance with the Service Levels. Full repair/recovery of the application(s) is to be
completed unless otherwise approved by the Customer (in writing) and is to cover all
files/deliverables, including:
a) Databases.
b) Printed reports.
c) Microfiche.
d) Interface files.
e) Web pages.
3.1.3.2 Preventive Maintenance
Provide preventative maintenance for all applications in production such that no events
occur, which if not addressed proactively, could impact applications in production. Such events include:
a) Changing business volumes.
b) Certified vendor patches or bug fixes provided from the vendor for the
Customer's approved and licensed application software.
c) Special testing for events, such as:
Public holidays.
End of financial year.
End of calendar year.
Leap years.
Daylight savings.
3.1.3.3 Adaptive Maintenance
Ensure that application performance is not affected by changes to interfacing
applications, new applications or packages and technical environment changes, which if
not addressed proactively, could impact applications in production. Such events include:
a) Updates of operating software.
b) New/changed equipment.
c) Interface changes.
3.1.3.4 Perfective Maintenance
Ensure that applications operate at peak efficiency with particular focus on areas such
as:
a) System CPU hours.
b) Storage space.
c) Response time.
d) Database performance tuning.
3.1.3.5 Release Packaging
Package all software changes into suitable releases for approved application as
approved by the Customer. This includes all activities associated with providing
software version control, both electronic and manual. All releases must conform to the Customer's approved risk mitigation strategy. The Contractor must develop an ongoing
process for the implementation of a 12-month rolling application release timetable (with
associated variation mechanism). The ongoing process and the initial 12-month rolling
timetable for each application are to be approved by the nominated Customer
representative.
3.1.4 Technical and End-User Support
The Services include technical and end-user support, which is all necessary expert
technical assistance that is required for the tuning of approved applications and utilities
for optimal System performance. This includes expert Level 2 Service Desk and Level 3 Service Desk technical assistance for the Customer's end-users and the Customer's, or
third party's, IT professionals.
3.1.5 Application Enhancement
The Services include application enhancement, which is all life-cycle activities, across
all of the Customer's platforms, associated with:
a) Approved "Minor Enhancements" being enhancements requiring greater than
or equal to 5 days work effort, and less than 25 days work effort; and
b) Approved "Major Enhancements" being enhancements requiring greater than
or equal to 25 days work effort, and less than 60 days work effort.
Application enhancement includes:
a) Minor Enhancements or Major Enhancements to existing applications;
b) The creation of new applications where the time required to completion is
within the bounds of Minor Enhancements or Major Enhancements; and
c) Integration, testing, implementation, and migration support of any applications
developed or modified by a third party, where the work effort involved is
within the bounds of Minor Enhancements or Major Enhancements.
Application enhancement activities are discrete units of non-recurring work to design, develop, build, test and/or implement, install or deploy a solution or deliverable, that do
not otherwise form part of the Services. Typically they require the Customer to undergo
more rigorous approval processes, project management and reporting than maintenance
or support activities.
The Contractor must not undertake any application enhancement activities unless the
Customer has approved a "Change Request" in accordance with the Contract.
All anticipated work effort beyond 60 days will be regarded as a "Development
Project". The Contractor may, or may not be requested to bid for any Development
Project. The Contractor will be required to participate in all activities associated with
"Project Initiation", at no additional cost to the Customer.
Without limiting the scope of the Contractor's obligations, throughout the Term, the
Contractor must:
3.1.5.1 Requirements Definition
Perform requirements definition, which is all activities associated with the assessment
of the Customer's users' requirements which are needed to determine detailed
application designs. This includes:
a) Conducting interviews, group workshops and surveys.
b) Meeting the Customer's requirements groups and contract management
representatives.
c) Developing functional requirements documents, logical and physical data
models, etc.
d) Undertaking impact analysis to determine BC requirements and the extent of
the impact of the proposed changes, including possible impact to interfacing
systems.
e) Undertaking an "Information System Threat and Risk Assessment", so that
specific security requirements can be documented.
All Documentation produced in the course of these activities is the Customer's property.
3.1.5.2 Design Specifications
Produce application design specifications that meet the Customer's applications
technical architectural standard(s), and identify and describe the most cost-effective
solution to the implementation option under consideration. These activities include:
a) Creating Documentation that specifies all components (including security
controls), program modules, data stores, interfaces, interface components and
associated operations procedures for the Customer's technical environment.
b) Obtaining the Customer's oversight and approval through co-ordination with
the appropriate architectural or technical oversight authority and authorised
Development Project governance representatives.
3.1.5.3 Test and Development and Training Environment
Establish a test, development and training environment to fully support the Customer's
current and future application requirements.
Without limiting the scope of the Contractor's obligations, the Contractor must:
a) Obtain and/or provide the necessary application development tools, testing
tools, change and configuration management tools, project management and
reporting tools, and other software (the Test, Development and Training
Environment Components) required to establish and support the Application
Product(s) development and testing environment at agreed Customer Sites.
b) Advise the Customer of appropriate sized hardware requirements, as well as
appropriate license quantities, types and revision levels of application
development, testing and runtime environment software not already owned by
the Customer and available for use.
c) In the event that any components are non-generic or are otherwise proprietary,
restricted and/or unique to the Customer's development environment, comply
with any method for the acquisition and disposition of such components that
the Customer determines to be equitable.
The Contractor is not required to maintain or support the infrastructure of the Test,
Development and Training Environment where the Provider of IT services in relation to
the Desktop Tower, or Mainframe Tower (whichever is applicable) is responsible for
maintaining and supporting such infrastructure. In the event that any component of the
Test, Development and Training Environment (including hardware or infrastructure) is
not so supported by another Provider, then the Contractor is required to maintain and
support this component.
The Contractor is required to maintain or support all infrastructure for the Test and
Development environment located in its facilities.
3.2 Anticipated Applications Maintenance, Support and Enhancement Growth
Volumes during the Term
The Contractor must ensure that the Services provided are adequate to meet the
Customer's requirements and the SLRs at all times throughout the Term.
3.3 Excluded Services and Applications
The following services are excluded:
a) COTS licence support and maintenance procurement.
b) Support and maintenance of all applications that the Customer has not
approved.
c) Support and maintenance of all applications not in production as at the Service
Commencement Date or not included as part of the change control process.
d) Specialist application support and maintenance arrangements for Fleetsmart
and BEAMS. The Customer will continue to support these applications via its
existing relationships with third party vendors, however, these may be included
in the future.
e) Services in respect of applications listed in Attachment 1 that are not listed as
"Supported". For the avoidance of doubt, this does not exclude Services in
respect of the interfaces between Not-Supported and Supported (Third Party)
applications and Supported Applications (as those terms are defined in
Attachment 1); only Services in respect of the applications themselves.
4 Support Services
The Contractor must provide the Customer with all support Services (which form part
of the Services) and which are all life cycle activities associated with the provision of
the Services by the Contractor.
All support Services are to be provided at no additional cost to the Customer. The
support Services include the following activities:
4.1 Planning and Analysis
Researching new application development trends, products, and services that offer
opportunities to improve the efficiency and effectiveness of the application
environment, as well as for meeting business requirements and delivering new or
improved benefits to government and the broader community.
The Contractor must present such research to the Customer's CIO or the nominated
Customer representative(s) in an agreed, relevant and understandable format.
Such activities include but are not limited to:
a) Investigating and documenting new products and services, such as hardware
components, system software and transmission facilities.
b) Assessing process re-engineering methodologies.
c) Performing operational planning for capacity and performance impact of
researched technologies.
d) Conducting feasibility studies approved by the Customer's CIO or the Customer's
nominated representative for the implementation of new technologies.
e) Performing project estimation using commercial Project Estimation Methods and
Tools that can size applications in function points and can categorise applications
as easy, medium or difficult to facilitate function point pricing.
f) Participating in annual technical and business planning sessions with the
Customer to establish standards, architecture and project initiatives.
g) Conducting quarterly technical reviews and workshops for the Customer on
trends and best practices.
h) Participating in the Customer's business continuance planning process.
4.2 Project Management principles
All activities required to establish reasonable plans for performing the required
Software development and for managing enhancements and potential "Development
Projects". This includes the establishment of visibility into actual progress so that
management can take effective actions when enhancement activities or Development
Project performance deviates from the project plans.
4.2.1 Enhancement activities
Support Services in relation to application enhancement include:
a) Providing, maintaining and updating a comprehensive project plan, identifying all
critical path dependencies, staffing resources, major milestones and project
deliverables.
b) Providing weekly status reviews and progress reports.
c) Creating a Personnel plan identifying the Contractor's Personnel assigned to the
work.
d) Assigning Personnel who have experience and expertise in the appropriate
application domain and software development to such work.
e) Assigning a project manager to actively manage the performance of the work and
to be responsible for acquiring commitments and developing the project plan for
that project.
f) Sufficiently training project team Personnel to ensure that they perform all
necessary roles and assume all necessary responsibilities.
g) Implementing all tools and processes required to support the provision of the
Services. Such tools and processes include:
i. Project management reporting.
ii. Design, coding and testing.
iii. Configuration management.
iv. Quality assurance.
h) Creating a "Statement of Work" for each discrete task which includes:
i. A defined scope of work.
ii. Technical goals and objectives.
iii. Identification of customers and end users.
iv. Standards.
v. Assigned responsibilities.
vi. Cost and schedule constraints.
vii. Dependencies between the project team and other organisations.
viii. Resource constraints and goals.
ix. Planning assumptions.
x. The parties' responsibilities.
i) Creating a "Risk Assessment Plan" (RAP) for each discrete task which
identifies the risks associated with the cost, resource, schedule, and technical
aspects of the project. The risks must be analysed and prioritised based on their
potential impact to the project and the RAP must specify contingencies and
mitigation strategies for the risks that are identified.
j) Implementing a Customer approved program change control process that
identifies, evaluates and assesses any change that impacts the work (cost, timing,
risk).
4.2.1.1 Activities
Reviewing the progress and management of each discrete task with the Customer's
senior management (Program and Customer) or nominated representative on a regular
basis as specified by the Customer or otherwise weekly. This includes reviewing and
reporting to the Customer on the following criteria:
a) Completions and progress towards completion of milestones, compared to the
project plan.
b) Funds expended, compared to the project plan.
c) Latest forecast of schedule and expenditures (to end of program).
d) Changes to approved or previously assigned resources.
e) Changes to project plan estimates or assumptions.
f) Conflicts and issues that are not resolvable at lower levels.
g) Software project risks.
h) Action items, all of which must be assigned, reviewed, and tracked to closure.
The Contractor must prepare summary reports from each meeting and distribute such
reports to the affected groups and individuals.
4.2.2 Development Projects
The same requirements as listed in Section 4.2.1 apply to development projects. The
Contractor must complete these requirements in such detail as the Customer requires.
The detail required in relation to a development project will be significantly greater
than that required for an enhancement task.
4.3 Construction/Development
All activities associated with the construction and/or development of application
modules. The Contractor must use the information from previous phases as critical
input when constructing and/or developing every application module. The Contractor
can construct an application module by in-house custom development, customising
commercial off-the-shelf (COTS) products or implementing COTS packages.
4.4 Integration and Testing
All activities necessary to ensure that all individual program components that are
configured with, or added to, the support applications environment work together
properly and perform all of the intended functions. This includes application interfaces
to other support applications in production. Such activities include:
a) Performing all appropriate life-cycle integration and development tests (e.g., unit
testing, socialisation, end-to-end testing, stress testing, regression testing, etc.).
b) Selective random independent testing, where the random selection includes some
complex modules (i.e. independent verification and validation testing).
c) User acceptance and quality assurance testing.
d) Maintaining test data.
e) Staging systems before implementation.
f) Performing modifications and performance enhancement adjustments to the
Customer's System and Software and utilities as a result of changes to
architectural standards.
g) Managing the integration lab facility.
4.5 Implementation and Migration
All activities associated with the installation and migration of new and upgraded
components to the Customer's production environment. Such activities include:
a) Installing new or enhanced functions or features.
b) Installing, or assisting third parties with the installation of new or enhanced
configuration and system management tools to operate within the support
application environment.
c) Performing data migration from existing systems to new systems, by either
electronic or manual methods.
d) Delivering all necessary system code and Documentation and user
Documentation.
e) Conducting pre-installation Site surveys.
f) Supporting test to production turnover implementation.
g) Distributing Software to Workstations and installing Software.
h) Conducting tests of documented BC procedures including all activities necessary
for backup and restoration of data and applications.
4.6 Emergency Services
All activities necessary to provide application enhancements and maintenance, as
specified above, to support the Customer's user requirements under emergency
conditions while maintaining the Service Levels. Emergency events may increase work
volumes substantially within a short period of time and may persist for a specified or an
indeterminate duration. The Contractor must provide a structured process for
supporting, managing, monitoring and reporting actions related to unanticipated
changes in operational requirements.
4.7 Application Warranty
All activities associated with repairing Defects in Contractor developed production
application programs and systems, where such Defects are discovered within 180 days
of the application being placed into a production environment. This includes all
life-cycle support activities described in Section 3.1 above, as well as any activities
necessary to repair Defects to enable applications to perform in accordance with the
documented specifications and operational functionality.
Application warranty services shall be provided at no additional charge to the
Customer, even where such activities amount to minor enhancements. Full correction of
the application(s) Defect is to be completed unless otherwise approved by the
Customer, and the corrected code shall be fully tested to ensure that no regression errors
are introduced. This shall include updating all Documentation and related
files/deliverables, such as:
a) Databases.
b) Printed reports.
c) Technical manuals.
d) Interface files.
e) Web pages.
4.8 Continuous Process Improvement
Establishing, implementing, managing and maintaining a set of processes and
procedures with which the Contractor must continually monitor and analyse its service
delivery methods and procedures. Such processes and procedures must be industry
recognised best practice and must ensure that the Contractor identifies all weaknesses
and opportunities for improvement in its Service delivery methods and procedures. The
Contractor must systematically implement those improvements.
The Contractor must provide quarterly reports on its continuous process improvement
activities and provide the Customer with the opportunity to have input into the process.
The Contractor must extend the benefits of these continuous process improvements to
the Customer through appropriate means such as cost containment or fee reduction, or
improvements to service delivery levels, increased productivity and the reduction in
defects.
4.9 Level 2 Service Desk Problem Management Rectification and Resolution
4.9.1 Level 2 Service Desk
All activities associated with the provision and operation of a Level 2 Service Desk.
A Provider will provide the Level 1 Service Desk to the Customer. This Level 1 Service
Desk will assign and escalate all Problems related to the System or Services to the
Contractor.
As part of the provision and operation of a Level 2 Service Desk, the Contractor must:
a) Provide Level 2 Service Desk support for the System and all of the Services
(including onsite support for Problem Rectification and Resolution).
b) Manage and resolve all Problems (including assignment and escalation to third
parties or the Level 3 Service Desk (if applicable) and provide management,
monitoring and feedback of such Problem Rectification and Resolution activities
to the Level 1 Service Desk).
c) Provide progress feedback to the Level 1 Service Desk during the Rectification
and Resolution process as per the SLRs.
The Level 1 Service Desk will monitor all Problems through to Resolution and will
provide feedback to the affected user(s).
4.9.2 Level 2 Problem Management
As part of the operation of the Level 2 Service Desk, the Contractor must implement
and maintain Problem management policies and procedures that significantly decrease
the number of Problems which occur by Resolving any Defects within the
application(s) in the System. The Contractor's policies and procedures must address,
and the Contractor must report on, all aspects of its policies and the specific
implementation of those policies with respect to:
a) Problem control.
b) Error control.
c) Proactive prevention of Problems.
d) Identifying Problem trends.
e) Contingency planning and Disaster Recovery.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Package and release Updates for all Problems in accordance with approved
change management and configuration management procedures. These include
New Releases necessary for the Rectification and Resolution of Problems,
including Software application configuration and operation errors that have been
escalated by the Customer's Personnel or users (whether through the Service Desk
or otherwise).
b) Provide a single point of contact for receiving, logging, and tracking all Problems
escalated to the Contractor's Level 2 Service Desk.
c) Troubleshoot all reported Problems to determine the probable cause of the
reported Problem.
d) Recommend and implement Rectification of each Problem until a permanent
Resolution can be implemented.
e) Track all Problems to Resolution to ensure that all necessary corrective action is
provided through to Resolution.
f) Escalate unknown errors and identified Problem trends in accordance with the
policies and procedures developed for Problem management.
g) Provide progress reports to the Customer throughout the Problem Rectification
and Resolution process, via the Service Desk.
h) Ensure that key application support personnel are able to be reached during off-
shift hours via pagers or cell phones.
4.9.3 Level 2 Problem Monitoring and Reporting
As part of the operation of the Level 2 Service Desk, the Contractor must also provide a
reporting capability which identifies the following metrics for a specified (ad hoc) time
period or as otherwise required by the Customer:
a) Number of open Tickets.
b) Average age (in hours) of open Tickets until Rectification and Resolution.
c) Percentage of Tickets resolved during the first call.
d) Average time to Rectification and Resolution (in hours) for closed Tickets.
e) Total hours of Contractor resource time expended for closed Tickets.
f) Hours of downtime by application.
g) Number of repeat Calls about the same application. A repeat call is one that is
made after an attempt has been made to Rectify and/or Resolve a Problem.
4.10 Level 3 Service Desk
All activities associated with the provision and operation of a Level 3 Service Desk.
As part of the provision and operation of a Level 3 Service Desk, the Contractor must
support all applications and Services that it directly manages and supports. The Level 3
Service Desk is responsible for all support provided by any third party in relation to an
application that is in (or scheduled to be in) the Customer's production environment.
The Contractor must work closely with any third party that is providing management
and support for such an application.
As part of the operation of the Level 3 Service Desk, the Contractor must also provide a
reporting capability in relation to the support provided by the Level 3 Service Desk
which identifies the following metrics for a specified (ad hoc) time period or as
otherwise required by the Customer:
a) Number of open Tickets.
b) Average age (in hours) of open Tickets until Rectification and Resolution.
c) Percentage of Tickets resolved during the first call.
d) Average time to Rectification and Resolution (in hours) for closed Tickets.
e) Total hours of Contractor resource time expended for closed Tickets.
f) Hours of downtime by application.
g) Number of repeat Calls about the same application. A repeat call is one that is
made after an attempt has been made to Rectify and/or Resolve a Problem.
4.11 Root Cause Analysis
All activities associated with the implementation of a process that will cause the
Contractor to understand and prevent recurring Problems/trends which could result in
Problems. Without limiting the scope of the support Services or the Contractor's
obligations, the Contractor must:
a) Ensure that its Personnel on the Service Desk and any other support Personnel have
access to the Problem Rectification and Resolution database to view the history of
previous application Problems and their Rectifications and Resolutions.
b) Conduct a Root Cause Analysis of all such Problems or failures, including all
Severity Level 1 and Severity Level 2 Problems, within two days of the Problem
occurring unless an alternative timeframe is agreed with the Customer.
c) Assign appropriate resources to identify and remedy such Problems or failures, and
track and report on any consequences of such Problems or failures.
d) Provide the Customer with a written report detailing the cause of and procedure for
correcting such Problems or failures within five days of the Problem occurring.
Provide updates on a monthly basis until the underlying defect resulting in the
Problems or failures is corrected. The Customer reserves the right at its own
discretion to conduct its own review. The results of such reviews must be
implemented by the Contractor.
e) Substantiate to the Customer that all reasonable actions have been taken to prevent
recurrence of such Problem or failure.
Note: These Services are provided in consultation with the Customer and other
Providers.
The Contractor must provide the Customer with access to the raw data used to conduct
every Root Cause Analysis. The Customer may, at its own discretion, conduct
independent reviews and analysis of any Problems, failures or the Contractor's Root
Cause Analysis recommendations. The Customer's review outcomes must be actioned
by the Contractor if the Customer requires this to be done.
4.12 Training
All activities associated with the improvement of skills for the Contractor's Personnel
and the Customer's IT technical staff (and business managers, at the Customer's sole
option) through education and instruction. Additionally, training includes the initial end-
user training on new and current applications and Services. Training services are
provided to the Customer's end users for improving how-to-use skills related to
systems and applications. Delivery methods that are offered for training include
classroom style and computer-based instruction.
In accordance with the Contract, the Contractor must utilise Personnel with appropriate
skills and knowledge to satisfy all of its Contractual requirements.
4.13 Monitoring and Reporting
All activities associated with ongoing health checks, Service Level performance
reporting, review of error logs, status reporting, and Problem management (ongoing
surveillance, tracking, escalation, Rectification, Resolution, and tracking of Problems)
of application enhancement and support activities. These Problem management
activities require the Contractor to integrate and coordinate its Level 2 Service Desk
support Services with the Level 1 Service Desk. All Reports specified in Attachment 6
(Reports) must be provided when required by that Attachment.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Provide monthly Service Level performance reports.
b) Provide monthly staffing utilisation reports.
c) Provide monthly milestone achievement review and performance reports.
d) Provide an electronic copy of a consolidated list of applications being maintained
with related information on a monthly basis.
e) Conduct and complete a function count prior to any release using the most recent
International Society of Function Point User Group (IFPUG) standards.
f) Using a Customer approved reporting format and assessment criteria, provide the
Customer with a consolidated list of development and major enhancement
projects in progress, including project status, as required by the Customer or, at a
minimum, on a monthly basis.
4.14 Local Implementation/Deployment
All activities associated with providing support for enhancement of the Customer's
authorised local adaptations of the application development product(s) and providing
on-site deployment and integration of the applications. The Contractor must provide
integration teams that will receive direction from the Customer's business-unit liaisons
for deployment of the application development product(s). Local
implementation/deployment activities include all the applicable Services described in
Section 3 above, which shall be performed in accordance with the Service Levels and
the parties' defined roles and responsibilities.
4.15 Managed Asset Management
All activities associated with input to and the continuous maintenance of the Managed
Asset register (which is maintained by the Provider responsible for the Desktop Tower) for
all of the Customer's Managed Assets. Managed Assets includes, but is not limited to all
applications including Specialist Software which are in, or are scheduled to be in, the
Customer's production environment.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Provide updates to the Managed Asset register database according to defined
procedures.
b) Ensure all inputs to the Managed Asset register are accurate and fully up to date.
c) Track all Managed Assets (by user, location, Managed Asset ID, finances, version
as appropriate) and ensure third party agreements for services are in force as
needed to meet SLRs.
d) Assist the Customer and third parties in auditing the Managed Assets.
e) Coordinate the termination, disposal of and relocation of Managed Assets as
needed/specified by the Customer in accordance with the Customer security
policy (For example, sanitise desktop and server hard disk drives).
f) Advise the Customer in a timely manner of expiration and renewal requirements
for Customer owned software licences and third party support agreements. At a
minimum, such notice is to be given to the Customer three months prior to such
expiration.
g) Report on the Managed Asset register inputs on both an ad hoc and a
defined/structured basis. This includes, but is not limited to tracking Managed
Assets and advising the Customer three months in advance of expiration and
renewal requirements for Contractor-owned software licences.
4.16 Configuration Management/Change Control
All activities necessary to administer and adhere to a standard change management
process for the Services that aligns and complies with the Customer's policies,
procedures and standards, as set out in the Procedures Manual approved by the
Customer. The change management process will include impact analysis, contingencies,
risk management, planning/implementation, approval, post-change review and back-out
processes.
Without limiting the scope of the support Services or the Contractor's obligations, in
making changes to the Services, the Contractor must:
a) Eliminate or minimise disruptions to the Customer's users caused by the
implementation of any change.
b) Without limiting paragraph a), implement changes according to a mutually-agreed
schedule between the parties.
c) Eliminate or minimise the number of change back-outs caused by ineffective
change planning or implementation.
d) Eliminate or minimise the number of Problems caused by change.
e) Eliminate or minimise the Outages caused by change.
f) Manage changes to individual components and coordinate changes across all
components that comprise an end-to-end solution to minimise disruption to the
Services and the Customer's business.
g) Document all changes to the Services.
h) In conjunction with the Customer (and Customer specified third parties), ensure
that all change management processes facilitate communication, and that tested
back-out plans exist to provide a high degree of success. The Contractor
acknowledges that the stability of the production environment is critical to the
Customer's business. Accordingly, the Contractor must employ all reasonable
safeguards to ensure continuity of the Customer's business operations when
changes to the production environment or the Services are initiated or
implemented.
i) Plan and communicate scheduled changes in advance in accordance with the
Customer's business requirements. The Contractor must use the change
management process to plan, coordinate, monitor and communicate the changes
that affect the Services.
4.17 Documentation
All activities associated with the creation and maintenance of the Documentation
relating to the System and the Services and the provision of such Documentation to the
Customer. These activities include maintaining and managing copies of all such
Documentation in a technical library.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
4.17.1 General
Develop, revise, maintain, store, retrieve, reproduce and distribute information in hard
copy and electronic form. The types of documents include:
a) End-user documentation.
b) Standard operating procedures (including but not limited to the Procedures
Manual).
4.17.2 The Procedures Manual
a) Ensure that the Procedures Manual is complete and in such a form that the
Customer can fully understand, operate and exploit the System and the Services.
b) Periodically, and on at least an annual basis, update the Procedures Manual to
reflect changes in operations or procedures. Updates of the Procedures Manual will
be provided to the Customer for review, comment and approval (not to be
unreasonably withheld), provided that the Contractor must incorporate the
reasonable comments or suggestions of the Customer into every revised Procedures
Manual.
c) Perform the Services in accordance with the Procedures Manual.
4.18 Security Management and Administration
4.18.1 Overview
This clause defines and describes the Customer's requirements for the provision of
security services relating to the System and for the System.
4.18.2 Current Environment
The Customer's requirements and the Contractor's obligations for the provision of
security services relating to the System must be read in conjunction with the detail
provided in Attachment 1 (Current Environment).
The Customer creates and manages information that varies in sensitivity from some
that may be made freely available to the public (classified as PUBLIC DOMAIN) to
information that, should a breach of confidentiality occur, could lead to serious injury
or death (classified as HIGHLY PROTECTED).
The classification scheme currently used by the Customer is that defined in the
Commonwealth of Australia's Protective Security Manual (2000) for non-national
security classified information.
Previous analysis has identified that both the quantity and geographic distribution of
PROTECTED information across the Customer's network (i.e. the LAN and WAN
environments) is sufficiently great to require security controls for the general network
that will ensure appropriate protection for information classified as PROTECTED.
Workgroups managing HIGHLY PROTECTED information will also require
additional security controls to ensure appropriate protection for information classified
at that level.
The Customer does not currently have access to its security protocol information.
However, as identified in the document Enterprise Security Strategy - Gap Analysis,
the Customer recognises that the current solution is not sufficient to fully meet
Commonwealth Security Standards.
4.18.3 Security Requirements for the current environment
The Contractor must do everything associated with the provision, management and
administration of security of the System as required by the Customer. The Customer's
requirements for the provision of security services relating to the System are detailed
below and in section 5 of this Attachment (Roles and Responsibilities). These
requirements are to be fulfilled as part of the core managed services.
Without limiting the scope of these Services or the Contractor's obligations, the
Contractor must:
a) Do everything necessary for maintaining the security of the System.
b) Liaise with and provide relevant information to other persons assigned
responsibility for the security of any part of the Customer's IT environment.
4.18.4 Security Policies & Procedures
As a minimum, the Contractor must fully comply with all aspects of the Customer's
Enterprise Information Security Policy, the following security policies, standards and
guidelines and all policies, procedures and standards in Attachment 9 in all their
interactions with the Customer and in the performance and provision of the Services
(including any security service). Where, in the Customer's Enterprise Information
Security Policy, compliance to the Commonwealth information security policies and
standards is currently discretionary, the Contractor must treat those references as
requiring mandatory compliance.
The following is an adapted extract from the Customer's Enterprise Information
Security Policy with which the Contractor must comply.
The development and management of all Victoria Police information Systems must
be fully compliant with the following policies, standards and guidelines (or their
successors or as amended):
(i) IT&T-14: Information Security Policy (Victorian Government, May 1999);
(ii) IT Network and Application Security Best Practice Statements
(Multimedia Victoria, February 1999);
(iii) Information Technology Code of Practice for Information Security
Management [AS/NZS ISO/IEC 17799:2001] (Standards
Australia/Standards New Zealand);
(iv) Information Security Management Part 2: Specification for Information
Security Management Systems [AS/NZS 7799.2:2003] (Standards
Australia/Standards New Zealand);
(v) Information Security Risk Management Guidelines [HB 231:2004]
(Standards Australia); and
(vi) Guidelines for the Management of IT Security [AS13335 (Set): 2003]
(Standards Australia).
However, as the documents listed above are relatively non-prescriptive, the
information security control measures implemented in relation to the Customer's
information systems must also be fully compliant with the policies, standards and/or
guidelines defined in the following (or their successors or as amended):
(i) Commonwealth Protective Security Manual (2000 edition, Attorney
General's Department, Commonwealth of Australia);
(ii) ACSI 33: The Australian Government Information Technology Security
Manual: (2004 edition, Defence Signals Directorate [DSD], Department of
Defence, Commonwealth of Australia);
(iii) Gateway Certification Guide (Ver. 3 2004 edition, Defence Signals
Directorate [DSD], Department of Defence, Commonwealth of Australia);
(iv) Security Equipment Catalogue, Security Construction and Equipment
Committee (SCEC), Commonwealth of Australia; and
(v) Key Management Plan Guidance [July 2003] (Information Security Group,
Defence Signals Directorate).
4.19 Business Continuity (BC)
All activities associated with the provision to the Customer of BC support, including
BC planning and strategy development, strategy implementation, capability testing,
rehearsals and ongoing management of BC for each component of the System. In
undertaking such activities, the Contractor must take into account and minimise their
impact on all other elements of the Customer's IT environment. The Customer will
retain responsibility for Business Continuity for non-IT resources within each of its
individual business units. The Contractor must coordinate its BC activities with those of
third parties who provide similar services to the Customer in relation to other parts of
the Customer's IT environment and consistently meet or exceed the BC SLRs.
Without limiting the scope of the support Services or the Contractor's obligations in
accordance with the Customer's policies, procedures and standards, the Contractor
must:
a) Appoint and maintain an on call (24x7) BC Manager to manage ongoing BC
requirements including preparation activities, capability testing and emergency
response. The Contractor's BC manager will be expected to liaise directly with the
Customer's BITS BC Coordinator.
b) Provide recovery of IT resources, within the System, in timeframes that meet the
Recovery Time Objectives (RTO), including restoration from backups stored offsite,
as specified in SLRs.
c) Ensure the continuance of electronic communication with other departments,
agencies and jurisdictions in the event of an emergency.
d) Undertake a 6 monthly test of BC procedures.
e) Report on the outcomes of the test as soon as practicable after the test. Before,
during and after rehearsals and tests, the Contractor must provide advice, analysis
and suggestions for improvement, and implement improved BC processes (where
shortfalls are identified).
f) Ensure minimum downtime and data loss.
g) Maintain data integrity, including security and access rights.
h) Maintain network security.
i) Minimise any negative impact on the Customer's business operation.
j) Maintain the Customer's users' satisfaction.
k) Ensure that all BC documents are current and valid.
l) Ensure that the Contractor's staff involved in recovery procedures are fully trained
in the requirements of the plans.
The Customer may at its sole discretion review the outcomes of BC testing and reviews.
The Contractor must implement the Customer's recommendations made as an outcome
of such reviews.
4.19.1 Contractor Reporting
The Contractor must report to the Customer any incidents related to the mandatory
requirements such as raising of alarms, security breaches etc. Additional details of this
reporting will be specified by the Customer.
Pass-through Services and Management
All activities associated with managing Third Party Contracts. Without limiting the
scope of the support Services or the Contractor's obligations, the Contractor must on-
charge directly to the Customer amounts invoiced by a third party contractor under a
managed Third Party Contract, without adding any margin or mark-up. The Contractor
must also provide commercial and technical management of the third party contractors
specified by the Customer.
Project Initiation
All activities necessary for the Contractor to comply with the procedures in Attachment
19 and the Procedures Manual when initiating, assessing or implementing projects.
These activities relate to all projects, including those that the Contractor may be
required to undertake, be engaged for as a development project, or in support of a third
party engaged for a development project.
Project initiation activities include, but are not limited to:
a) Developing an initial project plan, identifying all critical path dependencies,
staffing resources, major milestones and project deliverables.
b) Developing reporting requirements.
c) Creating a development project Personnel plan identifying the Personnel assigned
to the development project.
d) Identifying any project inhibitors and mitigation strategies to ensure that the
project can be undertaken in a viable manner.
e) Developing RFT evaluation criteria.
f) Creating a development project Statement of Work (SOW) which includes:
i. A defined scope of work.
ii. Technical goals and objectives.
iii. Identification of customers and end users.
iv. Standards.
v. Assigned responsibilities.
vi. Cost and schedule constraints.
vii. Dependencies between the development project team and other
organisations.
viii. Resource constraints and goals.
ix. Planning assumptions.
x. The parties' responsibilities.
g) Creating a development project Risk Assessment Plan (RAP) which identifies
the risks associated with the cost, resource, schedule, and technical aspects of the
project. The risks must be analysed and prioritised based on their potential impact
to the project and contingencies and mitigation strategies for the risks that are
identified must be detailed.
h) Designing a project change control process that identifies, evaluates and assesses any
change that impacts the development project (including any impact on cost,
timing, or risk).
Event Response Services
All activities necessary to support the Customer during an Event. This includes
assistance with the delivery, configuration, installation and connection of hardware and
Software to communication service providers in nominated short time periods. It also
may include the Contractor being obliged to provide fast responses, Rectifying and
Resolving Problems within short timeframes and, in relation to the System,
providing dedicated onsite assistance. The Contractor must be able to cater for multiple
simultaneous Events.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Make available resources (Personnel and equipment) that can be activated when
the Customer declares an Event.
b) Provide support on an as needed basis to deal with an Event to the Customer's
satisfaction.
c) Cooperate with and provide resources and Services (as part of the support
Services) to any Provider of Event related services to the Customer.
Risk Management
All activities associated with minimising the Customer's risk that is associated with the
Services. Such activities include the Contractor developing, implementing and
maintaining a thorough risk mitigation plan for provision of the Services that aligns
with the Customer's policies, procedures and standards. The risk mitigation plan must
be approved by the Customer and must adequately address the issues of risk
identification (being anything that has the potential to impede the Customer or the
Contractor from achieving its objectives) and risk classification (i.e. the likelihood and
consequence of each risk). It must also involve the Contractor actively tracking and
mitigating each risk throughout the Term.
The risk mitigation and management activities are in addition to the Contractor's BC
obligations.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must actively:
a) Identify and prioritise organisational, operational and strategic risk.
b) Adopt an integrated approach to risk management that involves all relevant
internal and external stakeholders including support from the Customer's senior
management.
c) Ensure risk management becomes part of day to day management.
d) Provide Personnel with the policies, procedures and training necessary to manage
risks.
e) Develop appropriate strategies to ensure that identified risks and options for
treatment are communicated to stakeholders at all levels.
f) Monitor its strategic risk profile and achieve continuous improvement in risk
management.
g) Prepare reports on the risk management strategy and its implementation, as and
when required by the Customer, in a form that the Customer can submit to VMIA
to satisfy the Customer's obligations under the Financial Management Act 1994
and Victorian Managed Insurance Authority Act 1996.
5 Roles and Responsibilities
Application Maintenance, Support and Enhancement Roles and
Responsibilities
The following table identifies the underlying roles and responsibilities associated with
the provision of the Services (including all required Updates). An X is placed in the
column under the party that will be primarily responsible for performing the task. The
Customer's responsibilities are indicated in the column labelled "Customer". The
Customer is designated the responsible party for performing tasks which must be
performed by the Contractor or a third party where the Customer has retained
provisioning or management responsibility.
Where no detail is provided on a specific part of a Service, the Contractor is wholly
responsible for the provision of that part of the Service, unless otherwise advised by the
Customer.
Application Maintenance, Support and Enhancement
Roles and Responsibilities
Contractor Customer
1. Application Maintenance
1.1 Define maintenance and support policies and procedures. X
1.2 Approve maintenance and support policies and
procedures.
X
1.3 Dispatch technicians to the point-of-service location, if
required.
X
1.4 Perform diagnostics on hardware, Software, peripherals
and services (as appropriate).
X
1.5 Install manufacturer field change orders, service packs,
firmware and software maintenance New Releases, BIOS
Updates, etc.
X
1.6 Perform Software distribution and version control, both
electronic and manual.
X
1.7 Perform code efficiency and stress testing. X
1.8 Replace defective parts and systems, including preventive
maintenance according to the manufacturer's published
mean-time-between rates.
X
1.9 Perform routine system management on support
applications such as system tuning.
X
1.10 Provide preventive maintenance. X
1.11 Provide adaptive maintenance. X
1.12 Provide perfective maintenance. X
1.13 Provide release packaging of Software changes. X
1.14 Approve release packaging of Software changes. X
1.15 Establish the priority of service requests. X
2. Technical and End User Support
2.1 Define technical support policies and procedures. X
2.2 Approve technical support policies and procedures. X
2.3 Test, install and tune technical environment hardware,
Software, peripherals and services.
X
2.4 Manage hardware, Software, peripherals, and Services to
optimise Service Levels and minimise the Customer's
resource requirements.
X
2.5 Perform system backups in accordance with established
procedures.
X
2.6 Coordinate Level 2 Service Desk interaction and response
with the Level 1 Service Desk.
X
2.7 Provide Level 2 Service Desk technical assistance and
production support.
X
2.8 Coordinate Level 3 Service Desk interaction and response
with the Level 1 Service Desk and the Level 2 Service
Desk.
X
2.9 Provide Level 3 Service Desk technical assistance and
production support.
X
3. Applications Enhancement
3.1 Requirements Definition
3.1.1 Define requirements determination standards. X
3.1.2 Coordinate end-user interaction with the Level 1 Service
Desk.
X
3.1.3 Conduct interviews, group workshops and surveys to
determine user requirements.
X
3.1.4 Meet with the Customer's requirements groups and
representatives.
X
3.1.5 Serve on appropriate requirements groups and panels. X
3.1.6 Determine software Update conversion requirements for
COTS hardware and software.
X
3.1.7 Document all requirements in required formats (e.g.,
system specifications, data models, and network design
schematics).
X
3.1.8 Approve all requirements documents. X
3.1.9 Recommend System and user acceptance test criteria. X
3.1.10 Approve System and user acceptance test criteria. X
3.2 Design Specification
3.2.1 Design and configure