NSW Government Personal Safety Solutions Standard V1.0 June 2016


NSW Government

Personal Safety Solutions Standard

V1.0

June 2016

Personal Safety Solutions Standard

CONTENTS

1. CONTEXT 3

1.1. Background 3

1.2. Purpose 3

1.3. Scope and application 3

1.4. Policy context 3

1.5. The ICT Services Catalogue 4

2. KEY PRINCIPLES 4

3. REQUIREMENTS 5

3.1. Personal Safety Solutions 5

3.2. Service level and complexity 5

3.3. Requirements tables 5

3.3.1 Use Cases / Scenarios 5

3.3.2 Use Cases Requirements Table 6

3.4. Elements of Standard 7

3.4.1. Configuration management 7

3.4.2. Service management 9

APPENDIX A – DEFINITIONS 12

APPENDIX B – ABBREVIATIONS 13

APPENDIX C – REFERENCES 14

APPENDIX D – STANDARDS 15

Developing technical standards 15

Management and implementation 15


1. CONTEXT

1.1. Background

This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. This standard contains technical and functional requirements that agencies should consider when procuring ICT services for Personal Safety Solutions.

By defining the necessary and common elements across agencies, the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.

1.2. Purpose

The purpose of this standard is to assist NSW Government agencies to develop, procure and implement Personal Safety solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.

This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.

1.3. Scope and application

This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.

For the purposes of this standard, Personal Safety Solutions means providing the capability for the consumer to provision solutions for fixed or portable/mobile duress/personal safety of included personnel.

See Appendix A for definitions of the above elements of this standard.

This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.

1.4. Policy context

The NSW Government ICT Strategy and Digital+ 2016 – Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.

The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.


Solutions should also assist agencies in their alignment with the NSW Government Enterprise Architecture (NSW GEA), which encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is about providing direction and practical guidance to accelerate the development of agency EA capability and enabling a common, intra and inter agency approach to the design of digital government.

This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is in Appendix D – Standards.

1.5. The ICT Services Catalogue

This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.

2. KEY PRINCIPLES

With Personal Safety Solutions, the consumer does not need to concern themselves with the individual components and elements that make up a solution, but rather should focus on ensuring that the solution meets the capabilities for which it has been sourced.

End-to-end digital: Personal safety solutions should enable end-to-end digital business processes and management.

Control technical diversity: Personal safety solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple operating environments.

Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.

Data quality: Data should possess characteristics indicating data quality, including in relation to: accessibility, the institutional environment, relevance, timeliness, accuracy, coherence and interpretability (see the NSW Government Standard for Data Quality Reporting for more details).

Facilitating as a service: Public safety solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.

Interoperability: Public safety solutions should meet applicable recognised open standards across the requirements outlined in this document.

Business continuity: Public safety solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy; ISO 27031-2011 and ISO 22301:2012 Societal security – Business Continuity management system requirements for more guidance).


3. REQUIREMENTS

3.1. Personal Safety Solutions

When considering any aspect of Personal Safety Solutions (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer. Definitions for items discussed below can be found in Appendix A – Definitions.

3.2. Service level and complexity

Personal Safety Solutions can be provided in a range of ways. For example, the supplier of the service may manage some of the service or environment during the course of the contract, or the supplier may manage the entire service for the course of the contract.

3.3. Requirements tables

The following tables set out the recommended business and technical requirements for the provision of Personal Safety services to NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size. Explanations for each element of the following use cases are provided in section 3.4.

3.3.1 Use Cases / Scenarios

Defined perimeter

Within a campus, for example a hospital, university, correctional centre or office complex, where security is only required within the confines of the campus (as defined by the Agency). This includes, but is not limited to, the immediate surrounds such as car parks and gardens, and covers public, staff and limited access spaces (areas such as roof spaces, lift wells and other controlled access areas). Ease of alert activation (appropriate dedicated device or ‘app’ style activation) and location identification (including the floor in a multi-floor building). Dedicated response centre(s) with appropriate service agreements with first responder organisations (agency internal, police and emergency services, other third parties) as required by the situation.

Limitless perimeter

No defined boundaries for security response requirements. Ease of alert activation (appropriate dedicated device or ‘app’ style activation) and location identification (including the floor in a multi-floor building). Dedicated response centre(s) with appropriate service agreements with first responder organisations (agency internal, police and emergency services, other third parties) as required by the situation.

Key to table requirements: Required; Optional, but beneficial.


3.3.2 Use Cases Requirements Table

‘Use cases’ for Personal Safety Solutions that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Requirement elements (table columns):

Fit for purpose device

Personal Safety Workflow

Personal Safety Telecommunications

Personal Safety Fixed Devices

Personal Safety Wide Area Devices

Personal Safety Campus (mobile) devices

Personal Safety Bring Your Own Device / ‘App’

Person Down/No movement

Wearable audio/video capacity

Time delayed alert event trigger

Loss of Connectivity Alert

Commissioning Services

Testing Services

Self-Service Administration

Full Service Administration

Cloud-compliant hosting facility

NSW Government Data Centre

Service Level Management

Multi-service broker provision

Incident Management System Integration

Audit and Reporting functionality

Use cases (table rows): Defined perimeter; Limitless perimeter.


3.4. Elements of Standard

3.4.1. Configuration management

Fit for purpose device

Any device (whether personal and mobile, or fixed) must be fit for the purpose that it is both designed for and procured for. Elements for consideration (as appropriate for the environment(s) the device is likely to be used in) should include, as a minimum: robustness; water resistance; multiple alarm types (i.e. manually and/or automatically set); repeatable, consistent and accurate location of the device; guaranteed alert notification (traceable and deliverable through path diversity); in-device communications (speech and/or text); and full logging and reporting, both real-time and historical.

Solutions need to be able to provide information about response/reaction times; acknowledgement of alert; information about location and time of alert must be logged and retained for an appropriate period of time as required by relevant legislation.

Personal Safety Workflow

Solutions must demonstrate the ability to have automated and editable workflow capability to allow configurable options to best suit customer needs and requirements. Workflows should be capable of passing through both technology and human elements and being able to use alternative paths (both technological and human) should the need arise. In providing responses, suppliers should be able to demonstrate how their solution and capabilities will achieve the requirements of this element.

Example technology devices that solutions should be able to interact with include but are not limited to handheld and/or base station devices; location based fixed devices; ‘control room’ systems and solutions; applications and/or ‘apps’; servers (and/or associated infrastructure); 2 way radio; 3G or 4G mobile networks; annunciators; pagers.

Personal Safety Telecommunications

Solutions must support 2 or more telecommunications options and be able to seamlessly use (defined as no human intervention) the alternative path(s) as appropriate to the situation and/or circumstances to ensure communications to the required end-point is achieved within defined timeframes. Forms of telecommunications can include but are not necessarily limited to 2G, 3G, 4G (or future enhancements); NBN capable; fixed data/voice circuits; and WiFi. Other forms of telecommunications connectivity should be specifically identified by the provider in any market engagement.

Personal Safety fixed devices

Any device that is fixed in location, with the ability to provide alerting to a defined contact centre/alert point. It may optionally be able to provide additional situational information (audio or video) to help first responder(s) deal with the emergency situation(s). Device(s) must be restorable to pre-alert status without the need for a service technician and/or tool(s)/instrument(s). Solutions should be able to be fitted into existing fixed spaces as well as new spaces within fixed locations. Any special (facilities or other) requirements are to be identified in any market engagement.

Fixed solutions (eg wall or similar mounted) can optionally have audio and video capacity. All features of the device (eg audio or video capable) and any potential limitations should be described in any response to market engagement(s).

Personal Safety wide area devices

Devices that can be used anywhere (for the purpose of this standard, within Australia). Any exclusion areas/locations must be specifically stated; otherwise full coverage is taken to exist. Solutions need to provide, as a minimum, the following features: bi-directional messaging capabilities; support for multiple telecommunications modes (as defined in the Personal Safety Telecommunications element); push button activation; water/drop resistance; sterilisable; camera/bar-code scanner; real time location system (RTLS) and Global Positioning System (GPS) tracking. Solutions should also be able to pinpoint the location of the wearer/holder of the device in a multi-storey building. Any limitations on signal/response should be indicated in any market engagement, for example if the solution won’t work below ground or in areas with walls of a certain material and/or thickness.

Personal Safety campus (mobile) devices

Devices that can be used anywhere within the defined location/campus. Any exclusion areas (eg controlled spaces) must be specifically stated; otherwise full coverage of the campus is taken to exist. Solutions need to provide, as a minimum, the following features: bi-directional messaging capabilities; support for multiple telecommunications modes (as defined in the Personal Safety Telecommunications element); push button activation; person down/no movement detection; water/drop resistance; sterilisable; camera/bar-code scanner; real time location system (RTLS) and Global Positioning System (GPS) tracking; geo-fence entry/exit controls.

Personal Safety Bring Your Own Device (BYOD) / ‘app’ solutions

Solutions that address this requirement should be able to contact a defined contact centre either by digital means (e-mail/SMS/Instant Messaging/Video call or Social Media) or via a voice call to a pre-defined phone number as part of any service. Solutions should be able to provide real-time location services based on settings within the device originating the call. Solutions should be able to operate on popular operating systems (Android, iOS, Windows). Once activated, solutions should be able to provide real-time streaming of audio and/or video services to the contact centre.

Person Down/No Movement Detection

Devices that meet this element must be able to detect that the wearer/holder is either in a ‘person down’ state and/or not moving. Any suppliers that address this element must be able to describe and demonstrate the extent to which their solution achieves this, together with any known limitations, in any response to a market engagement.

Wearable audio/video capacity

Solutions that are not fixed ideally should be available in a wearable configuration and be capable of providing audio (as a minimum) and (ideally) video streaming. The solution should not impede the ability of the wearer to perform any normal functions. All features of the device (eg audio or video capable) and any potential limitations should be described in any response to market engagement(s).

Time delayed alert event trigger

In certain circumstances, it is necessary for auto-activation after a specified time. For example, a case worker visiting a client sets an event to auto-trigger if no termination instruction is sent after 30 minutes. Any response to a market engagement should specify under what circumstances the solution could meet this requirement, how it would activate/de-activate, and whether there are limitations of the system.
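The path-diversity requirement in the Personal Safety Telecommunications element and the time delayed alert event trigger described above can be modelled together. The following is an added example, not part of this standard or of any supplier's product; the class names, the two telecommunications paths (4G and WiFi), the send stubs and the simulated clock are assumptions. It delivers an alert over the first working path with no human intervention, records every delivery attempt so the notification is traceable for audit, and raises an alert automatically when no termination instruction arrives within 30 minutes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not from the standard or any product. Alert, Dispatcher and
# CheckInTimer are assumed names; times are seconds on a simulated clock so the
# example runs offline.

@dataclass
class Alert:
    device_id: str
    location: str      # floor-level detail is required in multi-storey buildings
    kind: str          # "manual", "person_down" or "timed"
    raised_at: float   # simulated clock, seconds

@dataclass
class Dispatcher:
    """Deliver an alert over the first working telecommunications path.

    paths is an ordered list of (name, send) pairs where send(alert) returns
    True on delivery. Every attempt, successful or not, goes to audit_log so the
    notification is traceable (3.4.1 'full logging and reporting').
    """
    paths: List[Tuple[str, Callable[[Alert], bool]]]
    audit_log: List[Dict] = field(default_factory=list)

    def dispatch(self, alert: Alert) -> Optional[str]:
        for name, send in self.paths:  # failover needs no human intervention
            delivered = send(alert)
            self.audit_log.append({"device": alert.device_id, "kind": alert.kind,
                                   "location": alert.location, "path": name,
                                   "delivered": delivered, "t": alert.raised_at})
            if delivered:
                return name
        return None  # all paths failed; the failed attempts are still on record

class CheckInTimer:
    """Time delayed alert event trigger: auto-raise an alert if nobody checks in."""

    def __init__(self, dispatcher: Dispatcher, device_id: str, location: str,
                 deadline_s: float = 30 * 60):  # 30 minutes, the standard's example
        self.dispatcher, self.device_id, self.location = dispatcher, device_id, location
        self.deadline_s = deadline_s
        self.started_at: Optional[float] = None
        self.terminated = False
        self.fired = False

    def start(self, now: float) -> None:
        """Worker arms the timer, e.g. on arrival at a client visit."""
        self.started_at, self.terminated, self.fired = now, False, False

    def terminate(self, now: float) -> bool:
        """Worker sends the termination instruction; False if not armed or already fired."""
        if self.fired or self.started_at is None:
            return False
        self.terminated = True
        return True

    def tick(self, now: float) -> Optional[str]:
        """Poll the timer; returns the delivering path when the alert auto-triggers."""
        if self.started_at is None or self.terminated or self.fired:
            return None
        if now - self.started_at < self.deadline_s:
            return None
        self.fired = True
        alert = Alert(self.device_id, self.location, "timed", now)
        return self.dispatcher.dispatch(alert)

def demo() -> Dict:
    """Constructed scenario: the 4G path is down, WiFi delivers, no check-in by 30 min."""
    primary_down = lambda alert: False   # stand-in for a failed 4G send
    secondary_up = lambda alert: True    # stand-in for a successful WiFi send
    dispatcher = Dispatcher([("4G", primary_down), ("WiFi", secondary_up)])
    timer = CheckInTimer(dispatcher, "dev-001", "Client home, ground floor")
    timer.start(now=0.0)
    early = timer.tick(now=29 * 60)      # deadline not yet reached
    path = timer.tick(now=30 * 60)       # fires and fails over to WiFi
    return {"early": early, "path": path, "log": dispatcher.audit_log}

if __name__ == "__main__":
    print(demo())
```

The audit log keeps the failed 4G attempt as well as the successful WiFi delivery, which is what makes the notification traceable rather than merely delivered.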

Loss of Connectivity Alert

When a device loses signal/communication to ‘its base’ the device/app should send an appropriate alert/message to the wearer/holder that communication is no longer available.

Commissioning Services

Services that assist the customer in transitioning to the ‘as a service’ environment. For the purposes of this standard, commissioning services will include design services – ensuring the service is designed to deliver the required outcomes; commissioning services – ensuring the service is commissioned in accordance with the design and customer requirements; transition services – ensuring services are transitioned to the service from their existing environment(s). Any response to a market engagement should provide a complete list of commissioning services that a customer can take advantage of.

Testing services

Provision of testing services that comply with international testing standards, which can be made up of testing systems that require human intervention or not, and professional services to perform and/or manage testing of ICT environments. In responding to any market engagement, suppliers should be able to provide a full list, with appropriate rate cards, of all services they are able to offer within this element of this standard.

3.4.2. Service management

All service management elements must be delivered to an ITIL based service management methodology unless specified otherwise either by an agency or the Service provider.

Self-service administration

The ability to automatically provision and de-provision for all agency resources within the solution, together with other appropriate administration and management tasks that can be delegated from the Service provider that do not impinge on the solution being provided to other customers.

Full-service administration and support

All provisioning, de-provisioning, together with all other administration and management tasks required to operate the solution(s) are provided as part of the service offering. The only exception will be Service Management of the provider which remains the sole responsibility of the initiating agency.

Cloud compliant hosting facility

All relevant cloud services for the solution may be provisioned from a compliant hosting facility. Compliant hosting is defined as having the following attributes and/or capabilities:

The location of the hosting facility must be identified either by name and/or location (city and country) in any response.

The hosting location cannot be changed without first informing the agency concerned.

The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.

The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.

The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:

o ISO 9001

o ISO 27002

o ISO 20000-1:2011

o ISO 14001

Other desirable certifications may include, but are not limited to:

o PCI-DSS v3.0 or later

o Australian Signals Directorate

o ASIO-T4

o Uptime Institute

o CSA

Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.

If the hosting facility changes to a location that is deemed unacceptable either to NSW Government or to the agency, and/or loses attributes and/or capabilities identified above, the agency may need to consider termination of services.


NSW Government Data Centre

All relevant services for the solution may be provisioned from one or both NSW Government Data Centres (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s) subject to agreement with the commissioning agency.

Burst data centres must be deemed ‘compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.

Service level management

Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by an SLA. Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process. Considerations should include, as a minimum, service performance/response times/uptime and response to disruptions.

Multi-service broker provision

Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.

Incident Management System Integration

Solutions should have the ability to integrate with an Agency’s Incident Management System(s) as appropriate. Responses to any market engagement should provide full details of integration options and the systems they are known to integrate with, together with any known limitations/exclusions.

Audit and Reporting functionality

Solutions should be able to provide appropriate audit and reporting functions. All responses to market engagements should provide full details of what their solution can provide in respect of audit and reporting functionality.


DOCUMENT CONTROL

Document history

Status: Final

Version: 1.0

Approved by: Executive Director, ICT Policy and Innovation

Approved on: 1 June 2016

Issued by: Department of Finance, Services & Innovation

Contact: ICT and Digital Government Division, Department of Finance, Services & Innovation

Email: [email protected]

Telephone: (02) 9372 7445

Review

This standard will be reviewed as required.


APPENDIX A – DEFINITIONS

Term Description

As a service (aaS) As a service – Refers to how the solution is provided. “As a service” usually refers to services that are delivered via the cloud rather than locally or on-site, although this is not always the case.

As a service solution components are usually funded from an operating expenditure budget unlike capital intensive ICT infrastructure and equipment.


APPENDIX B – ABBREVIATIONS

aaS As a service

AIIA Australian Information Industry Association

AISA Australian Information Security Association

ASIO Australian Secret Intelligence Organisation

CSA Canadian Standards Association

GovDC Government Data Centre

ICT Information & Communication Technology

ISO/TC International Organization for Standardization / Technical Committee

IT Information Technology

ITIL Information Technology Infrastructure Library

OS Operating System

PTS Procurement & Technical Standards

SLA Service Level Agreement


APPENDIX C – REFERENCES

Agencies should have regard to the following statutes, NSW Government policies and standards:

AS/NZS ISO 31000 Risk management – Principles and guidelines

ISO 27031-2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

ISO 22301:2012 Societal security – Business Continuity management system requirements

ISO 27001 Information technology – Security techniques – Information security management systems – Requirements

Copyright Act 1968

Digital+ 2016 – Final Update

Electronic Transactions Act 2000

Government Information (Public Access) Act 2009

Health Records and Information Privacy Act 2002

NSW Government Digital Information Security Policy

NSW Government Open Data Policy

NSW Government Cloud Policy

NSW Government Standard for Data Quality Reporting

NSW Government ICT Strategy

NSW Government ICT Technical Standards – Mobility Standard

NSW Government Information Classification and Labelling Guidelines

NSW Procurement: Small and Medium Enterprises Policy Framework

Privacy and Personal Information Protection Act 1998

Public Finance and Audit Act 1983

Public Interest Disclosures Act 1994

State Records Act 1998

TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector

International Protection Marking (IP Code) Standards


APPENDIX D – STANDARDS

Developing technical standards

Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with the industry and expert groups, including the Australian Information Industry Association (AIIA).

The following diagram outlines the process.

The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Department of Finance, Services & Innovation and includes senior representation from across NSW Government.

Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies’ requirements.

The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.

Management and implementation

There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value to, augment and be complementary to other guidance, and they are continually improved and updated.

This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.

NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue.

Diagram (Appendix D, Developing technical standards): the standards development process

Need for new or amended standard identified

Standard developed (industry/agencies consulted)

Standard approved and released by PTS Working Group

Market engagement for services which meet the standard

Services added to Catalogue

Business requirements change