NSW Government

End User Computing Standard

Version 1.0

October 2014

CONTENTS

1. CONTEXT

1.1 Background

1.2 Purpose

1.3 Scope and application

1.4 Policy context

1.5 The ICT Service Catalogue

2. KEY PRINCIPLES

3. STANDARD

3.1 Use case / scenarios

3.2 End User Computing Standard elements

3.2.1 Configuration management

3.2.2 Security management

3.2.3 Service management

4. DOCUMENT ISSUE

APPENDIX A – Definitions

APPENDIX B – References

APPENDIX C – Background on standards

Developing standards

Management and implementation


1. CONTEXT

1.1 Background

This End User Computing Standard is a technical standard developed through the NSW Government ICT Procurement and Technical Standards Working Group (PTS Working Group).

The standard defines minimum government requirements for end user computing services.

1.2 Purpose

The purpose of this standard is to provide technical guidance to NSW Government agencies when implementing end user computing internally and when they are procuring these services.

It details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, ensuring agencies can take full advantage of the benefits of end user computing services.

1.3 Scope and application

For the purposes of this standard, end user computing describes all devices traditionally associated with computing use within government and industry, including desktops, notebooks (including high-end tablet devices) and thin-client terminals. It can also include mobility devices, such as smartphones and ‘consumer’ type tablet devices.

The standard applies to end user computing solutions across NSW Government agencies. The standard does not exhaustively cover all agency-specific considerations, and agencies may need to assess any specific requirements they have in addition to those detailed here.

1.4 Policy context

The NSW Government ICT Strategy sets out the Government’s plan to build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime, and derive better value from the Government’s annual investment in ICT.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy and Guidelines, and they support the NSW ICT Service Catalogue.

The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Service Catalogue. This helps achieve consistency across service offerings, emphasising a move to as-a-service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.

This standard should be applied along with existing standards, policies and guidance that make up the NSW Information Management Framework, as set out in the Information Management: A Common Approach, and including the NSW Digital Information Security Policy.

NSW Government agencies must carefully consider their obligations to manage government data and information. Contract arrangements and business processes should address requirements for data security, privacy, access, storage, management, retention and disposal. ICT systems and services should support data exchange, portability and interoperability.


More information on the development of standards for the ICT Service Catalogue is at Appendix C – Background on standards.

1.5 The ICT Service Catalogue

The ICT Service Catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements.

The standards, together with supplier service offerings in the ICT Service Catalogue, help to reduce red tape and duplication of effort by allowing suppliers to submit service details once. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

2. KEY PRINCIPLES

The following principles guide the development and implementation of this standard.

Facilitating as a service: Specification of end user computing environments should support agencies in moving to as a service sourcing models.

Interoperability: Meeting this standard should help agencies achieve application and hardware interoperability, ensuring that agency computing environments enable appropriate information sharing across devices and applications.

Mobile and flexible: The end user environment should support modern office work practices including flexible arrangements, activity based working and hot desking.

Vendor / operating environment agnostic: Determining end user computing environments should be vendor and operating system agnostic. Devices such as laptops, notebooks and thin-clients should be able to connect to and access the network. The network must be fully compatible with widely used operating environments.

3. STANDARD

3.1 Use case / scenarios

This section provides a more detailed description of the recommended business and technical requirements for NSW Government. It provides a consistent approach for all NSW Government agencies regardless of their size.

Use Case / Scenarios – SILVER

Requirements for ‘Silver’ level service to support end user computing solutions are listed in the table below. The table is a matrix with one row per use case / scenario (Task Worker; Knowledge (Office) Worker; Knowledge (Mobile) Worker; Field (Mobile) Worker) against the standard elements grouped under the three headings that follow; the individual cell markings are not reproduced in this text version. The elements themselves are defined in section 3.2.

Configuration management: Tier 0 applications; Tier 1 applications; Tier 2 applications; Tier 3 applications; Tier 4 applications; Disaster recovery; Data replication; Auditing & investigation; Moves, additions & changes; Performance & latency; Remote management / Remote wipe; Application packaging; BYOD capability; Backup & restore; Device hygiene

Security management: Onshore / offshore management; Password protection / User authentication; Information classification and labelling; Role-based security

Service management: Self-service administration; Full service administration; Compliant data centre; Government Data Centre; Service level management; Multi-service broker provision


Use Case / Scenarios – GOLD

Requirements for ‘Gold’ level service to support end user computing solutions are listed in the table below. The table is a matrix with one row per use case / scenario (Task Worker; Knowledge (Office) Worker; Knowledge (Mobile) Worker; Field (Mobile) Worker) against the standard elements grouped under the three headings that follow; the individual cell markings are not reproduced in this text version. The elements themselves are defined in section 3.2.

Configuration management: Tier 0 applications; Tier 1 applications; Tier 2 applications; Tier 3 applications; Tier 4 applications; Disaster recovery; Data replication; Auditing & investigation; Moves, additions & changes; Performance & latency; Remote management / Remote wipe; Application packaging; BYOD capability; Backup & restore; Device hygiene

Security management: Onshore / offshore management; Password protection / User authentication; Information classification & labelling; Role-based security

Service management: Self-service administration; Full service administration; Any compliant data centre; NSW Government Data Centre; Service level management; Multi-service broker provision


3.2 End User Computing Standard elements

Refer to Appendix A – Definitions for guidance on service levels, worker types and defined terms in this document.

3.2.1 Configuration management

Tier 0 applications

Applications that are embedded in the operating system (either physical or virtual); examples are the built-in browser (other browsers may be included as Tier 1 applications) and operating system management tools.

Tier 1 applications

Applications that are used by all ‘worker’ types and universally across all areas of government and industry. Examples include browsers (including browser plug-ins for commonly used solutions), hygiene products and office productivity suites including word processing, spreadsheets and presentation tools. These are ordinarily supplier-provided applications.

Tier 2 applications

Commercial-Off-The-Shelf (COTS) applications that are used by many ‘worker’ types but not universally across all areas of government and industry. Examples include project management applications and high-end graphics tools. These are ordinarily supplier-provided applications.

Tier 3 applications

COTS applications that are used by specialist ‘worker’ types but not universally across all areas of government and industry. Examples include CAD (Computer Aided Design) applications, specialised engineering, human resources and financial tools. These are ordinarily agency-supplied applications.

Tier 4 applications

Specialised in-house developed applications and/or legacy applications used by certain business units for specific purposes, often developed to deliver specialised services. Used by many ‘worker’ types but not universally. These are ordinarily agency-supplied applications.

Disaster recovery

The solution must have appropriate levels of disaster recovery built in to minimise downtime or disruption to the service. This element could include anything from a duplicated solution that is available immediately if the primary site fails, to a fully documented process for restoring services within Service Level Agreement (SLA) defined times.

Data replication

Solution providers must not change any data replication parameters and/or locations without prior written consent from agencies concerned. All data storage locations must be known to agencies and changes agreed before they occur. If data is replicated to a location that has not been approved, the service may be terminated for breach.

Auditing and investigation

All elements of the end user computing solution(s) must allow the agency(s), the Auditor General and any other statutory body with the authority to do so to audit and/or conduct investigations of the agency environment within the solution.

Moves, additions and changes

For ‘Silver’ level solution offerings, moves, additions and changes remain the responsibility of the commissioning agency. For ‘Gold’ level solution offerings this is the sole responsibility of the solution provider, unless otherwise agreed and included in the Service Level Agreement (SLA) for the service.

Performance and latency

The solution will provide appropriate built-in redundancy to achieve agency-required levels of service. Typically this may be not less than 99.99% availability during operating hours, and for most agencies this would be a minimum of 7:00am-7:00pm Monday to Friday. Some agencies may have a requirement for 24 hours, 7 days per week (e.g. Police and Emergency Services, Health, Transport). Bandwidth and latency expectations are to be defined and agreed up front.

Remote management / Wipe

All solutions must support the ability for remote management (and where appropriate remote wipe) capabilities of end-point devices.

Application packaging

Where appropriate, solutions need to provide the ability for non-standard applications (generally those belonging to ‘Tier 3’ and ‘Tier 4’, or similar) to be packaged for rapid remote deployment without human intervention. The method will be defined up front by the solution provider.

BYOD capability

Any end user computing solution needs to allow for the potential of agencies allowing staff (and/or other engaged human resources) to provide and use non-agency provided (but agency approved) devices that are capable of meeting minimum specifications as prevailing from time-to-time.

Solution providers are expected to be able to include a full list (that is updated as appropriate) of all device types, operating systems and/or other requirements that meet minimum standards for the purposes of accessing the solution provided.

Device hygiene

All devices, including bring your own device (BYOD), must have appropriate and up-to-date ‘hygiene’ solutions installed. Device hygiene includes, but is not limited to, anti-virus, anti-spam, anti-spyware. For agency and/or service provider issued devices, this will be provided by the agency service provider, for BYOD this must be provided by the device owner and will meet agreed minimum agency/service provider requirements.

Backup and restore

Services must be capable of backing up and restoring data and configuration settings. The owners of BYO devices are responsible for backing up and restoring the configuration settings of their own devices.

Agencies need to establish rules and/or guidelines for locations they consider acceptable for backing up agency data and agency-related configuration files. Agency data must only be backed up to approved locations.

3.2.2 Security management

Devices must comply with minimum security standards as determined by agency security policies. They must also be compliant with agency Information Security Management Systems (ISMSs) and assist agencies in the implementation and maintenance of minimum controls under the NSW Government Digital Information Security Policy.

Onshore/offshore management

All solution providers must be able to articulate where their services will be provided from, including any remote support services. For example, if the provider has a ‘follow the sun’ support model, the locations of each of their support sites around the globe need to be identified. Any changes to these need to be communicated to the customer agency promptly and if this causes issues, the agency has the right to cancel the service with appropriate notification.


Password protection / User authentication

All implementations must support password authentication (numeric, alphanumeric or similar) with at least the following settings:

Setting: Value

Minimum password length: 7 characters

Maximum password attempts: 4 attempts

Forbidden passwords: Popular (e.g. password, department); Repetitive (e.g. 0000000, 2222222); Sequential (e.g. 1234567, 4567890)

Password history: Not allowed to use previous x passwords

Security time-out: x minutes
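The settings table above is easy to state and easy to get subtly wrong in practice, in particular the "Sequential" rule, which the standard's own example 4567890 shows must treat 9 followed by 0 as consecutive. The following checker is an added example and is not part of the NSW standard or any agency tool: it implements each row of the table (minimum length 7, lockout after 4 consecutive failed attempts, the three forbidden-password classes, and a password history kept as salted PBKDF2 hashes rather than cleartext). The table leaves "x" undefined, so the HISTORY_DEPTH of 5 and the short POPULAR blocklist are assumed values for illustration only; the time-out row is a device setting and is not modelled.

```python
"""Password policy check for the End User Computing settings table.

Added example, not part of the NSW standard. HISTORY_DEPTH and the
POPULAR blocklist are assumed values; the table leaves "x" undefined.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 7          # Minimum password length: 7 characters
MAX_ATTEMPTS = 4        # Maximum password attempts: 4 attempts
HISTORY_DEPTH = 5       # assumed value for "previous x passwords"
PBKDF2_ROUNDS = 50_000
# Constructed blocklist for the "Popular" class; a real deployment would
# load a breach-derived list with many thousands of entries.
POPULAR = {"password", "department", "welcome1", "qwerty123"}


def is_repetitive(pw: str) -> bool:
    """Every character identical, e.g. 0000000 or 2222222."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_sequential(pw: str) -> bool:
    """Ascending or descending run of digits or ASCII letters.

    The ring wraps (9 -> 0, z -> a) so that 4567890, one of the
    standard's own examples, is rejected as well as 1234567.
    """
    if len(pw) < 2:
        return False
    if pw.isdigit() and pw.isascii():
        ring = string.digits
    elif pw.isalpha() and pw.isascii():
        ring, pw = string.ascii_lowercase, pw.lower()
    else:
        return False        # mixed character classes are never a pure run
    n = len(ring)
    idx = [ring.index(c) for c in pw]
    steps = {(b - a) % n for a, b in zip(idx, idx[1:])}
    return steps == {1} or steps == {n - 1}


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, hash), oldest first
    failed_attempts: int = 0
    locked: bool = False

    def in_history(self, pw: str) -> bool:
        """True if pw matches any of the last HISTORY_DEPTH passwords."""
        recent = self.history[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_hash(pw, salt), h) for salt, h in recent)


def check_policy(pw: str, account: Account) -> list:
    """Names of the table rows the candidate violates; empty means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if pw.lower() in POPULAR:
        problems.append("popular")
    if is_repetitive(pw):
        problems.append("repetitive")
    if is_sequential(pw):
        problems.append("sequential")
    if account.in_history(pw):
        problems.append("history")
    return problems


def set_password(pw: str, account: Account) -> bool:
    """Accept a new password only if every rule passes; keep x entries of history."""
    if check_policy(pw, account):
        return False
    salt = os.urandom(16)
    account.history.append((salt, _hash(pw, salt)))
    del account.history[:-HISTORY_DEPTH]      # retain only the last x hashes
    account.failed_attempts = 0
    return True


def attempt_login(pw: str, account: Account) -> bool:
    """Verify pw against the current password, locking after MAX_ATTEMPTS failures."""
    if account.locked or not account.history:
        return False
    salt, h = account.history[-1]
    if hmac.compare_digest(_hash(pw, salt), h):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True                  # further attempts are refused
    return False
```

Two design points worth noting: the history is compared through salted, iterated hashes with a constant-time comparison, so enforcing the "previous x passwords" rule never requires keeping old passwords in cleartext; and the lockout is applied on the fourth consecutive failure, which is one reading of "4 attempts" and should be agreed with the agency alongside the unlock procedure.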

Information classification and labelling

If sensitive information is being stored or transferred using the devices then agencies must have regard to compliance with the NSW Government Classification and Labelling Guidelines. Devices need to be enabled to apply security classifications and dissemination limiting markers (DLMs) to sensitive content.

End User Computing environments also need to implement control and handling requirements relevant to the level of sensitivity of the device content, as set out in the NSW Government Information Classification and Labelling Guidelines.

Role-based security

Solutions should offer the ability to have ‘role based’ security elements either for all users or defined sub-sets. The ability to allow this should be clearly identified by any potential solution provider.

3.2.3 Service management

All service management elements are assumed to be delivered to an ITIL (Information Technology Infrastructure Library) based service management methodology, unless otherwise specified either by an agency or the service provider.

Self-service administration

The agency has the ability to automatically provision and de-provision all of its resources within the system, together with other appropriate administration and management tasks delegated from the service provider, provided these do not impinge on the solution being provided to other customers.

Full-service administration

All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.

Any compliant data centre

All relevant services for the solution are to be provisioned from a compliant data centre. A compliant data centre is defined as having the following attributes and/or capabilities:

The location of the data centre must be identified either by name and/or location (city and country) in any response

The data centre location cannot be changed without first informing the agency(s) concerned

The facility must comply with minimum Tier III

The facility must be certified against the following international standards:

o ISO 9001

o ISO 27001

o ISO 20000

o ISO 14001

and other relevant certification including but not limited to:

o PCI-DSS

o ASD

o ASIO-T4

o Uptime Institute

o CSA.

If the data centre facility changes to a location that is deemed unacceptable either to NSW Government or to the agency, and/or loses any of the attributes and/or capabilities identified above, the agency may need to examine termination of services.

NSW Government Data Centre

All relevant services for the solution are to be provisioned from one or both of the NSW Government Data Centres (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s) subject to agreement with the commissioning agency.

Burst data centres must be deemed ‘Compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.

Service level management

Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by a SLA. Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process.

Multi-service broker provision

Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.

4. DOCUMENT ISSUE

This document is issued by the Office of Finance and Services.

For more information call (02) 9372 7445 or email [email protected]


This standard will be reviewed in twelve months or earlier in response to post-implementation feedback from agencies.


APPENDIX A – Definitions

Service support levels

Bronze Service – Not defined at this time.

Silver Service – All End User Computing administration, management and/or related support services that can be delegated from the solution provider to the agency’s internal ICT teams are delegated and these services are not provided by the solution provider.

Gold Service – All End User Computing administration, management and/or related support services are optionally provided by the solution provider in addition to appropriate services being managed by the agency (as allowed by the solution’s construct).

Platinum Service – Not defined at this time.

Use Case / Scenario descriptions

Use Case / Scenario Description

Task Worker Fixed location based worker. Performs a limited set of tasks. Refer to Worker Type – Details in NSW Government Worker Type description.

Knowledge (Office) Worker

Primarily fixed location based worker (however some mobility may be required). Performs a variety of high intensity tasks using information from various sources. Refer to Worker Type – Details in NSW Government Worker Type description.

Knowledge (Mobile) Worker

Various locations, often at short notice and always connected. Performs a variety of high-intensity tasks, using information from various sources. Refer to Worker Type – Details in NSW Government Worker Type description.

Field (Mobile) Worker

Mostly in the field, rarely in the office and always connected. Performs a variety of tasks. Refer to Worker Type – Details in NSW Government Worker Type description.

Other definitions

Desktop – A computer that is designed to stay in one place, and typically not powered by an internal battery.

End User Computing – Describes all uses of computers, and in the context of this standard, covers all devices traditionally associated with computing use, that is Desktop, Notebook (including high-end Tablet devices), Thin-Client terminals and devices. It can also include Smartphones and Tablet devices.

Notebook – A lightweight personal computer, and in the context of this standard, this also includes variations, such as laptop computers.

Smartphone – A mobile phone that performs many of the functions of a computer, typically having a touchscreen interface, internet access, and an operating system capable of running downloaded applications.

Thin-Client – A client machine that relies on the server to perform data processing. Either a dedicated thin client terminal or a regular PC with thin client software is used to send keyboard and mouse input to the server and receive screen output in return.

Tablet – A small computer which is ordinarily used through touching the screen rather than via a keyboard.


APPENDIX B – References

Agencies should have regard to the following statutes, NSW Government policies and standards:

AS/NZS ISO 31000 Risk management – Principles and guidelines

Electronic Transactions Act 2000

Government Information (Information Commissioner) Act 2009

Government Information (Public Access) Act 2009

Health Records and Information Privacy Act 2002

M2012-15 Digital Information Security Policy

NSW Government Open Data Policy

NSW Government Cloud Services Policy and Guidelines

NSW Government ICT Strategy

NSW Government ICT Technical Standards – Mobility Standard

TPP 09-05 – Internal Audit and Risk Management Policy for the NSW Public Sector

NSW Government Digital Information Security Policy

NSW Government Information Classification and Labelling Guidelines

Privacy and Personal Information Protection Act 1998

Public Finance and Audit Act 1983

Public Interest Disclosures Act 1994

NSW Procurement: Small and Medium Enterprises Policy Framework

State Records Act 1998

Copyright Act 1968

Copyright Amendment Act 2006


APPENDIX C – Background on standards

Developing standards

Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with industry and expert groups, including the Australian Information Industry Association (AIIA).

The following diagram outlines the process.

The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Office of Finance and Services and includes senior representation from across NSW Government.

Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Service Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies’ requirements.

The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.

Management and implementation

There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value, augment and be complementary to other guidance, and they are continually improved and updated.

This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.

NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Service Catalogue.

Diagram (standards development process): Need for new or amended standard identified → Standard developed (industry/agencies consulted) → Standard approved and released by PTS Working Group → Market engagement for services which meet the standard → Services added to Catalogue → Business requirements change.