Professional Documents
Culture Documents
Table of Contents
1 Overview................................................................................................................................2
2 Definitions and acronyms.....................................................................................................3
2.1 Definitions.............................................................................................................3
2.2 Acronyms..............................................................................................................8
3 Service Requirements............................................................................................................9
3.1 Included Services..................................................................................................9
3.2 Anticipated Applications Maintenance, Support and Enhancement Growth
Volumes during the Term.............................................................................14
3.3 Excluded Services and Applications...................................................................14
4 Support Services..................................................................................................................15
4.1 Planning and Analysis.........................................................................................15
4.2 Project Management principles...........................................................................15
4.3 Construction/Development.................................................................................17
4.4 Integration and Testing........................................................................................17
4.5 Implementation and Migration............................................................................18
4.6 Emergency Services............................................................................................18
4.7 Application Warranty..........................................................................................18
4.8 Continuous Process Improvement.......................................................................19
4.9 Level 2 Service Desk Problem Management Rectification and Resolution.......19
4.10 Level 3 Service Desk........................................................................................21
4.11 Root Cause Analysis..........................................................................................21
4.12 Training.............................................................................................................22
4.13 Monitoring and Reporting.................................................................................22
4.14 Local Implementation/Deployment..................................................................23
4.15 Managed Asset Management............................................................................23
4.16 Configuration Management/Change Control....................................................23
4.17 Documentation..................................................................................................24
4.18 Security Management and Administration........................................................25
4.19 Business Continuity (BC).................................................................................27
Pass-through Services and Management..................................................................28
Project Initiation.......................................................................................................28
Event Response Services..........................................................................................29
Risk Management.....................................................................................................29
5 Roles and Responsibilities..................................................................................................31
Application Maintenance, Support and Enhancement Roles and Responsibilities..31
Information Security Roles and Responsibilities.....................................................41
6 Service Level Requirements.............................................................................................373
6.1 SLR and Abatement Commencement...............................................................373
6.2 Service Level Requirement Classifications......................................................373
6.3 SLR Details.......................................................................................................373
Page 1
Attachment 3 - Services - Applications
1 Overview
This attachment defines and describes the Customer's requirements for Services in relation to the
System. The Contractor must provide all of the Services relating to applications maintenance,
support and enhancement (which include those Services described as support Services) specified
below.
Where any part of a particular Service is not included or no detail is provided on such part of the
Service, the Contractor is wholly responsible for the provision of that part of the Service.
Page 2
Attachment 3 - Services - Applications
Page 3
Attachment 3 - Services - Applications
Page 4
Attachment 3 - Services - Applications
Page 5
Attachment 3 - Services - Applications
Page 6
Attachment 3 - Services - Applications
TICKET A unique logical electronic record that the Contractor will create, update,
maintain and archive for each Call. A Ticket is used to record all
Customer user/Contractor interaction pertaining to a Problem and all
Contractor-related actions, and corresponding date/time, taken to Rectify
and Resolve a Problem, from the time it is first reported to the Service
Desk until Problem Resolution and closure by the Service Desk. Also, it
is used for application change-control traceability.
VORA Virtual Office/Remote Access (VORA) pertaining to the Customer's
remote users whose offices are either permanently or temporarily located
outside of Customer premises and who connect to the Customer's
network via remote access facilities (that is, VPN, Dial-up) using a laptop
or desktop PC, and have different service requirements from the
Customer's IT-managed/staffed business facilities.
WORKAROUND A process established by or approved by the Customer that the Contractor
or the Customer can implement as an alternate method of System or
process functionality in the event of a Problem. The alternate method
allows the System or affected process(es) to deliver the Customer an
acceptable level of business operations continuity until Resolution can be
implemented.
Page 7
Attachment 3 - Services - Applications
2.2 Acronyms
Acronym Definition
BC Business Continuity
BIOS Basic Input/Output System
BITS Business Information & Technology Services department
BOE Base Operation Environment (Operating System)
COTS Commercial Off-The-Shelf
CPU Computer Processing Unit
DR Disaster Recovery
IDS Intrusion Detection System
IMAC Installations, Moves, Adds and Changes
IT Information Technology
LAN Local-Area Network
LEAP Law Enforcement Assistance Program
MAC Moves, Adds and Changes
MASL Minimum Acceptable Service Level
PDA Personal Digital Assistants
SLR Service Level Requirement
SOE Standard Operation Environment (Approved software)
VPN Virtual Private Network
Page 8
Attachment 3 - Services - Applications
3 Service Requirements
This section describes the Services. The support Services in the following section also
form part of the Services.
g) Provide and make appropriate use of the systems or tools (hardware or software)
that are required to provide the Services. This includes:
i. The Customer's approved systems for work authorisation, Problem
Rectification and Resolution and project management processes.
ii. The Customer's approved systems for software quality assurance,
configuration management, and document management.
iii. The Customer's approved tools for software, database and interface,
design, development and testing.
iv. The Customer's approved templates, processes, personal tools for
communication (email, phone, pager, etc.) and general functions (PC for
word processing, spreadsheets, etc.).
Page 9
Attachment 3 - Services - Applications
h) Provide the Customer with Personnel resources with the required skills and
competencies to provide the Services at the specified Service Levels. This
includes any technical and non-technical training or induction for initially
assigned Personnel, replacement Personnel, or added Personnel.
i) Provide or facilitate agreed technical and non-technical training, or induction
transition activities for the Contractor's Personnel from the Customer's personnel,
or provide required knowledge transfer from the Customer's personnel to the
Contractor's Personnel or from the Contractor's Personnel to the Customer's
personnel.
j) Coordinate with the Customer and third parties who provide IT services to the
Customer (as required by the Customer) prior to any desired or required changes
to the application(s) and application platform(s) being supported by the
Contractor that may affect the operating performance and/or service level
performance of any IT service environments that may be retained by the
Customer or provided by third parties.
k) Specify, implement, and consistently employ across all projects an industry-
recognised standard effort estimation model and methodology for the purposes of
estimating application maintenance, support and enhancement efforts, which
delivers consistently reliable and accurate effort estimation forecasts and is
appropriate to the application(s) being maintained/supported/developed. As a
minimum, the Contractor must use function points as an estimation tool.
l) Provide the Customer with an agreed level of personnel resources with the
required skills and competencies to provide accurate and timely input to BC
activities including contingency planning meetings for such events and
completing any action items resulting from these activities required to be
provided or facilitated by the Contractor in order to meet the Service Levels.
m) Manage and administer backups, recovery and media management related to the
running of applications. Specifically, the Customer requires access to and
recovery of all files (including email) for a minimum period of 7 years from the
creation of such files. The backup and recovery activities include but are not
limited to working with third parties who provide IT services to the Customer to
ensure that the backups and recoveries are successful. In addition, the Contractor
must maintain a current copy of all supported applications. Such copies are to be
made available to the Customer immediately upon request.
Page 10
Attachment 3 - Services - Applications
Page 11
Attachment 3 - Services - Applications
Page 12
Attachment 3 - Services - Applications
Without limiting the scope of the Contractor's obligations, throughout the Term, the
Contractor must:
Page 13
Attachment 3 - Services - Applications
c) In the event that any components are non-generic or are otherwise proprietary,
restricted and/or unique to the Customer's development environment, comply
with any method for the acquisition and disposition of such components that
the Customer determines to be equitable.
The Contractor is not required to maintain or support the infrastructure of the Test,
Development and Training Environment where the Provider of IT services in relation to
the Desktop Tower, or Mainframe Tower (whichever is applicable) is responsible for
maintaining and supporting such infrastructure. In the event that any component of the
Test, Development and Training Environment (including hardware or infrastructure) is
not so supported by another Provider, then the Contractor is required to maintain and
support this component.
The Contractor is required to maintain or support all infrastructure for the Test and
Development environment located in its facilities.
Page 14
Attachment 3 - Services - Applications
4 Support Services
The Contractor must provide the Customer with all support Services (which form part
of the Services) and which are all life cycle activities associated with the provision of
the Services by the Contractor.
All support Services are to be provided at no additional cost to the Customer. The
support Services include the following activities:
Page 15
Attachment 3 - Services - Applications
Page 16
Attachment 3 - Services - Applications
4.2.1.1 Activities
Reviewing the progress and management of each discrete task with the Customer's
senior management (Program and Customer) or nominated representative on a regular
basis as specified by the Customer or otherwise weekly. This includes reviewing and
reporting to the Customer on the following criteria:
a) Completions and progress towards completion of milestones, compared to the
project plan.
b) Funds expended, compared to the project plan.
c) Latest forecast of schedule and expenditures (to end of program).
d) Changes to approved or previously assigned resources.
e) Changes to project plan estimates or assumptions.
f) Conflicts and issues that are not resolvable at lower levels.
g) Software project risks.
h) Action items, all of which must be assigned, reviewed, and tracked to closure.
The Contractor must prepare summary reports from each meeting and distribute such
reports to the affected groups and individuals.
4.3 Construction/Development
All activities associated with the construction and/or development of application
modules. The Contractor must use the information from previous phases as critical
input when constructing and/or developing every application module. The Contractor
can construct an application module by in-house custom development, customisating
commercial off-the-shelf (COTS) products or implementing COTS packages.
Page 17
Attachment 3 - Services - Applications
Page 18
Attachment 3 - Services - Applications
a) Databases.
b) Printed reports.
c) Technical manuals.
d) Interface files.
e) Web pages.
Page 19
Attachment 3 - Services - Applications
and the Contractor must report on, all aspects of its policies and the specific
implementation of those policies with respect to:
a) Problem control.
b) Error control.
c) Proactive prevention of Problems.
d) Identifying Problem trends.
e) Contingency planning and Disaster Recovery.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
a) Package and release Updates for all Problems in accordance with approved
change management and configuration management procedures. These include
New Releases necessary for the Rectification and Resolution of Problems,
including Software application configuration and operation errors that have been
escalated by the Customer's Personnel or users (whether through the Service Desk
or otherwise).
b) Provide a single point of contact for receiving, logging, and tracking all Problems
escalated to the Contractor's Level 2 Service Desk.
c) Troubleshoot all reported Problems to determine the probable cause of the
reported Problem.
d) Recommend and implement Rectification of each Problem until a permanent
Resolution can be implemented.
e) Track all Problems to Resolution to ensure that all necessary corrective action is
provided through to Resolution.
f) Escalate unknown errors and identified Problem trends in accordance with the
policies and procedures developed for Problem management.
g) Provide progress reports to the Customer throughout the Problem Rectification
and Resolution process, via the Service Desk.
h) Ensure that key application support personnel are able to be reached during off-
shift hours via pagers or cell phones.
Page 20
Attachment 3 - Services - Applications
g) Number of repeat Calls about the same application. A repeat call is one that is
made after an attempt has been made to Rectify and/or Resolve a Problem.
Page 21
Attachment 3 - Services - Applications
e) Substantiate to the Customer that all reasonable actions have been taken to prevent
recurrence of such Problem or failure.
Note: These Services are provided in consultation with the Customer and other
Providers.
The Contractor must provide the Customer with access to the raw data used to conduct
every Root Cause Analysis. The Customer may, at its own discretion, conduct
independent reviews and analysis of any Problems, failures or the Contractor's Root
Cause Analysis recommendations. The Customer's review outcomes must be actioned
by the Contractor if the Customer requires this to be done.
4.12 Training
All activities associated with the improvement of skills for the Contractor's Personnel
and the Customer’s IT technical staff (and business managers, at the Customer's sole
option) through education and instruction. Additionally, training includes the initial end-
user training on new and current applications and Services. Training services are
provided to the Customer's end users for improving “how-to-use” skills related to
systems and applications. Delivery methods that are offered for training include
classroom style and computer-based instruction.
In accordance with the Contract, the Contractor must utilise Personnel with appropriate
skills and knowledge to satisfy all of its Contractual requirements.
Page 22
Attachment 3 - Services - Applications
Page 23
Attachment 3 - Services - Applications
Without limiting the scope of the support Services or the Contractor's obligations, in
making changes to the Services, the Contractor must:
a) Eliminate or minimise disruptions to the Customer's users caused by the
implementation of any change.
b) Without limiting paragraph a), implement changes according to a mutually-agreed
schedule between the parties.
c) Eliminate or minimise the number of change “back-outs” caused by ineffective
change planning or implementation.
d) Eliminate or minimise the number of Problems caused by change.
e) Eliminate or minimise the Outages caused by change.
f) Manage changes to individual components and coordinate changes across all
components that comprise an end-to-end solution to minimise disruption to the
Services and the Customer’s business.
g) Document all changes to the Services.
h) In conjunction with the Customer (and Customer specified third parties), ensure
that all change management processes facilitate communication, and that tested
back-out plans exist to provide a high degree of success. The Contractor
acknowledges that the stability of the production environment is critical to the
Customer's business. Accordingly, the Contractor must employ all reasonable
safeguards to ensure continuity of the Customer's business operations when
changes to the production environment or the Services are initiated or
implemented.
i) Plan and communicate scheduled changes in advance in accordance with the
Customer’s business requirements. The Contractor must use the change
management process to plan, coordinate, monitor and communicate the changes
that affect the Services.
4.17 Documentation
All activities associated with the creation and maintenance of the Documentation
relating to the System and the Services and the provision of such Documentation to the
Customer. These activities include maintaining and managing copies of all such
Documentation in a technical library.
Without limiting the scope of the support Services or the Contractor's obligations, the
Contractor must:
4.17.1 General
Develop, revise, maintain, store, retrieve, reproduce and distribute information in hard
copy and electronic form. The types of documents include:
a) End-user documentation.
b) Standard operating procedures (including but not limited to the Procedures
Manual).
Page 24
Attachment 3 - Services - Applications
Page 25
Attachment 3 - Services - Applications
Without limiting the scope of these Services or the Contractor's obligations, the
Contractor must:
a) Do everything necessary for maintaining the security of the System.
b) Liaise with and provide relevant information to other persons assigned
responsibility for the security of any part of the Customer's IT environment.
4.18.4 Security Policies & Procedures
As a minimum, the Contractor must fully comply with all aspects of the Customer's
Enterprise Information Security Policy, the following security policies, standards and
guidelines and all policies, procedures and standards in Attachment 9 in all their
interactions with the Customer and in the performance and provision of the Services
(including any security service). Where, in the Customer's Enterprise Information
Security Policy, compliance to the Commonwealth information security policies and
standards is currently discretionary, the Contractor must treat those references as
requiring mandatory compliance.
The following is an adapted extract from the Customer's Enterprise Information
Security Policy with which the Contractor must comply.
“The development and management of all Victoria Police information Systems must
be fully compliant with the following policies, standards and guidelines (or their
successors or as amended):
(i) IT&T-14: Information Security Policy (Victorian Government, May 1999);
(ii) IT Network and Application Security Best Practice Statements
(Multimedia Victoria, February 1999);
(iii) Information Technology —Code of Practice for Information Security
Management [AS/NZS ISO/IEC 17799:2001] (Standards
Australia/Standards New Zealand);
(iv) Information Security Management Part 2: Specification for Information
Security Management Systems [AS/NZS 7799.2:2003] (Standards
Australia/Standards New Zealand);
(v) Information Security Risk Management Guidelines [HB 231:2004]
(Standards Australia); and
(vi) Guidelines for the Management of IT Security [AS13335 (Set): 2003]
(Standards Australia).
However, as the documents listed above are relatively non-prescriptive, the
information security control measures implemented in relation to the Customer's
information systems must also be fully compliant with the policies, standards and/or
guidelines defined in the following (or their successors or as amended):
(i) Commonwealth Protective Security Manual (2000 edition, Attorney
General’s Department, Commonwealth of Australia);
(ii) ACSI 33: The Australian Government Information Technology Security
Manual: (2004 edition, Defence Signals Directorate [DSD], Department of
Defence, Commonwealth of Australia);
Page 26
Attachment 3 - Services - Applications
Page 27
Attachment 3 - Services - Applications
The Customer may at its sole discretion review the outcomes of BC testing and reviews.
The Contractor must implement the Customer's recommendations made as an outcome
of such reviews.
4.19.1 Contractor Reporting
The Contractor must report to the Customer any incidents related to the mandatory
requirements such as raising of alarms, security breaches etc. Additional details of this
reporting will be specified by the Customer.
Page 28
Attachment 3 - Services - Applications
Page 29
Attachment 3 - Services - Applications
management.
c) Ensure risk management becomes part of day to day management.
d) Provide Personnel with the policies, procedures and training necessary to manage
risks.
e) Develop appropriate strategies to ensure that identified risks and options for
treatment are communicated to stakeholders at all levels.
f) Monitor its strategic risk profile and achieve continuous improvement in risk
management.
g) Prepare reports on the risk management strategy and its implementation, as and
when required by the Customer, in a form that the Customer can submit to VMIA
to satisfy the Customer's obligations under the Financial Management Act 1994
and Victorian Managed Insurance Authority Act 1996.
Page 30
Attachment 3 - Services - Applications
Page 31
Attachment 3 - Services - Applications
Page 32
Attachment 3 - Services - Applications
Page 33
Attachment 3 - Services - Applications
Page 34
Attachment 3 - Services - Applications
Page 35
Attachment 3 - Services - Applications
Page 36
Attachment 3 - Services - Applications
Page 37
Attachment 3 - Services - Applications
Page 38
Attachment 3 - Services - Applications
Page 39
Attachment 3 - Services - Applications
Page 40
Attachment 3 - Services - Applications
Page 41
Attachment 3 - Services - Applications
Page 372
Attachment 3 - Services - Applications
Service Levels shall be calculated for each calendar month from the Service
Commencement Date. For the purposes of this Attachment, each of the periods
running from the Service Commencement Date to the end of the first calendar month
and the part of a month ending on the expiry of the Contract, shall be counted as one
calendar month.
Where there is no classification specified for a Service, the Contractor must assume a
‘Bronze’ Service Level.
(a) “Gold” means the relevant Service plays a key role in the customer experience
and has zero tolerance for downtime.
(b) “Silver” means the relevant Service is critical to the business. Outages of even a
short duration will typically cause adverse impact to the business, including loss
of services to large numbers of users, or potential breach of regulatory
obligations.
(c) “Bronze” means the relevant Service is important to the business. Outages
typically impact business process or small numbers of Users and may lead to
some adverse impact to the business.
Page 373