IT Governance Framework - University Of Queensland

Transcription

IT Governance Framework
IT Governance Structure for UQ

NAME: IT Governance Model for UQ
DATE: 29/05/2017
AUTHOR: Paul Sheeran and Sasenka Abeysooriya
OWNER: Associate Director, IT Governance
CLIENT: Strategic Information Technology Council
VERSION: V0.1
RELEASE: Draft

The University of Queensland, Information Technology Services
CRICOS Code 00025B

Office of the CIO

Contents
1. IT Governance ... 5
2. Objective ... 5
3. Principles ... 5
4. Governance and Management Areas ... 6
5. Governance of IT ... 7
6. Management Functions of IT ... 10
Appendix A - Glossary of Terms ... 13
Appendix B – Governance Committee Terms of Reference ... 15
Appendix C – Management Committees Terms of Reference ... 17

Document Summary

Purpose
This document defines Information Technology Governance (IT Governance) at The University of Queensland (UQ). It describes the structures, processes and mandates required to support IT governance. The frameworks and procedures that support this document can be found in the IT Governance Document Library.

Intended Audience
- University Senior Management Group
- Strategic Information Technology Council (previously Strategic Information Management Committee)
- Information Technology Governance Committee
- University-wide IT Community

Reviewers
- ITS Senior Management Group
- UQ Librarian
- Director, Research Computing Centre

Approvers
- Mr. Rob Moffatt, AM, Chief Information Officer

Revision History
Versions and dates recorded: V 2/2018, V1.04, V1.05; 26/04/2018, 3/04/2019.
Author and changes, in order of revision:
- Sasenka Abeysooriya: First Draft
- Paul Sheeran & Sasenka Abeysooriya: Second Draft
- Paul Sheeran & Sasenka Abeysooriya: Final incorporating changes from ITS SMG, UQ Librarian and Director RCC
- Paul Sheeran & Sasenka Abeysooriya: Final version endorsed by SITC (formerly SIMC)
- Mark Richardson: Minor wording changes and alterations
- Mark Richardson: Minor formatting changes
- Mark Richardson: Added Terms of Reference for ITSM Committee
- Mark Richardson: Updated SITC Terms of Reference
- Paul Sheeran & Mark Richardson: Minor edits to reflect changes since last version


1. IT Governance
Information Technology is a critical enabler of the University's current and future success. Established in November 2016, the role of the Chief Information Officer is to ensure that the University's IT environment is fit for purpose and designed for agility and efficiency.

IT governance will support the evolution of University-wide IT planning, IT assurance and IT operations towards a model that best aligns the IT function to the University Strategy, in an environment where planning, investment and priority setting are transparent and coordinated. To achieve this, clear authorities, mandates and visibility of IT delivery University-wide will be required.

IT governance will continue to adapt to the changing strategic drivers that influence UQ objectives, responding to changes in the business and regulatory environment and to the development of new technologies.

2. Objective
IT governance at UQ is designed to support the University in achieving its objectives. It must support agility and enable staff to explore opportunities that create value and improve UQ's competitive advantage.
IT governance at UQ will be lightweight and adaptable, evolving with the Institution to deliver the following objectives:
- Provide IT architectural guidelines and principles that underpin the development of IT capabilities at UQ.
- Align Information Technology with UQ's strategy and support the advancement of organisational priorities.
- Enhance and communicate the performance of Information Technology.
- Maximise the value of Information Technology resources to provide stakeholder value.
- Ensure compliance, and ensure Information Technology risk is identified and mitigated appropriately.

To ensure the IT environment is fit for purpose, and designed for agility and efficiency, the IT Governance Framework will be managed by an Information Technology Governance Committee (ITGC) chaired by the Chief Information Officer (CIO).

3. Principles
IT governance at UQ is based on a number of key principles.

Balance of Needs
IT governance aims to provide mechanisms to balance short-term local needs with the long-term needs of the whole institution.

Federated and Integrated
UQ IT services are delivered under a partly federated model. This model makes effective use of the Information Technology Services Division for the provision of services and technology of both scale and ubiquity, to provide an IT environment that meets the needs of the UQ community.

University Driven IT Investments
IT investments are prioritised and selected based on the institutional benefit.

4. Governance and Management Areas
The diagram below illustrates the flow of information and the relationships critical to IT Governance.

5. Governance of IT
Governance ensures that stakeholder needs, conditions and options are evaluated to determine the enterprise IT objectives to be achieved. It creates direction through prioritisation, decision-making, and monitoring of performance and compliance against the agreed direction and objectives. IT governance is influenced and supported by the Strategic Information Technology Council (SITC) and the Information Technology Governance Committee (ITGC).

5.1 Strategic Information Technology Council
The Strategic Information Technology Council (SITC) replaces the former Strategic Information Management Committee (SIMC), with a mandate to provide University-wide recommendations and direction on IT strategy. The SITC is a critical nexus between Information Technology and the core operations of the University. Appendix B contains the Terms of Reference for the SITC.

5.2 Information Technology Governance Committee
The scope and purpose of the Information Technology Governance Committee (ITGC) is to ensure IT objectives and delivery are in line with the University's strategic direction, and to ensure that agreed stakeholder needs are met by governing benefit realisation, risk optimisation and resource optimisation. Appendix B contains the Terms of Reference for the ITGC.

5.3 Governance Priorities
The ITGC aims to achieve the following objectives:

5.3.1 Strategic Alignment
Strategic alignment involves aligning the IT function with University strategy to meet defined University goals and objectives.

5.3.2 Risk Management
Risk management involves examining risks and security objectives across the institution and implementing measures that reduce the University's risk profile. Compliance with government guidelines, legislation and procurement practices is also monitored.

5.3.3 Value Delivery
Value delivery ensures economic and other benefits are realised in all IT investments, from project selection to implementation to ongoing management throughout the life cycle.

5.3.4 Performance Measurement
Performance measurement includes determining and establishing performance measures that define the success of IT projects and services. Measurement of alignment with University strategy, funding allocation and project results is also considered.

5.3.5 Resource Management
Resource management includes optimising IT resource capacity and performance while forecasting future needs, including the appropriate IT staffing profile.

5.4 Governance Enablers
ITGC will deliver on the Governance Priorities through effective management of the Information Technology Function. Frameworks, management committees and effective communications to the communities that deliver and use Information Technology are utilised to monitor, evaluate and improve the IT Function's performance.

5.4.1 Frameworks
Frameworks are policies, standards and guidance that create a consistent approach to managing each of the IT Management Functions, and include:
o IT Architecture Framework
o Information Management Framework
o Cyber Security Framework
o Project Management Framework
o Category Management Framework
o IT Contract and Vendor Management Framework
o Change Management Framework
o Incident Management Framework

Management Committees are the collaborative decision-making power that provides assurance over a subset of the IT Management Function. Management Committees also provide appropriate prioritisation and direction to ensure the IT Management Function is meeting the needs of stakeholders. Current Management Committees include:
o Project Advisory Board (PAB)
o Change Advisory Board (CAB)
o Information Security Group (ISG)
o IT Asset Management Committee (ITAM)

o IT Service Management
o Enterprise Support Systems Portfolio Planning Group

A number of communities support UQ in delivering on the Functions of Information Technology, following the direction of management in delivering value for the UQ community. These communities communicate and share information, and include:
o Information Technology Relationship Officers
o Information Technology Leaders Forum
o The IT Sub-Category Managers

6. Management Functions of IT
Management plans, provisions, runs and monitors activities in alignment with the direction set by the Chief Information Officer to achieve UQ enterprise objectives.

The management functions of IT at UQ can be categorised into five functions in accordance with the University's needs and priorities (described below). Management regularly reports on these activities to the appropriate governance body.

6.1 Investment Management
The focus of Investment Management is to:
- Ensure that IT investments are prioritised to deliver on the University's strategic objectives, and are based on sound business decision-making investment principles.
- Ensure intended benefits are derived from investments undertaken.

Investment Management as a whole consists of the following disciplines:
- Financial Management
- Pipeline Management
- Resource Management
- Benefits Realisation

The CIO has tasked the Project Advisory Board (PAB) to oversee the responsible allocation of investment for IT Programs and Projects under the ICT investment plan. Appendix C contains the Terms of Reference for the Project Advisory Board.

6.2 Architecture Management
The focus of Architecture Management is to:
- Work towards a mature practice where Enterprise Architecture (EA) is an enabler of efficient and effective IT capability development and service delivery.
- Build roadmaps and mechanisms that lead to the desired future state.
- Ensure alignment of IT to the institutional strategy.

Architecture Management as a whole consists of the following disciplines:
- Business Architecture
- Data Architecture
- Application Architecture
- Technology Architecture
- Security Architecture

IT Architecture is a new capability being implemented at UQ. The ITGC will oversee the function of Architecture Management.

6.3 Risk and Security Management
The focus of Risk and Security Management is to:
- Enable world-class information technology services whilst protecting the University from increasingly aggressive and sophisticated cyber threats.
- Align information security with the objectives of the University, providing visibility of key risks and issues to enable ownership by the governing bodies of the University.
- Manage the risk of uncertainty in delivering objectives through appropriate identification and mitigation of risks.

Risk and Security Management as a whole consists of the following disciplines:
- Data Classification
- Application Security
- Infrastructure Security
- Business Continuity Planning
- Disaster Recovery Planning
- Project Risk Management
- Enterprise Risk Management

The CIO has tasked the Information Security Group (ISG) to oversee this function, with regular updates to the ITGC.

6.4 Service Management
The focus of Service Management is to:
- Align the delivery of IT services with the needs of the University, underlining benefits to customers.
- Monitor the effectiveness of end-to-end services.
- Improve the quality and reliability of IT services offered.

Service Management consists of the following disciplines:
- Service Support
  o Change Management
  o Problem Management
  o Incident Management
  o Availability Management
  o Release Management
  o Configuration Management
  o Capacity Management
- Service Delivery
  o Service Level Management
  o Financial Management for IT Services
  o IT Service Continuity Management

The IT Service Management Committee will monitor the functions of service delivery, reporting regularly to ITGC. The Change Advisory Board (CAB) will oversee the service support discipline of Service Management.

6.5 Category Management
The focus of IT Category Management is to:
- Provide a strategic IT purchasing and procurement approach that supports the IT Strategic Plan, drives value for UQ and responds to the UQ community's expectations.
- Develop an IT purchasing and procurement framework for consistent use across UQ.
- Establish supply arrangements for commonly purchased items that leverage UQ's collective buying power.
- Advise purchasers in relation to meeting custom requirements, and provide assistance in preparing and publishing tenders for significant procurements.
- Maintain the purchasing and procurement lifecycle for IT products and services.
- Identify, manage and strengthen vendor relationships to support effective contract management and benefits realisation, and to identify future opportunities.

IT Category Management consists of the following disciplines:
- Procurement Analysis
- Procurement Planning
- Tender Management
- Vendor Management
- Asset Management

- Contract Management

IT Category Management is a new capability being developed at UQ; the ITGC will oversee the function of IT Category Management, with the IT Asset Management Advisory Group (reporting to ITGC) continuing to oversee software compliance and asset management.

Appendix A - Glossary of Terms
In this document, the following definitions apply:
- UQ: The University of Queensland
- IT: Information Technology
- ITS: UQ's Information Technology Services Division
- Chief Operating Officer
- CIO: Chief Information Officer
- Vice Chancellors Committee
- Deputy Vice Chancellor Academic
- USMG: University Senior Management Group
- SITC: Strategic Information Technology Council
- SIMC: Strategic Information Management Committee
- ITGC: Information Technology Governance Committee
- ITS SMG: ITS Senior Management Group
- PAB: Project Advisory Board
- CAB: Change Advisory Board
- VCMG: Virtual Change Management Group
- ISG: Information Security Group
- EA: Enterprise Architecture
- Information Technology Service Management Committee
- ITAM: Information Technology Asset Management Committee
- RCC: Research Computing Centre
- Australian Institute for Bioengineering and Nanotechnology
- Queensland Brain Institute
- IMB: Institute for Molecular Bioscience
- Centre for Advanced Imaging
- EAIT: The Faculty of Engineering, Architecture and Information Technology
- AusCERT: Australian Cyber Emergency Response Team

Definitions
- Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
- Management: Management focuses on planning, provisioning, running and monitoring activities to align with and support the governance objectives.
- Enterprise Architecture: An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organisation. The intent of an enterprise architecture is to determine how an organisation can most effectively achieve its current and future objectives.
- Identity Management: Identity management is a broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity.
- Change Management: The objective of change management is to ensure that standardised methods and procedures are used for the efficient and prompt handling of all changes to control IT services, in order to minimise the number and impact of any related incidents upon service.
- Problem Management: The primary objectives of problem management are to prevent problems and resulting incidents from happening, to eliminate recurring incidents, and to minimise the impact of incidents that cannot be prevented.
- Incident Management: The objective of the incident management process is to restore normal service operation as quickly as possible and to minimise the impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.
- Release and Deployment Management: Release and Deployment Management aims to plan, schedule and control the movement of releases to test and live environments.
- Availability Management: Availability Management aims to define, analyse, plan, measure and improve all aspects of the availability of IT services.
- Configuration Management: The process that tracks all of the individual Configuration Items in an IT system, which may be as simple as a single server or as complex as the entire IT department.
- Capacity Management: Capacity management ensures that IT resources are right-sized to meet current and future business requirements in a cost-effective manner.

Appendix B – Governance Committee Terms of Reference

Strategic Information Technology Council
The Strategic Information Technology Council (SITC) provides guidance and governance of the provision and direction of University-wide Information Technology (IT) strategy. The SITC is a critical nexus between Information Technology and the core operations of the University.

Mandate
- Placing Information Technology as an enabler aligned to supporting the University's key objectives
- Ensuring appropriate management and governance structures are in place for the information technology function
- Verifying UQ's risk position is in line with the University's risk appetite
- Matching Information Technology performance with University expectations
- Review of university-wide IT strategies and roadmaps
- Endorsing and advocating Information Technology change to the University executive and throughout the Institution

Scope
- IT Functions at UQ

Membership (Position)
1. Chief Operations Officer - Chair
2. Deputy Vice-Chancellor (Academic)
3. Director of Governance and Risk
4. An Executive Dean
5. An Institute Director
6. University Librarian
7. Chief Information Officer
8. Director, Business Intelligence
9. Pro-Vice-Chancellor, Research Infrastructure
10. ITS Associate Director, IT Governance – Secretary

Terms and Processes
o Reports to USMG
o Meets twice per year
o Attendance is defined as in-person, by phone or by video call
o No sub-delegation
o Members must be in attendance to vote
o Quorum: 75% of filled voting positions, in attendance

Information Technology Governance Committee
The scope and purpose of the Information Technology Governance Committee (ITGC) is to ensure IT objectives are in line with the University's strategic direction, and to ensure that the stakeholders' needs are met by governing benefit realisation, risk optimisation and resource optimisation.

Mandate
- Supports the achievement of the University's goals by directing IT management's priorities and performance
- Determines the prioritisation of resources and investment in information technology, increasing the proportion of investment in 'transformational IT' by reducing the resources used in 'running IT'
- Monitors the IT project portfolio and key programs underway
- Provides a consistent framework across all UQ's IT projects to ensure that project outcomes are aligned to organisational strategy and the project has appropriate oversight
- Monitors the realisation of intended benefits of initiatives that include or affect information technology
- Monitors the effectiveness of information technology processes and services, and directs management to continuously improve
- Develops and recommends the IT Strategies to SITC; ITGC manages the roadmap and programs that support the effective delivery of the IT Strategy
- Approves the initiatives, architectures, standards, policies and other mechanisms that govern the IT function throughout the University
- Assesses risk and compliance of UQ's information management practices and provides direction for Information Stewards

Scope
- IT function at UQ

Membership (Position)
1. Chief Information Officer - Chair
2. University Librarian
3. Director, Research Computing Centre
4. A Faculty Executive Manager
5. A Deputy Director (Strategic)
6. ITS Associate Director, IT Governance
7. ITS Strategy, Policy and Assurance Officer – Secretary

Terms and Processes
- Reports to SITC
- Meets every six weeks
- Attendance is defined as in-person, by phone or by video call
- Members may delegate attendance to an equivalent peer (e.g. FEM from an alternate Faculty)
- Members must be in attendance to vote
- Quorum: 50% of filled voting positions, in attendance

Appendix C – Management Committees Terms of Reference

IT Project Approval Board
The IT Project Approval Board (PAB) is responsible for the portfolio of IT programs and projects, including all IT initiatives within the University community. The primary function of PAB is to review, approve, prioritise and reject new project proposals. An important aspect of the advisory board is its authority to redirect a project if the team is not addressing technical, programmatic or business issues.

Mandate
- Approve, prioritise, reject and escalate ITS project requests
- Ensure all ITS projects are appropriately governed and managed
- Provide a portfolio view of IT projects
- Re-evaluate current projects if they are not meeting their original intent (i.e. scope, timeline and cost)
- Consolidate lessons learned from projects (including analysis of Post Implementation Reviews)
- Input into the enhancement of the Project Management Framework (PMF), approved by the ITGC

Scope
- IT projects within the University community
- IT Function at UQ (Framework)

Membership (Position)
1. Chief Information Officer - Chair
2. Associate Director, IT Governance
3. Deputy Director, Infrastructure Operations
4. Deputy Director, Applications Delivery and Support
5. Associate Director, Customer Support Services
6. Portfolio Manager – Secretary

Terms and Processes
- Reports to ITGC
- Meets weekly
- Attendance is defined as in-person, by phone or by video call
- Members must be in attendance to vote
- Quorum: 60% of filled voting positions, in attendance

Change Advisory Board
The CAB is an advisory body that reviews proposed changes, assesses risks and ensures adequate communications are undertaken for the proposed change, before advising on the CIO's behalf to proceed with or amend a Significant change request.

Mandate

Objectives
CAB is responsible for providing guidance and advising on all IT changes as required:
- Reviewing Significant change requests
- Reviewing Emergency changes and providing feedback to the service support teams
- Reviewing changes post implementation, if the change did not complete as approved by the CAB
- Reviewing Significant changes post implementation
- Compiling quarterly reports tracking change outcomes, including success/failure rates and Emergency changes
- Providing guidance to requestors on Pre-approved changes

Responsibilities
- Review the risk and impact assessment of a change to the Business
- Confirm resource requirements for the change
- Ensure the change implementation plan is adequate
- Confirm a thorough change communication is undertaken with the right stakeholders and at the right level
- Review the impact on other services and/or infrastructure due to the change
- Ensure a business approval has been received
- Ensure proposed scheduled times are appropriate
- Make recommendations to reduce risks and/or improve the likelihood of success
- Ask probing questions to fully understand the scope and impact of a change

Scope
- All significant changes to IT services at UQ

Membership (Position)
1. Senior Manager, Infrastructure and Identity - Chair
2. Manager, Infrastructure Services
3. Manager, Networks and Data Centres
4. Manager, Applications Administration
5. Senior Manager, Enterprise Applications
6. Technical Specialist, Database Management
7. Relationship Manager
8. Manager, Service Desk
9. Associate Director, Library Technology Services
10. Security Architect
11. Senior IT Manager, IMB
12. Manager, Research Infrastructure

Note: Subject Matter Experts (SME) may be called upon to provide advice on particular change requests.

Terms and Processes
- Reports to ITGC
- Meets weekly
- Attendance is defined as in-person, by phone or by video call
- Members must be in attendance to vote
- A Virtual Change Management Group (VCMG) operates 'online' to review Standard changes
- Quorum: 75% of filled voting positions, in attendance

Information Security Group
The Information Security Group (ISG) will be a forum to discuss security issues and concerns at the University of Queensland from the viewpoint of IT practitioners. It will assist the Security Architect and CIO to deliver the IT Security Strategy whilst maintaining alignment with general IT operations and priorities.

Mandate
- Raise operational security matters and concerns for discussion
- Review elements of the UQ information security management framework as they are created and updated
- Build members' information security knowledge, and disseminate this to the wider UQ community
- Promote best-practice information security practices within their circles of influence
- Provide subject matter expertise as required to bear on information security issues
- Act as a clearing house for issues arising from operational information security differences of opinion and ownership, and provide general clarifications as required

Scope
- IT Function at UQ

Membership (Organisational Unit)
- ITS IT Governance
- UQ Security Operations Centre/AusCERT
- ITS Networks and Data Centres
- ITS Customer Support Services
- ITS Applications Development and Support
- ITS Application Administration
- ITS Enterprise Applications
- ITS Infrastructure Services
- ITS Identity Management
- EAIT IT
- ITS Relationship Management
- IMB IT
- Library IT

Terms and Processes
- Reports to ITGC
- Meets monthly
- Attendance is defined as in-person, by phone or by video call
- Members must be in attendance to vote
- Quorum: 75% of filled voting positions, in attendance

Information Technology Asset Management
The IT Asset Management Committee (ITAM) is responsible for ensuring the University effectively manages IT assets, both hardware and software.

The ITAM committee will oversee the continual improvement of the management practices surrounding Software Asset Management (SAM) and Hardware Asset Management (HAM) at UQ. The ITAM committee will approve recommendations to be submitted to the Information Technology Governance Committee (ITGC) for endorsement. Any matters that require urgent resolution or approval may be referred to the CIO.

Mandate
The ITAM Committee objectives are to:
- Ensure that UQ's software usage complies with vendor terms and conditions
- Ensure that UQ's software assets are efficiently managed and utilised throughout their lifecycle
- Ensure UQ's IT desktop hardware assets are effectively managed and utilised throughout their lifecycle
- Approve changes to UQ's standard software and hardware catalogues
- Devel
