Cloud-based ICT Services Checklist
Guideline

Contents

Overview

Context

Cloud services checklist

Checklist explanation

Further information

Appendix A: What are cloud services?

Appendix B: Reference and toolkits

Victorian Government Policies and Guidelines

Document control

Version history

Overview

This document provides a non-exhaustive checklist of considerations to be made when evaluating, purchasing, implementing and managing cloud-based ICT services (‘cloud services’). Each checkpoint item is explained (see Checklist explanation).

Context

Cloud services are an important innovation in the provision of ICT services. Engineered for sharing, they enable a large and diverse customer base to use a standardised service without the need for each customer to individually buy, install and customise hardware and software[1]. Cloud services also give users ready access to advanced functionality and high quality operations along with shorter project timelines and, when managed properly, significant benefits and less risk in comparison to traditional dedicated ICT solutions.

Enterprise-grade cloud offerings now exist across the full spectrum of ICT services. However, some constraints apply. First, the cloud services market is rapidly evolving and comprises vendors and services of varying quality and appropriateness for government use. Secondly, not all workloads, categories of information or applications are appropriate for delivery as cloud services. Consequently, agencies should approach cloud services aware of both the opportunities and the risks, and taking note of procurement and risk management practices.

Cloud services checklist

The following checklist is a non-exhaustive list of considerations agencies should make prior to committing to a cloud service.

1. Has there been a frank assessment of the current ICT environment?
2. Are there clear business outcomes and priorities?
3. Have you assessed and categorised your data for suitability?
4. Do you understand the relevant data sovereignty risks?
5. Can you adopt a more flexible approach to your requirements?
6. Can your risk analysis processes accommodate cloud services?
7. Can your procurement strategy accommodate cloud services?
8. How will you fund your cloud implementation?
9. Have you completed formal data security and privacy impact assessments?
10. Have you gathered intelligence from other users?
11. Have you established how the service cost is determined and how it can be influenced?
12. Can you trial the service before purchase?
13. Does your cloud services agreement adequately address your circumstances?
14. Have you assigned roles and responsibilities for the storage and retrieval of your data?
15. Have you planned for service failure?
16. Have you considered your future needs?
17. Have you considered your potential roll-out plan?

Checklist explanation

1. Has there been a frank assessment of the current ICT environment?

The starting point for any evaluation of a cloud service should always be to form a realistic appreciation of the strengths and weaknesses of the existing approach to sourcing and managing ICT capabilities. In particular this evaluation should include a frank assessment of the agency’s track record for ICT project delivery and the sustainability and security of the agency’s ICT environment. This is an essential precursor to making pragmatic and honest assessments of the benefits, costs and risks of different sourcing options.

2. Are there clear business outcomes and priorities?

A sound understanding of the agency’s desired outcome(s), or end state, is crucial to the assessment of whether cloud services are appropriate for the given situation. Knowing, and prioritising, what is needed allows providers and purchasers alike to determine the most appropriate solution for the purpose. This exercise includes establishing information such as who will use the service (in terms of types or classes of user, or specific groups), in what numbers and at what frequency/volume.

3. Have you assessed and categorised your data for suitability?

Privacy laws and other information management obligations dictate that not all categories of information are appropriate for all types of cloud services. Consequently, agencies must analyse and categorise their data and satisfy themselves that the use of a cloud service will not put them at risk of breaching their legal, reputational and internal obligations.

Crucially, agencies must consider any auditing requirements imposed on the data that will be stored in a cloud service. In particular, thought must be given to how readily that data can be queried, retrieved and tested for compliance purposes, and, where necessary, these needs should be discussed with the service provider.

4. Do you understand the relevant data sovereignty risks?

Critical to any decision to engage a particular cloud service is to know where the data resides. There should be an awareness that some cloud service providers: store their client data in locations other than where their business is or appears to be based; move data without notice from location to location to accommodate operational issues such as load balancing; and/or simply resell the cloud service of another provider, further distancing the control of the data from the owner.

The difficulties with data not residing in Victorian or Australian jurisdiction are complex, and depend on the type of data stored and any legal or reputational overlay that may apply to that data. It is out of the scope of this guideline to provide advice in this area[2]; however, an evaluation of the provider’s storage arrangements needs to be undertaken before any decision to proceed with a given cloud service.

5. Can you adopt a more flexible approach to your requirements?

Generally, cloud services – particularly public cloud services[3] – are unlikely to be tailored to meet the specific needs of a customer. In some circumstances this may well mean that certain organisational needs are unable to be met by particular cloud services. However, this restriction can also be viewed as a catalyst for agencies to standardise business processes within the organisation so that they can utilise cloud services and receive the benefits that they offer. Consequently, agencies’ requirements definition exercises may need to evolve. For example, agencies may need to establish a process whereby they iteratively question their requirements, and determine any available compromises, before and after approaching candidate cloud services.

6. Can your risk analysis processes accommodate cloud services?

Proposals for cloud services should always be evaluated against relevant risk analysis processes and suitable mitigation strategies should be implemented. There should be recognition that cloud services present new challenges for risk management. For example, existing procurement policies and risk management processes can often focus on minimising the risk of making a bad decision, whereas cloud services may call for a more expansive analysis – for example an assessment of the risk of failing to make a good decision, or the risk of failing to make a decision at all.

Cloud services are subject to many different points of view as to their risks and benefits. Engage with prospective stakeholders early and closely manage their perceptions and queries. Further:

  • ensure that the desired business outcomes and priorities are clearly stated and understood
  • communicate the facts on the current state of their ICT environment, and how it relates to those desired outcomes and priorities
  • proactively socialise key research and case studies
  • showcase successful cloud services
  • subject cloud services to professional ICT project management processes, i.e. ensure good planning with a focus on outcomes and pragmatic, but effective, risk management.

7. Can your procurement strategy accommodate cloud services?

Cloud services require extra care when aligning with existing Victorian Government Purchasing Board procurement rules (for example, the ‘as-a-service’ model defies easy quantification of contract value). Similarly, more agile, iterative approaches to sourcing ICT capabilities also do not fit well with formal request for proposal (RFP) and tendering processes. Consequently, agencies may need to assess and possibly adjust their procurement strategy to balance the business value of cloud services with the necessary compliance measures.

8. How will you fund your cloud implementation?

It is important to note that whilst government ICT solutions have traditionally involved capital investment, cloud services are accommodated in operating expenses. These funding implications must be understood before engaging with a cloud services provider. This step is important because in some instances capital expenditure may be easier to secure than operational expenditure, and vice versa. In particular, chief financial officers may need to be involved to engineer solutions to these types of challenges.

9. Have you completed formal data security and privacy impact assessments?

No matter how urgent the business need, or how compelling the offering is, agencies should always consider undertaking formal data security and privacy impact assessments before engaging with cloud services. These assessments will ensure that the relevant risks can be identified and actively managed through appropriate process, information management, operational and contractual mitigations. The process should be informed by an appreciation of the agency’s desired outcomes and priorities and the pragmatic cost/benefit/risk compromises involved in the procurement.

10. Have you gathered intelligence from other users?

As the government engages with cloud services in a range of different settings, a body of knowledge as to functionality, quality and reliability will begin to form. Consequently, before any interaction with cloud service providers, prospective purchasers should turn to other agencies to gather intelligence and possibly learn about alternatives. This engagement may also expose opportunities to, for example, re-use procurement and implementation materials, create sharing arrangements and possibly purchase services off existing contracts.

Equally, agencies should recognise that any engagement they have with a cloud service will generate information that may be useful to others. To that end, documenting at least basic information about their interactions with cloud service providers is encouraged.

11. Have you established how the service cost is determined and how it can be influenced?

Cloud services tend to be priced at the sustainable total cost of their operation, with an allowance to keep the service functionally relevant over time. This pricing formula can make cloud services appear expensive relative to other sourcing approaches. However, particular variables can impact on this equation and make cloud services more, or less, appealing from a cost perspective. For example, the number of users and transaction volumes can shape overall costs. For this reason, prospective purchasers should consider a range of usage models to evaluate the effect of pricing under different circumstances and how those results relate to the budget allocated for the service.

12. Can you trial the service before purchase?

A key difference between cloud services and traditional ICT capabilities is that cloud services are generally available for near immediate use. This ready availability often means that purchasers of cloud services can seek a trial of the prospective cloud service and even apply real world scenarios to the trial (using caution always with the type of data that is used and the terms of the trial). This more agile approach may also allow more flexibility to trial multiple services, affording the decision-maker the chance to contrast and compare across a variety of offerings.

13. Does your cloud services agreement adequately address your circumstances?

Vendors of cloud services often present standard form agreements to prospective purchasers. Unsurprisingly, these agreements can tend to focus on protecting the supplier’s interests, and may not provide adequate assurance for a government agency. Agreements with cloud service suppliers should be closely scrutinised, and where the terms are not appropriate for the purchaser, a negotiation of terms may be necessary. The extent of that negotiation is a matter for the relevant agency, taking into account their particular circumstances. However, at a minimum, the points raised by this guideline, and other relevant government materials, should be addressed in any final written agreement.

14. Have you assigned roles and responsibilities for the storage and retrieval of your data?

Because data is stored in, and reliant on, the cloud service provider’s particular facilities, agencies must form adequate plans to get their data into and out of those facilities. Moreover, they should ensure that between themselves and the provider it is clear who has responsibility for what in those processes, and where costs lie.

With respect to data retrieval, unexpected circumstances can arise, e.g. the provider ceases to operate (in an orderly or disorderly fashion) or one or both parties wish to terminate the relationship. Plans as to how to retrieve the relevant data on the realisation of these situations (and any other reasonably conceivable situation) should be developed before any decisions to pursue a particular cloud service.

15. Have you planned for service failure?

A cloud service is essentially an arms-length outsourcing arrangement which, by its nature, involves the risk of interruptions to supply and/or the supplier ceasing operations permanently. In order to manage those risks, all purchasers of cloud services should have a plan to address those eventualities. Any such plan should be appropriate for the degree of reliance on the continuous availability and performance of the service, and should form part of the broader business continuity planning for the agency. This kind of plan should be adequately tested to the extent possible.

16. Have you considered your future needs?

Over time, implementations of cloud services can evolve from small, possibly experimental, beginnings to become mission-critical applications. This possibility must be anticipated when partnering with a cloud service provider, with agencies carefully considering the capacity of the provider to evolve with their future needs (e.g. increase in users, consistent operational performance, ongoing vendor development roadmap, and ability to meet evolving information security requirements). Recent quality certifications achieved by the vendor may provide indicators.

17. Have you considered your potential roll-out plan?

Cloud services are well suited to starting with small, evaluative implementations, which may then be progressively iterated when the agency is satisfied of their suitability. The benefit of this approach is that business feedback from each of the iterations informs the next, and that feedback in turn benefits the entire rollout. At some point, larger scale rollout can then be accelerated on the back of that testing, including the lessons that have been learned and resolved. This approach can considerably reduce the risks of project failure and deliver business outcomes more quickly. Agencies planning to utilise cloud services should advise stakeholders of this to manage expectations about the way the service will be rolled out.

Further information

For further information regarding this guideline, please visit the Enterprise Solutions website.


Appendix A: What are cloud services?

Cloud services defined

There are many definitions of cloud services. The US National Institute of Standards and Technology (NIST) definition (as referenced in the ‘Cloud services’ section below) is commonly used in government cloud policy documents. This section provides an articulation of the commonly regarded characteristics of cloud services.

Cloud computing

Cloud computing refers to the underlying technologies and methods that are the building blocks of cloud services. These include, for example, virtualisation, automation, self-service provisioning, usage-based service metering and charging, multi-tenant infrastructure and application architectures, web services, service oriented architecture (SOA) and application program interfaces (APIs).

Cloud services

Cloud services are a form of outsourced shared services, created using cloud technologies and methods (see cloud computing, above). The distinction between cloud computing and cloud services is important. While it may be relatively straightforward for any organisation to implement cloud computing technologies, the creation and operation of a reliable and trustworthy cloud service is a significantly more difficult, and expensive, proposition, involving appropriate organisation, process, people and culture.

Cloud services are also revolutionary because they represent a dramatic change in the way ICT capabilities are both provided and sourced as shared services. They represent an opportunity to shift how these capabilities are purchased and/or consumed, which in turn can lead to extraordinary organisational change. Cloud services may comprise a wide spectrum of ICT functionality, which typically falls under three categories:

  • Software-as-a-service (SaaS): the provision of a fully operational application as a cloud service via a web browser and web services
  • Platform-as-a-service (PaaS): the provision of an application development and operation environment as a cloud service
  • Infrastructure-as-a-service (IaaS): the provision of computing and storage infrastructure as a cloud service

This categorisation demonstrates how cloud offers customers the ability to ‘source and consume’ rather than ‘buy and control’. Whilst the distinction between the IaaS, PaaS and SaaS categories is not always clear, in general terms, customers purchase: IaaS to access less costly, more flexible ICT infrastructure; PaaS to enable faster and less costly development and operation of bespoke applications; and SaaS to enable faster and less costly implementation and operation of standardised ‘out of the box’ business applications.

Delivery of cloud services: public, private and hybrid

Traditionally, cloud services have been described as either public or private (and more recently, as hybrid, comprising elements of public and private). Today, a single provider can deliver services using different models, more-public or more-private, depending on customer needs.

Public cloud services are large scale global or national shared services where all customers consume standardised functionality on common terms and conditions via a web browser and the public internet.

Private cloud services are shared services with resources dedicated to a particular customer or community of customers. Private cloud services may be delivered in-house or externally provided and may be accessed via the public internet or via a secure private network. A private cloud service may include functionality and/or contractual terms and conditions that are substantially tailored to an individual customer’s needs. Private cloud services provide exclusivity and customisation, but this comes with major drawbacks in cost and maintenance compared with public cloud.

In adopting a public cloud delivery service, agencies can transfer management responsibility to the cloud provider, while in a private cloud delivery service there can be significant demand on the agency’s resources to update, maintain and safeguard these services.

Benefits from the adoption of cloud services are typically greater via a public cloud delivery model. Bearing this in mind, agencies are advised to avoid simplistic assumptions based on public versus private cloud distinctions – in particular, the assumption that a private cloud service is always safer than a public cloud service should be challenged. Instead, agencies might focus on understanding the actual trustworthiness and functionality of a particular cloud service, keeping in mind always the question: all things considered, will this service achieve better business outcomes than the alternatives?

Enterprise-grade cloud services

It is important to acknowledge that not all cloud services providers, and not all cloud service offerings, are suitable for use by large enterprises such as government agencies. Indeed, many cloud services are targeted purely at the consumer and small-medium business markets and the degree to which these services meet the needs of larger organisations varies.

Enterprise-grade cloud services may be distinguished by characteristics such as the:

  • trustworthiness/credibility/financial strength of the provider organisation
  • operational maturity, historical performance and resilience of the service
  • depth and breadth of the customer base
  • forward roadmap of service enhancements
  • provider’s achievement of quality and security accreditations
  • geographic location of data centres
  • availability and quality of customer support services
  • willingness of the provider to agree to non-standard contractual terms and conditions.

Whether a cloud service is appropriate for a specific enterprise purpose is a decision for the relevant agency. All usual benefit and risk assessments should be applied, to both the service provider and the specifics of the services being considered.


Appendix B: Reference and toolkits

Victorian Government Policies and Guidelines

Victorian Government ICT Strategy Policies, Standards & Guidelines

  • Business systems, policies and standards

Requirements for health records

  • Health Privacy Principles

Australian Government Policies & Guidelines

  • Whole of Government Technology and Procurement
  • The Data Centre as a Service Multi Use List Fact Sheet
  • Cloud Computing Security
  • Privacy Law
  • Privacy Resources for Agencies and organisations
  • Privacy agency resource 1: Individual healthcare identifiers — Compliance obligations for state and territory healthcare providers on the Office of the Australian Information Commissioner website

Other State Government Jurisdictions

  • Procurement Strategic Directions Statement on the NSW Procurement Board website

Cloud Service Providers Codes of Practice

  • Cloud Computing Consumer Protocol - Discussion Paper on the Australian Computer Society website

Data sovereignty

  • Data Sovereignty and the Cloud

United States Government

  • Cloud IT Acquisition Services
  • Federal Cloud Computing Strategy
  • The Federal Risk and Authorization Management Program (FedRAMP)
  • Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned

UK Government

  • Service Manual

Document control

Version history

Version / Date / TRIM ref / Details
0.1 / September 2013 / D11/192132 / Initial draft
0.9 / Sep 2013 – May 2014 / D11/192132 / Version for initial noting by the CIO Council
1.0 / 31 July 2014 / / For release
1.1 / 1 April 2017 / D17/158064 / March 2017 internal review, minor changes, new template.

Keywords: Cloud-based ICT services; cloud services; ICT procurement; digital design; service design; ICT expenditure; information management; information security; privacy; recordkeeping; compliance; audit; business continuity; disaster recovery; evaluation
Identifier: CS-GUIDE-01
Version no: 1.1
Status: Review and re-Issued
Issue date: April 2017
Date of effect: April 2017
Next review date: July 2018
Authority: Victorian Government CIO Leadership Group
Issuer: Victorian Government Chief Technology Advocate

[1] See Appendix A for further information on the nature of cloud services.

[2] See Appendix B, Data sovereignty, for further information.

[3] See Appendix A for a definition of public cloud services.