NSW Government Infrastructure as a Service Solutions Standard September 2015


NSW Government

Infrastructure as a Service

Solutions Standard

v1.0

September 2015


Infrastructure as a Service Solutions Standard

CONTENTS

1. CONTEXT

1.1. Background

1.2. Purpose

1.3. Scope and application

1.4. Policy context

1.5. The ICT Services Catalogue

2. KEY PRINCIPLES

3. REQUIREMENTS

3.1. Infrastructure as a Service

3.2. Service level and complexity

3.3. Requirements tables

3.3.1 Bronze (basic) – Use Cases / Scenarios

3.3.1 Silver (standard) – Use Cases / Scenarios

3.3.2 Gold (complex) – Use Cases / Scenarios

3.4. Elements of this standard

DOCUMENT CONTROL

APPENDIX A – DEFINITIONS

APPENDIX B – ABBREVIATIONS

APPENDIX C – REFERENCES

APPENDIX D – STANDARDS

Developing technical standards

Management and implementation


1. CONTEXT

1.1. Background

This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. This standard contains technical and functional requirements that agencies should consider when procuring ICT services for Infrastructure as a Service (IaaS) solutions.

By defining the necessary and common elements across agencies the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.

1.2. Purpose

The purpose of this standard is to assist NSW Government agencies to develop, procure and implement IaaS solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.

This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.

1.3. Scope and application

This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.

For the purposes of this standard, IaaS means providing the capability for the consumer to provision processing, storage, networks, and other fundamental computing resources. The consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Elements of IaaS, which make up key elements of this standard, include:

Compute as a Service

Storage as a Service

Network as a Service

Pre-production or Testing as a Service

See Appendix A for definitions of the above elements of this standard.

This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.

1.4. Policy context

The NSW Government ICT Strategy and Digital+ 2015 Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.

Information sharing, open data and reuse of technology are priority initiatives of the ICT Strategy, to maximise the return on government investments, support better policy development and service delivery. The NSW Government ICT Investment Policy and Guidelines establishes these requirements for all new ICT projects, in particular to make better use of the functionality in existing systems.

The NSW Government Enterprise Architecture (NSW GEA) provides direction and practical guidance to accelerate the development of agency EA capability and enable a common, intra- and inter-agency approach to the design of digital government. It encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is mapping the landscape of Whole of Government systems available across the sector, highlighting opportunities for reuse and where APIs can add value.

NSW Government, along with many governments in other jurisdictions, has moved towards opening up previously protected databases and applications, so that data and functionality can be accessed across agency boundaries or reused in new systems. Within NSW this has been reflected in the development of the NSW Government Open Data Policy, which provides clear direction for agencies to make their data available to the public in machine readable forms, including through the availability of APIs.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.

The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.

This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix D – Standards.

1.5. The ICT Services Catalogue

This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.

2. KEY PRINCIPLES

With IaaS, the consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g. host firewalls).

This standard is based on the following principles:

End-to-end digital: IaaS solutions should enable end-to-end digital business processes and management.


Control technical diversity: IaaS solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple processing environments.

Data security: Meet any applicable requirements of the NSW Digital Information Security Policy and ISO 27001.

Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.

Data quality: Data should possess characteristics indicating data quality, including in relation to: accessibility, the institutional environment, relevance, timeliness, accuracy, coherence and interpretability (see the NSW Government Standard for Data Quality Reporting for more details).

Single source of truth: Where applicable, agencies should establish a dataset as the single source of truth, to help eliminate duplication, inconsistency, and to support data currency.

Facilitating as a service: IaaS solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.

Interoperability: IaaS solutions should meet applicable recognised open standards across the elements of compute, storage, network, and pre-production and testing.

Business continuity: IaaS solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy and ISO 27031-2011 for more guidance).

3. REQUIREMENTS

3.1. Infrastructure as a Service

When considering any aspect of IaaS (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer. Definitions for items discussed below can be found in Appendix A – Definitions.

The following environments should be considered when specifically assessing a Compute as a Service offering:

1. Production

2. Disaster recovery

3. Test, development and/or user acceptance testing

The following components should be considered when specifically assessing a Storage as a Service offering:

1. Tier 0 Storage

2. Tier 1 Storage

3. Tier 2 Storage

4. Tier 3 Storage

The following elements should be considered when specifically assessing a Pre-production or Testing as a Service offering:

1. Pre-production (or commissioning) services

2. Testing services

3.2. Service level and complexity


Compute as a service can be provided in a range of ways. For example, the supplier of the service may manage some of the service or environment during the course of the contract, or the supplier of the service may manage the entire service for the course of the contract.

The following requirements use case tables are separated into three service levels – bronze, silver and gold, reflecting the complexity of the IaaS solution required:

Bronze: Basic IaaS – generally suitable for non-production environments.

Silver: Standard IaaS.

Gold: Advanced/complex IaaS.


3.3. Requirements tables

The following tables set out the recommended business and technical requirements for the provision of IaaS services to NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size. Explanations for each element of the following use cases are provided at section 3.4.


3.3.1 Bronze (basic) – Use Cases / Scenarios

‘Use cases’ for IaaS that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Table columns (requirement sections): High availability; Non-geo-separated data centre redundancy; Geo-separated data centre redundancy; Dedicated resources; Non-dedicated resources; Content capability (block, file system etc.); Connectivity to resource (physical, i-scsi, fibre etc.); Management tools for storage; Encryption keys; Deduplication services; Backup/restore services; Data replication; Physical networking services; GovDC on-ramp; Management tools for networks; Commissioning services; Testing services; Self-service administration; Full-service administration; Cloud computing hosting facility; NSW Government Data Centre; Onshore/offshore management; Service level management; Multi-service broker provision; Service management – performance & latency; Service management – disaster recovery.

Table rows (use cases): Compute – Production Environments; Compute – Disaster Recovery Environments; Compute – Test / Development / User Acceptance Testing Environments; Storage – Tier 0; Storage – Tier 1; Storage – Tier 2; Storage – Tier 3; Network Services; Pre-production Services; Testing Services.


3.3.1 Silver (standard) – Use Cases / Scenarios

‘Use cases’ for IaaS that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Table columns (requirement sections): High availability; Non-geo-separated data centre redundancy; Geo-separated data centre redundancy; Dedicated resources; Non-dedicated resources; Content capability (block, file system etc.); Connectivity to resource (Physical, i-scsi, fibre etc.); Management tools for storage; Encryption keys; Deduplication services; Backup/restore services; Data replication; Physical networking services; GovDC on-ramp; Management tools for networks; Commissioning services; Testing services; Self-service administration; Full-service administration; Cloud computing hosting facility; NSW Government Data Centre; Onshore/offshore management; Service level management; Multi-service broker provision; Service management – performance & latency; Service management – disaster recovery.

Table rows (use cases): Compute – Production Environments; Compute – Disaster Recovery Environments; Compute – Test / Development / User Acceptance Testing Environments; Storage – Tier 0; Storage – Tier 1; Storage – Tier 2; Storage – Tier 3; Network Services; Pre-production Services; Testing Services.


3.3.2 Gold (complex) – Use Cases / Scenarios

‘Use cases’ for IaaS that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Table columns (requirement sections): High availability; Non-geo-separated data centre redundancy; Geo-separated data centre redundancy; Dedicated resources; Non-dedicated resources; Content capability (block, file system etc.); Connectivity to resource (Physical, i-scsi, fibre etc.); Management tools for storage; Encryption keys; Deduplication services; Backup/restore services; Data replication; Physical networking services; GovDC on-ramp; Management tools for networks; Commissioning services; Testing services; Self-service administration; Full-service administration; Cloud computing hosting facility; NSW Government Data Centre; Onshore/offshore management; Service level management; Multi-service broker provision; Service management – performance & latency; Service management – disaster recovery.

Table rows (use cases): Compute – Production Environments; Compute – Disaster Recovery Environments; Compute – Test / Development / User Acceptance Testing Environments; Storage – Tier 0; Storage – Tier 1; Storage – Tier 2; Storage – Tier 3; Network Services; Pre-production Services; Testing Services.


3.4. Elements of this standard

High availability

The service is able to meet the availability requirements defined in the service offering and/or signed off by both the service provider and the customer. The actual availability of the service must be provided in written form prior to any engagement of the service. Any response to a market engagement must provide this information as part of the response and update it as required.

Non-geo-separated data centre redundancy

The service is provided from a single site location including any redundancy equipment that would take over running of the service in the event the primary equipment failed.

Geo-separated data centre redundancy

The service offers redundancy of equipment/services from geographically separated facilities, so that in the event of a catastrophic outage at one site the other site would continue to provide services.

Dedicated resources

All elements of the service must be provided on dedicated resources, that is, resources not shared with other customers. The service provider will need to be able to demonstrate that all resources are dedicated to the one customer and not being shared between multiple customers.

Non-dedicated resources

Either all or some elements of the service may be provided on/from resources that are shared with other customers.

Content capability (block, file system etc.)

The provision of storage services needs to identify the means by which a system can address the storage to ensure all elements of a system are compatible with one another. All means of addressing the storage should be provided in any market engagement response.

Connectivity to resource (physical, i-scsi, fibre etc.)

The means of connectivity between the storage resource(s) and the compute service needs to be articulated. If options exist, full details on each option should be provided as part of any market engagement response.

Management tools for storage

The service will have appropriate management tools that allow either the service provider to manage the storage service or the customer to manage their storage units. Any response to a market engagement should provide details of the tools used (or available, including any recommendations), whether the tools are available to the customer, and to what extent the customer is able to self-manage their storage system.

Encryption keys

The service will have appropriate encryption keys for the types of services being offered. Any response to a market engagement should provide sufficient details of the encryption keys used and whether these are controlled by the supplier of the service or the customer. As part of this response, the service provider needs to disclose what, if anything, can be accessed by the non-holder of the encryption keys.

Deduplication services

Services should be able to provide (where appropriate and/or required) deduplication services that remove unnecessary duplicated copies of data on the service. In any market engagement, the service provider should be able to describe if/how their service achieves this along with details about solutions/environments that it supports.

Backup/restore services

Services to back up and restore data on the service as required, mainly for disaster recovery purposes, but which may also be required for other purposes including but not limited to investigations and/or roll-backs. Any response to a market engagement should describe the types of backups and restores that are available within the service, including frequency, time to recover and whether additional costs are required, including indicative amounts.

Data replication

Solution providers must not change any data replication parameters and/or locations without prior written consent from agencies concerned. All data storage locations must be known to agencies and changes agreed before they occur. If data is replicated to a location that has not been approved, the service may be terminated for breach.

Physical networking services

The service needs to define the exact means of connection between components (compute, storage and other). Specific details should include:

Layer 2 connection points (if applicable)

Layer 3 connection points (if applicable)

Routing protocol(s)

Virtual private networks

Access port(s) and their capacity

Types of connection available (e.g. copper, fibre etc.)

GovDC on-ramp

Where services are provided outside of NSW GovDC environments, a single dedicated (with appropriate redundancy) network link for all NSW Government agencies is to be provided that is capable of expansion to meet changing needs.

Management tools for networks

The service will have appropriate management tools that allow either the service provider to manage the network service or the customer to manage their networks. Any response to a market engagement should provide details of the tools used (or available, including any recommendations), whether the tools are available to the customer, and to what extent the customer is able to self-manage their networks. The management tools will also provide inputs for service reporting requirements.

Commissioning services

Services that assist the customer in transitioning to the as a service environment. For the purposes of this standard, commissioning services will include design services – ensuring the service is designed to deliver the required outcomes; commissioning services – ensuring the service is commissioned in accordance with the design and customer requirements; transition services – ensuring services are transitioned to the service from their existing environment(s). Any response to a market engagement should provide a complete list of commissioning services that a customer can take advantage of.


Testing services

Provision of testing services that comply with international testing standards that can be made up of testing systems that require human intervention or not; professional services to perform and/or manage testing of ICT environments. In responding to any market engagement, suppliers should be able to provide a full list with appropriate rate cards of all services they are able to offer within this element of this standard.

Self-service administration

The ability to automatically provision and de-provision for all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider that do not impinge on the solution being provided to other customers.

Full-service administration

All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.

Cloud compliant hosting facility

All relevant cloud services for the solution may be provisioned from a compliant hosting facility. Compliant hosting is defined as having the following attributes and/or capabilities:

The location of the hosting facility must be identified either by name and/or location (city and country) in any response.

The hosting location cannot be changed without first informing the agency concerned.

The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.

The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.

The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:

o ISO 9001

o ISO 27002

o ISO 20000-1:2011

o ISO 14001

Other desirable certifications may include, but are not limited to:

o PCI-DSS v3.0 or later

o Australian Signals Directorate

o ASIO-T4

o Uptime Institute

o CSA

Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.

If the hosting facility changes to a location that is deemed unacceptable either to NSW Government or to the agency, and/or loses attributes and/or capabilities identified above, the agency may need to consider termination of services.

NSW Government Data Centre

All relevant services for the solution may be provisioned from one or both NSW Government Data Centres (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s) subject to agreement with the commissioning agency.

Burst data centres must be deemed ‘compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.

Onshore/offshore management

All solution providers must be able to articulate where their services will be provided from, including any remote support services. For example, with a ‘follow the sun’ support model, the locations of each of their support sites around the globe need to be identified. Any changes to these need to be communicated to the customer agency promptly and if this causes issues, the agency has the right to cancel the service with appropriate notification.

Service level management

Agencies will retain ultimate responsibility for service level management in any solutions engagement, which would ordinarily be covered by a Service Level Agreement (SLA). Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process.

Multi-service broker provision

Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.

Service management – performance and latency

The solution will provide appropriate built-in redundancy to achieve agency required levels of service. Typically this may be not less than 99.99% availability during operating hours, and for most agencies this would be a minimum 7:00am-7:00pm Monday to Friday. Some agencies may have a requirement for 24 hours, 7 days per week (e.g. Police and Emergency Services, Health, Transport). Bandwidth and latency expectations are to be defined and agreed up front.

Service management – disaster recovery

The solution is to have appropriate levels of disaster recovery built in to minimise downtime or disruption to the service. This element could include anything from a duplicated solution that is available immediately if the primary site fails, to a fully documented process for restoring services within SLA defined times.


DOCUMENT CONTROL

Document history

Status: Published

Version: 1.1

Approved by:

Approved on:

Issued by: ICT Services, Service & Digital Innovation, Department of Finance, Services & Innovation

Contact: ICT Services, Service & Digital Innovation, Department of Finance, Services & Innovation

Email: [email protected]

Telephone: (02) 9372 7445

Review

This standard will be reviewed as required.

APPENDIX A – DEFINITIONS

Term Description

As a service (aaS)

Refers to how the solution is provided. “As a service” usually refers to services that are delivered via the cloud rather than locally or on-site, although this is not always the case.

“As a service” solution components are usually funded from an operating expenditure budget, unlike capital-intensive ICT infrastructure and equipment.

Compute as a service

Using cloud infrastructure to deliver virtual data centre resources as a service, rather than as a capital expenditure. This data centre allows the consumer to build, configure and control their VMs. Compute as a service typically includes a self-service portal, orchestration tool and secure multi-tenant enabled shared infrastructure.

Disaster recovery environments

Environments that replicate production environments but do not carry production loads. Disaster recovery environments could include hot (available for instant promotion to production); warm (available for promotion to production within 30 minutes to 4 hours); and cold (available to take production environments once configured, normally 4-24 hours after an outage).

Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources. The consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Computing power, networking and storage are provided.

Network as a Service

A model for delivering network services over the internet on a pay-per-use or subscription basis. The network is virtual, and it is consumed as a utility.

Pre-production or Testing as a Service

Typical use cases could include testing and development projects or less critical workloads such as temporary applications.

Production environments

Environments that support service delivery (internal and external) to the customer.

Test, development and user acceptance testing environments

Environments that are used for non-production testing, development and/or user acceptance of systems in production. Requirements may vary from production-like environments down to basic configurations. These environments may not be required all of the time, most likely they will be required on demand for periods of time and could be shared among many customers.

Storage as a Service

This typically involves a larger organisation providing space in their storage infrastructure to a smaller organisation. This space can be rented or provided on a subscription basis.

This can be a convenient methodology for managing backups, and providing cost savings in personnel, hardware and physical space. Furthermore, the service can be used to mitigate risks in disaster recovery, provide long-term retention of records, or enhance business continuity and availability.

Tier 0 Storage

Transactional data requiring extremely high performance. Typically SLC solid state storage solutions.

Tier 1 Storage

Mission critical application data. Typically fibre channel Storage Area Network(s) (SAN) or SAS HDDs.

Tier 2 Storage

Less critical data that could be recovered after mission critical application data. Typically SATA disk arrays.

Tier 3 Storage

Data that is rarely used but needs to be retained for a variety of reasons. Typically stored on CD-R and/or tape.

Additionally relates to the regular backing up of data stored on other Tiers for the purpose of disaster recovery and similar events.

APPENDIX B – ABBREVIATIONS

aaS As a service

AIIA Australian Information Industry Association

ASIO Australian Secret Intelligence Organisation

CSA Canadian Standards Association

GovDC Government Data Centre

IaaS Infrastructure as a Service

ICT Information & Communication Technology

ISO/TC International Organization for Standardization / Technical Committee

IT Information Technology

OS Operating System

PCI-DSS Payment Card Industry – Data Security Standard

PTS Procurement & Technical Standards

SAN Storage Area Network

SLA Service Level Agreement

VM Virtual Machine

APPENDIX C – REFERENCES

Agencies should have regard to the following statutes, NSW Government policies and standards:

AS/NZS ISO 31000 Risk management – Principles and guidelines

ISO 27031-2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

ISO 27001 Information technology – Security techniques – Information security management systems – Requirements

Copyright Act 1968

Electronic Transactions Act 2000

Government Information (Public Access) Act 2009

Health Records and Information Privacy Act 2002

NSW Government Digital Information Security Policy

NSW Government Open Data Policy

NSW Government Cloud Policy

NSW Government Standard for Data Quality Reporting

NSW Government ICT Strategy

NSW Government ICT Technical Standards – Mobility Standard

NSW Government Information Classification and Labelling Guidelines

NSW Procurement: Small and Medium Enterprises Policy Framework

Privacy and Personal Information Protection Act 1998

Public Finance and Audit Act 1983

Public Interest Disclosures Act 1994

State Records Act 1998

TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector

APPENDIX D – STANDARDS

Developing technical standards

Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with industry and expert groups, including the Australian Information Industry Association (AIIA).

The following diagram outlines the process.

The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Department of Finance, Services & Innovation and includes senior representation from across NSW Government.

Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies’ requirements.

The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.

Management and implementation

There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value to, augment and complement other guidance, and they are continually improved and updated.

This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.

NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue.


Diagram (standards development process): Need for new or amended standard identified → Standard developed (Industry/agencies consulted) → Standard approved and released by PTS Working Group → Market engagement for services which meet the standard → Services added to Catalogue → Business requirements change