Agencies should ensure that the requirements of this Information Standard are applied within the general context of the due diligence, accountability and probity outlined in:

• Public Sector Ethics Act 1994;
• Public Sector Ethics Regulation 1999;
• Financial Management Standard 1997(FMS);
• State Purchasing Policy 2000;
• Public Records Act 2002;
• current Information Standards; and
• any other legislation that the individual agency operates under.

Regardless of ICT resource support or provision arrangements, for example, equipment may be leased, owned or provided by a Shared Service Provider (SSP) it is critical that the agency plans for and provides strategies to ensure that maintenance and disposal requirements are monitored and managed.

For example agencies should ensure that where ICT resources are leased, the sensitivity of data, maintenance and removal of data at the conclusion of leasing arrangements are considered in the establishment and planning of lease arrangements.

When planning strategies for managing ICT resources agencies should refer to the following resources for direction:

• The provisions of the Financial Management Standard;
• Queensland State Purchasing Policy;
• Agency Financial Management Practice Manual;
• Queensland Audit Office QAO Better Practice Guidelines for Non-Current Assets;
• Treasury, Financial Management Resource Centre;
• ICT Resources Planning (IS2);
• Information Security (IS18);
• Record Keeping (IS40); and
• Managing Technology Dependant Records (IS41).

To ensure effective implementation ICT resource management, appropriate and regular training should be provided to staff involved in the maintenance and disposal of ICT resources. With the increasing prevalence of multi-functional devices agencies should also monitor training to ensure that it continues to take into account the various types of devices used in storing and transmitting information.

Queensland State Purchasing, provide a number of purchasing training programs which address these issues.

Agency staff involved in the acquisition, maintenance and disposal of ICT resources should also have a general understanding of the terms and conditions contained within GITC.

• ICT Resources Planning (IS2);
• Information Technology and Telecommunications (IT&T) Purchasing (IS13);
• Record keeping (IS40);
• Retention and Disposal of Government Information (IS31);
• Managing Technology Dependant Records (IS41);
• Security (IS18); and
• Privacy (IS42).

Maintenance processes cover a wide range of activities including preventative, repair and upgrade maintenance, which may be the result of scheduled or non-scheduled activities. Agencies need to ensure that adequate policies and processes are in place to protect agency ICT resources and the information, which is contained on them during any maintenance process. Processes should also be reviewed on an ongoing basis to ensure that when new technologies are introduced that maintenance processes are in place.

When assessing and developing maintenance processes agencies should refer to:

• Information Security (IS18) and the accompanying Information Security Best Practice Supplement;
• Privacy (IS42) and accompanying Privacy Guidelines;
• RecordKeeping (IS40); and
• Managing Technology Dependant Records (IS41).

All contract maintenance service providers must be Government Information Technology Conditions (GITC) signatories. Government buyers who purchase from a supplier who does not have GITC accreditation, are not protected by the provisions of the GITC.

Detailed information on GITC arrangements including confidentiality, terms and conditions is available on the Government Information Technology Conditions website.

Maintenance contracts are normally considered as insurance against high repair costs and long down time should an item fail. The agency should base its decision to enter into a maintenance contract on consideration of cost justification vs. risk. Further information regarding the variations that agencies need to consider in managing maintenance contracts can be found in the Warranties and Maintenance Reference Sheet located in the Maintenance & Disposal Toolbox.

Warranties may be offered as an extension of warranty arrangements on ICT products at time of purchase. Although this may increase the initial purchase price of the item, there may be longer-term savings by not having to pay an annual maintenance fee. Further information regarding the variations that agencies need to consider in managing warranties can be found in the Warranties and Maintenance Reference Sheet located in the Maintenance & Disposal Toolbox.

Service or Operating Level Agreement (SLA/ OLA) are essential in ensuring that both agency and service providers have a clear understanding of their respective commitments associated with the terms and conditions of any ICT maintenance agreement.

Information relating to any warranty/maintenance agreements could be held as part of the Agency's resource register. Further details regarding the variations that agencies need to consider in developing and managing service agreements can be found in the Warranties and Maintenance Reference Sheet located in the Maintenance & Disposal Toolbox.

• IT&T Purchasing (IS13);
• Recordkeeping (IS40);
• Retention and Disposal of Government Information (IS31);
• Managing Technology Dependant Records (IS41);
• Security (IS18); and
• Privacy (IS42).

To ensure information and records are appropriately managed, agencies should refer to the RecordKeeping (IS40), Managing Technology Dependant Records (IS41) and Retention and Disposal of Government Information (IS31) before undertaking ICT resource disposal processes.

Destruction is the only method, which will completely remove all traces of data by memory devices (including volatile storage such as Random Access Memory (RAM)) or magnetic media. However, there are a small number of sanitisation methods that will reduce the risk of information being recovered. Agencies should refer to the Australian Communications-Electronic Security Instruction 33 (ACSI 33), for the sanitisation of magnetic media for these methods.

Agencies should also refer to Information Security (IS18) and the accompanying Information Security Best Practice Supplement when assessing and developing processes for the removal of information from ICT resources before disposal or re-use of the equipment. Agencies should also ensure that the provisions of Privacy (IS42) and accompanying Privacy Guidelines are also used to guide the development of processes for disposal.

Agencies should refer to the FMS and local agency delegation policy to determine agency processes for the disposal of ICT resources. Under the provisions of the FMS responsibility for the disposal of surplus resources rests with the Accountable Officer or delegate of the department/agency. Surplus resources should only be sold, traded-in or otherwise disposed of with the approval of the Accountable Officer and in the manner specified by that officer or delegated officer.

To ensure that resources and any residual information contained on ICT resources is rendered inoperable or retained as required, procedures should be developed to verify that the appropriate action is satisfactorily completed. Agencies should refer to Information Security (IS18) and the accompanying Information Security Best Practice Supplement when assessing and developing such processes.

ICT products represent a considerable investment and require special consideration when disposing of these items. Generally, the time to assess disposal options should coincide with forward procurement planning. Agencies should consider a number of options including:

• Disposal within Government;
• Trade in; and
• Disposal Outside Government