Software application risk assessment procedure

Intent

To ensure that RMIT records (in applications small or large) receive an appropriate level of protection and classification at the point of creation of a new system.

This procedure supports the objective of the Information security policy and the Records management policy that:

Managers of any project or change activity with the potential to impact upon records or recordkeeping practices (for example, a process change involving the development of a business information system) must consult with the Records Management Unit at an early stage of project development, to enable assessment of records management compliance and impact.

Scope

This procedure relates to all software applications that manage RMIT records and are created or managed by or on behalf of RMIT, regardless of location (cloud, external server, etc.).

This procedure applies to all RMIT operations including those of the RMIT Group, outsourced providers, offshore partners and any contractor or other body engaged by RMIT.

Compliance is required by all RMIT IT users (e.g. employees, officers, staff, contractors, students), systems/infrastructure, applications and networks.

RMIT must ensure the applications it procures, uses or develops follow this procedure.

Exclusions

Applications which are facilitative only and do not create original records.

Procedure steps and actions

Each step below sets out the procedure (including key points), the responsibility and the timeline.

RMIT Systems must follow the following steps where applications store or create RMIT records:

1. Criteria for risk identification

Procedure (including Key Points)

The Impact Assessment Template must be used to identify:

    a) Risks identified and mitigated via the Risk management procedure

    b) Risk of privacy breach assessed and mitigated, with consideration of the ‘Cross Border Data Flows’ principle and location of physical servers.

    c) Classification of system in accordance with the Records security classification procedure

    d) Records retention and migration strategies identified (if any).

Responsibility

    a) Proposed application owner prepares the Impact Assessment Template in consultation with the relevant areas noted on the template.

    b) Proposed application owner forwards the Impact Assessment Template to nominees identified on the form.

Timeline

    a) As identified in the Project Governance Guideline; as soon as possible during development of the application.

    b) Impact Assessment Template to be reviewed within 10 days of receipt.

2. Non-compliant applications

Procedure (including Key Points)

    a) For applications that are assessed as non-compliant, a progressive compliance plan must be undertaken to meet regulatory compliance (outlined below).

    b) The Sponsor of the project must sign off on the action plan to mitigate the risk or, if required, on the decision to accept the risk without implementing mitigating actions.

Non-compliance with the requirements of this procedure is subject to the Compliance breach reporting procedure.

Responsibility

Proposed application owner prepares the documentation in consultation with the relevant areas (see “Interpretation and advice” below).

RMIT staff members use the Compliance breach reporting procedure to report breaches to the Manager, Compliance.

Timeline

Occurs before implementation of the application/finalisation of the project.
