Now that’s a mouth-full!
Mike alerted me to this interim document put out by the State Services Commission of New Zealand. The document seeks to give some guidance to government agencies looking at using offshore ICT providers and seek to help agencies take a professional approach to considering offshore as an option to improve service delivery. It is intended as a risk assessment resource and aims to retain control over government information systems and assets.
So what does it say?
- Detailed risk reports should be completed when looking to offshore ICT services. This assessment should determine location of where information will be stored and the specific classification level of any data being transferred
- Processes should be in place to manage the ongoing relationship to react to "political, legislative, business, systems, environmental, and cultural" changes
The risks of offshoring are split across;
- Big picture risks: risks that may put a proposal out of consideration regardless of its other virtues
- Trust and public confidence risks: how a proposal may adversely affect the Trusted State Services Development Goal for the New Zealand State Services.
- Control risks: the need to maintain control over data as required by, for example, the Public Records Act 2005.
- Governance, management, and project risks: difficulties that may arise when management of a business function or project is geographically dispersed.
- Economic risks: following procurement policy while considering possible effects on the larger New Zealand economy of an offshore proposal.
- Business continuity risks: government responsibilities in maintaining capability in the country in the event of an emergency or a service provider failure.
- Security and integrity risks: includes industrial espionage, social disruptions, terrorist threats, and data corruption.
- Privacy risks: threats to government held personal information if sent offshore.
- Legal and commercial risks: practical and legislation-related risks of doing business outside New Zealand.
- Fiscal risks: currency fluctuations, offshore taxes, and other financial risks.
From an initial read it seems that the concerns can be split into two main camps;
- Project management, cultural, IT resistance and security risks
- Jurisdictional risks caused by offshoring
My take on it is that the first issue has some easy fixes. Clearly there is a need for good management of SLAs, excellent due-diligence of potential providers and a true TCO/ROI analysis of the different options. This coupled with some excellent project management should take what is a complex, multi-dimensional problem and deliver a robust outcome.
That part was easy. The second issue less so.
The fact is under the current cloud computing models, we don’t know where our data is and have no idea of the jurisdictional ramifications of a solution that sees bits stored in multiple locations.
Answer? A domestic datacentre with scale. We already know that there are issues with the limited outbound pipes we have as a nation, and with the imbalance in terms of outbound and inbound data. Seems that that, coupled with concerns by Government agencies about the offshoring of ICT outsourcing, builds a reasonably compelling case for a locally sited data centre – both in terms of traffic management and security assurance.
I’d be keen to hear the sage thoughts of the ICT intelligentsia out there on this one…