Distributed IT Governance

Distributed IT

While much of the University’s IT is centralised (Centralised IT) and managed by Information Technology and Digital Services (ITDS), including its security and protection, many Distributed IT assets continue to exist. Distributed IT assets are data, systems and services that are managed and maintained by staff locally in academic departments or research groups and/or outsourced to an external vendor for research and teaching purposes.

Types of IT Assets 

All University of Adelaide (UoA) Information Technology (IT) assets and services are categorised as either Centralised IT, Distributed IT or Specialist IT and must comply with the IT Acceptable Use and Security Policy (ITAUSP).

  • Centralised IT: IT assets and services managed primarily by Information Technology and Digital Services (ITDS)
  • Distributed IT: IT assets and services managed outside of ITDS by staff in academic departments and research groups
  • Specialist IT: a subset of Distributed IT that requires specialist knowledge and cannot be considered for future centralisation to Centralised IT

The 'Is this Distributed IT?' document illustrates some examples of what are and what are not considered Distributed IT.

Distributed IT Governance Framework 

The Distributed IT Governance Framework has been developed in collaboration with ITDS and Risk Services to address Distributed IT risk by applying a risk and compliance approach to security of Distributed IT. This spreads the burden of ensuring security controls across the business owners of Distributed IT, ITDS, and Risk Services.

The below roles have been defined for the management of Distributed IT.

Area Manager

Deputy Vice-Chancellors, Vice Presidents, Pro Vice-Chancellors, Executive Deans, Director Human Resources (and a person acting in these positions) and Institute Directors as defined in the University of Adelaide Enterprise Agreement.

Area Managers are accountable for business owners of Distributed IT in their area to ensure that business owners comply with the framework.

Area Managers are required to complete an Annual Declaration of Compliance with the Distributed IT Framework.

Business Owner

The person or a party that is ultimately accountable for the security of data and/or services provided by University IT.

Business owners are responsible for ensuring that the compliance steps described in this Framework are carried out in a timely manner, including development and maintenance of the Distributed IT Asset Register, Standard Control Library, and for documenting risks in the University Risk Register along with treatment plans.

IT Custodian

Any person that is responsible for the acquisition, implementation, and/or ongoing operations and maintenance of University IT under the direction of the respective business owner.

Distributed IT Custodians support the business owners to maintain the configuration and security of Distributed IT under their responsibility, including implementation of security controls in accordance with the ITAUSP and CSF standards.

At A Glance: Managing Distributed IT

Maintaining the same level of security in Distributed IT as Centralised IT is challenging due to lack of local IT capacity and experience. The Distributed IT Governance Framework comprises four key steps to ensure that Distributed IT assets (DITAs) are properly captured and their risks managed.

Resources

ITDS and Risk Services have developed a comprehensive set of resources to assist you in complying with the Framework.

For any further questions email the Distributed IT Squad at DistributedIT@adelaide.edu.au or your ITDS Liaison Manager.