Distributed IT Governance
Distributed IT
While much of the University’s IT is centralised (Centralised IT) and managed by Information Technology and Digital Services (ITDS), including its security and protection, many Distributed IT assets continue to exist. Distributed IT assets are data, systems and services that are managed and maintained by staff locally in academic departments or research groups and/or outsourced to an external vendor for research and teaching purposes.
Types of IT Assets
All University of Adelaide (UoA) Information Technology (IT) assets and services are categorised as either Centralised IT, Distributed IT or Specialist IT and must comply with the IT Acceptable Use and Security Policy (ITAUSP).
- Centralised IT: IT assets and services managed primarily by Information Technology and Digital Services (ITDS)
- Distributed IT: IT assets and services managed outside of ITDS by staff in academic departments and research groups
- Specialist IT: a subset of Distributed IT that requires specialist knowledge and cannot be considered for future centralisation to Centralised IT
The 'Is this Distributed IT?' document illustrates some examples of what are and what are not considered Distributed IT.
Distributed IT Governance Framework
The Distributed IT Governance Framework has been developed in collaboration with ITDS and Risk Services to address Distributed IT risk by applying a risk and compliance approach to security of Distributed IT. This spreads the burden of ensuring security controls across the business owners of Distributed IT, ITDS, and Risk Services.
The below roles have been defined for the management of Distributed IT.
| Role | Description |
| --- | --- |
| Area Manager | Deputy Vice-Chancellors, Vice Presidents, Pro Vice-Chancellors, Executive Deans, Director Human Resources (and a person acting in these positions) and Institute Directors as defined in the University of Adelaide Enterprise Agreement. Area Managers are accountable for ensuring that business owners of Distributed IT in their area comply with the framework. Area Managers are required to complete an Annual Declaration of Compliance with the Distributed IT Framework. |
| Business Owner | The person or party that is ultimately accountable for the security of data and/or services provided by University IT. Business owners are responsible for ensuring that the compliance steps described in this Framework are carried out in a timely manner, including development and maintenance of the Distributed IT Asset Register, Standard Control Library, and for documenting risks in the University Risk Register along with treatment plans. |
| IT Custodian | Any person that is responsible for the acquisition, implementation, and/or ongoing operations and maintenance of University IT under the direction of the respective business owner. Distributed IT Custodians support the business owners to maintain the configuration and security of Distributed IT under their responsibility, including implementation of security controls in accordance with the ITAUSP and CSF standards. |
At A Glance: Managing Distributed IT
Maintaining the same level of security in Distributed IT as Centralised IT is challenging due to a lack of local IT capacity and experience. The Distributed IT Governance Framework comprises four key steps to ensure that Distributed IT assets (DITAs) are properly captured and their risks managed.
Resources
ITDS and Risk Services have developed a comprehensive set of resources to assist you in complying with the Framework.
- Distributed IT Governance Framework
- Distributed IT Governance Course on MyUni (compulsory for Business Owners and IT Custodians)
- Distributed IT Risk Management Guide
- Distributed IT Risk Process
- Distributed IT Vendor Management Guide
- Templates:
For any further questions, email the Distributed IT Squad at DistributedIT@adelaide.edu.au or your ITDS Liaison Manager.