Skip to content.
|Networking government in New Zealand.
You are here: Home » Standards » Web Guidelines » General Resources » NZ Government Web Site Outsourcing Guidelines

NZ Government Web Site Outsourcing Guidelines

Foreword

Purpose

The NZ government web site outsourcing guidelines accompanies the NZ Government web standards and recommendations version 1.0.

The purpose of this document is to provide guidelines for NZ government agencies tendering and contracting for web development and hosting services.

It is not intended to be a comprehensive guide and should not be used as the only basis for requests for proposals (RFPs) or contracts.

This document also covers domain name registration.

Audience

Business and web site managers and vendors should read these guidelines.

Current version

The current version of the NZ government web site outsourcing guidelines is Version 1.0, last revised in January 2007.

To print this document, download the RTF [120KB]

Anyone can suggest changes to the NZ government web site outsourcing guidelines, by sending comments to web.guidelines@ssc.govt.nz. Suggestions will be evaluated and may be included in future revisions.

All major revisions to the NZ government web site outsourcing guidelines supersede earlier revisions.

Feedback

Please supply feedback on the readability, usability and accessibility of this document by email to web.guidelines@ssc.govt.nz.

Outsourcing Guidelines

Although these are Guidelines, as stated under Purpose above, there are however three (3) standards (mandatory requirements) included that are relevant to outsourcing.

These standards are in and part of the NZ Government web standards and recommendations. Reference to the appropriate sections of this document should be made for further details relating to these standards.

Tendering and contracting

Minimum Procurement Standards and Procedural Requirements

International trade agreement commitments require New Zealand government departments' procurement requirements to be notified publicly and encourage the use of electronic means for this. Accordingly, the Mandatory Rules for Procurement by Departments require Public Service Departments, New Zealand Defence Force and New Zealand Police to use the Government Electronic Tenders Service (GETS). While this requirement does not extend to wider public sector agencies, they are encouraged to apply the Mandatory Rules for Procurement and make use of GETS.Refer to standard 23.1 in the NZ Government web standards and recommendations.

Agencies are also required to post on their web site brief details of contracts awarded for purchases of goods or services above the threshold value as stated for purchases of goods and general services (refer government procurement site http://www.procurement.govt.nz) and, in relation to contract awards that are the outcome of an open invitation to tender/register interest, provide the same information directly to the Industry Capability Network New Zealand (ICN), for posting on the ICN's GETS web site. The department must also arrange with the ICN the establishment of a permanent hyperlink from the GETS web site to the page on the departmental web site where all published contract award information is posted.

Resources

http://www.med.govt.nz/pubs/publications-01.html#P86_3271

http://www.procurement.govt.nz

Tender document inclusions

Tender documentation (RFIs, RFPs, etc) and final contracts must make compliance with the Web Standards and Recommendations a requirement. Refer to standard 23.2 in the NZ Government web standards and recommendations.

It may also be appropriate to explicitly specify compliance with other government policy and standards referenced in the Guidelines.

Major IT projects

A major IT project is a new initiative, an ongoing development or acquisition project, an operational system, or other type of IT project (including studies against existing contracts) that meets any any one or more of the criteria as defined in the Cabinet Office paper CO(01)4 (http://www.dpmc.govt.nz/cabinet/circulars/co01/4.html), under item 11 - Major IT project: defining criteria

Resources

Guidelines for Managing and Monitoring Major IT Projects

Domain name registration

A separate policy covering domain name registration and use is currently being drafted and will be linked to from these Guidelines.

Web development services

Responsibilities

In contracts, you should clearly distinguish the supplier’s and the purchaser’s responsibilities to:

  • design
  • liaise with the host
  • provide content
  • test and correct bugs
  • maintain and update the site
  • promote the site.

Intellectual property

In contracts, you should specify who owns the intellectual property for all aspects of the design (including scripts and other coding).

Support

Contracts for on-going support of the web site should clearly distinguish what is maintenance and what is new development requiring a separate contract. Specify services levels for the support being contracted.

Hosting services

Security

All government web sites must comply with the Minimum Standards for Internet Security in the New Zealand Government. See Section 8, Annex A, Security in the Government Sector.

Agencies should ensure that hosted sites, both in-house and by an external vendors, are covered by a comprehensive documented security policy. This should specify

  • the physical and electronic security of the hosted site
  • routine and emergency security procedures including reporting security threats and breaches.

Agencies should test the host’s compliance with the security policy, including penetration testing.

Resources

Departmental Security Officer or the Departmental IT Security Officer should be consulted before setting up hosting arrangements.

Government security publications are available from the Government Communications Security Bureau.

Disaster recovery

A comprehensive disaster recovery plan is set out whether the site is hosted in-house or hosted externally in which case this should constitute part of the contract.See recommendation 31.1.1 in the NZ Government web standards and recommendations.

Routine backup procedures

The disaster recovery plan covers the host’s routine backup procedures and sets a maximum time for recovery from failure.

Maintain separate backups

The agency should keep separate backups of documents and data from those held by the host.

Connection guarantees

Contracts with hosts should specify guaranteed connectivity or uptime for the hosted site. The connectivity guarantee should be carefully worded to reflect the business requirements of the web site and is specific about measurement and periods measured. While having no downtime is important for the business of e-government, 100% connectivity can only be guaranteed if the site is mirrored using more than one server in different locations.

Connection guarantees should be carefully worded to reflect the business requirements of the web site, being specific about the measurements and periods measured. For example, 99.5% uptime over a year is equivalent to 44 hours downtime per year or roughly 3.5 hours per month. While 3.5 hours downtime in a given month may meet the requirements of your business, one continuous period of 44 hours downtime may not.

The contract should also detail escalation procedures and timeframes, and agreed responsibilities and penalties.

Technical Support

Contracts should specify

  • telephone technical support
  • monitoring the site

both of which should be available around the clock.

Bandwidth

Bandwidth requirements are difficult to predict. Whatever arrangement is made with your host, you should make sure contracts allow you to make changes to meet demand. You should specify the terms for higher or lower bandwidth requirements, including the amount of notice required and the cost involved.

Other requirements

Contracts should specify any other requirements necessary to support the site, such as database integration, scripting support and access to the server and server logs.

Web server statistics

Contract should specify that the host provide statistics for:

  • Page visits (hits alone are misleading)
  • Unique visitors (based on visits from unique IP addresses at lengthy intervals)
  • Successful requests
  • Unsuccessful requests
  • Most frequently visited pages
  • Least frequently visited pages
  • Most common entry pages
  • Top referring sites
  • Search terms used

Site managers should retain server logs and ensure that statistics are available across the agency for business planning.

Pricing

Contracts should set out the cost of:

  • Additional bandwidth
  • Differential charging for international and national traffic
  • Additional disk space
  • Additional software
  • Surcharges on quarterly as opposed to annual payments
  • Maintenance of any hardware provided as part of the contract.

Privacy

When contracting with a service provider, the contract must specify that the provider must not independently collect, or reuse data gained in the course of providing the service. This includes (not exhaustively) data collected in the course of operating the web server, including cookies, click-stream data, HTTP request header information or upstream monitoring.

This does not relieve the contractor of their obligations under the Privacy Act 1993.

This is also Standard 23.3 in the NZ Government web standards and recommendations.

The reader is strongly recommended to refer to the Privacy Act 1993 section (see Policies) for further details regarding privacy with respect to web site hosting.