Discussion
IT Organisation Design
4. Since the 2022 proposal for change which only included a minor change in the IT team (the introduction of
a Senior Advisor Information Management), several key leadership positions within the IT leadership team
have become vacant along with other vacancies across the team.
5. A review of the current IT capability has identified that critical capabilities are not currently present in the IT
team, position descriptions are not aligned with activity performed, there is insufficient coverage for many
key roles, and leadership roles are missing key responsibilities.
6. On 6 August 2024 the Commission’s ELT approved the principles, scope & approach to design an IT
organisation that meets the current and future IT capabilities necessary to support the Commission and
delivery of the 2026 General Election.
7. This work is expected to be completed in late 2024 and will likely involve the disestablishment of several
positions within the team and potentially involve engagement with new suppliers for critical services.
8. The draft design work has assumed that certain capabilities will be better sourced from the market rather
than met with internal labour. These include the 24x7 monitoring and response of cybersecurity events
and software performance testing.
Operating Model & Capability
2. Analysis of FY24 expenditure with Catalyst identified that approximately
of annual expenditure
related to enhancement of its core software assets. After the delivery of the 2023 General
Election, the work programme related to this expenditure was unclear and focused on immediate lessons
learned from the event.
9. Improvements have since been made to the work management with Catalyst and the IT team, with
quarterly planning and prioritisation introduced that will support minor remediations and significant
initiatives, such as the project briefs from the GE2026 programme. An example of the FY25 Q1
commitments is included in Appendix 1, FY25 Q1 IT Commitments.
10. A review into the software testing capabilities of the Commission was conducted by Planit with support
from Catalyst in July and August 2024. The outcomes of this report are being reviewed by the Catalyst & IT
leadership and are expected to be presented to the ELT by October 2024.
11. Single points of knowledge risk exist across IT, particularly in the software applications team. These will
take time to remediate and are being considered as part of the IT Organisation Design activity.
Suppliers
12. The resignation of the Senior Manager, IT Services highlighted a critical capability gap in cyber security for
out-of-hours monitoring and response. While a short-term contractor has been engaged to provide
sufficient coverage, additional external services are likely to be required if the Commission expects 24x7
monitoring and response for its security environment.
13. On 31 May 2024, the IT team ceased engagements with BlueHex who provided a long-term contracted
consultant for IT architecture and cyber security services. A permanent capability was not established to
replace these functions, with the scope now included as part of the IT Organisation Design.
14. Account management focus with Catalyst has been on several areas, including compliance of billing and
cost-controls with the contract, re-instigating regular reviews of critical documents and management of
work programs. As mentioned in the August 2024 Finance update to the Board, we have worked closely
with Catalyst to determine the amount of spend that relates to improvements of our systems that we have
capitalised in our balance sheet at 30 June 2024.
15. We will continue to use the Frontier chris21 software for the management of payroll services for the
temporary workforce related to GE events while we focus on the uplift of payroll services & capabilities for
permanent employees. We will reassess this as part of our planning for GE2029.
16. Engagement with Deloitte for the support & management of the Data Platform was extended for another
12 months while the capabilities needed were reviewed as part of the IT Organisation Design activity.
Assets - Software
17. In FY24 Q1, the IT team undertook an internal assessment of its software assets to understand their
current quality condition and recommend investment treatments utilising the Gartner® ‘TIME’ framework –
Appendix 2, IT asset quality assessment summary.
18. It found that most of the Commission’s core software applications that support enrolment & election
management are in sufficient technical condition to support its current needs; however, the lack of a clear
software application or product strategy is limiting its understanding of their suitability to support the
Commission’s business operations.
19. It also noted that several assets require further review to determine their treatment in the short term, and
planned remediation activities continue for software assets at risk of technical or compliance failure.
20. The infrastructure software of the Commission is in good condition, and well placed to serve both current
and future needs, and investment in corporate software should be extended where appropriate as these
assets are also well placed to support future needs.
3. On 27 August 2024 the Commission’s ELT agreed that regular assessment of the Commission’s IT assets
is included as part of the year-one quality assurance activities.
21. The GE2026 Programme Board has approved the creation of a ‘Systems Modernisation & Foundations’
workstream that will develop the treatment plans and a software application strategy & roadmap for the
Commission’s core technology assets.
Assets - Hardware
22. Work has been completed on the sale of GE2023 related hardware and disposal of aged physical assets from
GE2023 and previous GE events. This involved the sale of 4,320 mobile phones, 1,030 laptops, 246
tables and 2,798 peripherals.
23. The sale of these assets exceeded the amount budgeted as part of the GE2023 General Election
Technology Project (GETP), however this activity required significant administrative overhead from both the
Commission staff and suppliers to achieve the positive outcome. The sell back of mobile phones, laptops,
docks and keyboards generated $1.188m vs the budget of $0.802m, an excess of $386k.
24. Future approaches to hardware sourcing for General Election events are expected to be discussed with lead
government agencies for procurement and market suppliers to determine if future approaches can provide
a better return for the government sector.
Information Management
25. Work continues for the information management improvements action plan with the development of the
information management ‘Managers Essentials’ module (IM roles & responsibilities) and completion of the
M365 Teams SharePoint Assessment (Integrity of information).
26. Progress has been delayed on several action plan items due to bereavement leave. Work remaining for
2024 includes updates to the Data and Information Management Policy (IM policy & process) and
development of further induction & training material (IM roles & responsibilities).
27. In April 2024 it was found that information held within a previously used cloud service known as LOOMIO
was at risk due to a leak of encrypted usernames and passwords. While the risk of compromise of this
information is low, remediation activity has been underway to classify, transfer and dispose of the
information held within LOOMIO and is expected to be completed with the decommission of the LOOMIO
service in September 2024.
28. The interruptions introduced by the COVID-19 epidemic that corresponded with the Commission’s
deployment of a new Enterprise Information Management System (EIMS) – Microsoft Teams, have resulted
in a significant sprawl of information across the Commission’s operating environment. Significant focus
and acceleration of aspects of the information management improvements action plan are being
considered to address this.
Cyber Security
29. As part of the development of the ‘IT Acceptable Use Policy’, vulnerabilities were found in the way the
Commission manages access to its environment from non-managed systems. Work on the policy was
delayed while these vulnerabilities were remediated, and it is expected that the new draft policy will be
completed in September 2024.
30. In the recent phishing simulation that tests the Commission’s staff’s risk to compromise by email-based
scam activity, 11.3% of users would have been compromised by this attack. Subsequently all users have
completed follow-up training and were successful in identifying a follow-up simulation. Regular phishing
simulations will continue as part of ongoing education and monitoring.
31. Recertification and accreditation of the Financial Management Information System (FMIS) – Microsoft
Dynamics is being completed as part of the phase-3 implementation of the solution.
32. Work is planned to recertify the Application Recruitment Tracking System (ARTS) – SnapHire in early 2025
as part of upcoming changes associated with the GE2026 program. The accreditation for use of this
solution expires in November 2024, and the CIO intends to approach the CE for an extension of the current
accreditation for this period.
33. Improvements to cyber security within the Catalyst managed environment are progressing, with the
intention to implement Endpoint Detection & Response (EDR) capabilities to enrolment systems by the end
of 2024. These capabilities improve the ability to detect and automatically respond to cyber security
threats such as viruses and malware.
Appendices
APPENDIX 1, FY25 Q1 IT commitments
APPENDIX 2, IT asset quality assessment summary