This process is written to comply with requirements in the Asset Management Framework (AMAF) overseen by the Victorian Department of Treasury and Finance.
AMAF is a framework used to measure the maturity of government asset management across all asset classes (IT, buildings, vehicles etc). Although this is a generic asset framework, it can be applied in the context of the IT asset class (when interpreted through an ITIL lens).
Please contact the Cyber Security Branch at vicgov.ciso@dpc.vic.gov.au to access the AMAF 41 Processes – IT Asset Class Considerations resource for a suggested interpretation.
Other frameworks were considered such as COBIT, IT-CMF and ISO 19770, however AMAF is recommended for the following reasons:
- The 41 process areas of AMAF allow IT asset management to be measured at a manageable and useful level of detail (not too high level nor too low level)
- Many Victorian Government organisations are already measuring the maturity of their overall asset management, and in some instances their IT asset management, using AMAF
- AMAF is a mandatory framework (underpinned by the Financial Management Act) for many Victorian Government departments and agencies
AMAF describes the following end-to-end asset lifecycle:
AMAF also provides a self-assessment Compliance Tool with which the 41 process areas can be allocated one of the following maturity levels:
- Innocence (level 0)
- Awareness (level 1)
- Developing (level 2)
- Competence (level 3)
- Optimising (level 4)
This tool can be used to measure the maturity of the IT asset class (as well as other asset classes).
Some organisations will also be assessing some of their IT asset management processes against VPDSS requirements which uses a similar 5 tier system (the tiers being: Informal, Basic, Core, Managed, Optimising).
It is recommended that all Victorian Government departments and agencies achieve and maintain a minimum level of Competence (level 3) for all 41 AMAF processes in the domain of IT asset management.
It is recommended that the level of Optimising (level 4) should be achieved and maintained for the following specific IT assets:
- IT assets that process or hold Protected or above data, or have one or more OVIC Integrity or Availability Business Impact rating of 3 (Major) or above
- IT assets containing Personal Information (as per Privacy and/or Health Acts)
- Internet-facing IT assets (including webservers, network perimeter devices, SaaS, PaaS and IaaS).
AMAF requires a generic asset self-assessment against these 41 process areas every three years, however it you have an active IT asset management uplift project or BAU (business as usual) activity in progress, it is recommended redoing the self-assessment every 6-12 months to measure and demonstrate progress. Note that the first time an AMAF maturity assessment for the IT asset class is undertaken may take more time and effort than subsequent assessments.
Updated