Governance

Agencies should have, or establish, governance functions around online delivery. 

Government agencies could appoint staff to key roles to inform effective online governance. For example, a senior manager could be appointed to be responsible for online strategy for the agency, and an online champion could be appointed as a skilled advocate of good practice online.

Chief executives of government agencies are ultimately responsible for their agency’s online channel, and can expect assurance that their investment in it is efficiently managed.

If necessary, agency staff responsible for online services should promote the benefits of formal online governance structures at senior levels, to:

• strengthen a strategic approach to their agency’s overall web presence
• foster good practice across the spectrum of online disciplines, from privacy and security, to usability and accessibility, to information and data management
• seek linkages with other online initiatives in their sector or in wider government, to maximise efficiencies and optimise the user experience
• ensure training programmes are in place that provide staff with the skills needed to manage online products in accordance with required standards such as security and privacy management and accessibility.

Responsibilities

For every online product that an agency operates, agencies should have clearly defined accountabilities and responsibilities defined by their online governance bodies.

Responsibilities of product owners

The product owner is a business manager who carries the accountability for a given system and ensures it is fit for purpose from a business viewpoint and is fit to operate on the public web.

If you are the business owner of an online product you are responsible for:

• assurance and formal acknowledgement that the product meets required standards in security and privacy management through a programme of periodic testing and assessment
• assurance and formal acknowledgement that the product meets required standards in accessibility and usability through a programme of periodic testing and assessment
• assurance that the product meets the requirements of the Public Records Act
• monitoring the costs of operating the online product
• ensuring there are measurement, monitoring and reporting frameworks, and their associated performance targets, to provide ongoing assurance that the product continues to meet both user and agency needs, and continue to justify investment
• engaging with users as appropriate, to assess the ongoing usability of the product
• ensuring adequate budget is available for ongoing development and continuous improvement throughout the product’s lifecycle, in response to changes in user expectations or technology
• managing the level of funding to allow for technical maintenance that can respond to changes in technology and the online threat landscape
• ensuring system managers and publishers receive adequate training, according to their need, in accessibility, privacy management and security.

Responsibilities of product managers

Product managers take responsibility for the day-to-day operations of an online product and are responsible for maintaining its operational readiness online.

If you are a manager of an online product you are responsible for:

• monitoring and reporting the metrics to enable business owners to provide assurance that the online product remains fit for purpose and continues to justify investment
• maintaining the required suite of documentation for the product, which should include:
  • standard operating procedures
  • incident response procedures
  • risk register
  • system security plan
  • security risk management plan
  • accessibility risk management plan

• managing periodic reviews, testing or assessment of compliance with required security, accessibility and privacy management standards
• ensuring maintenance procedures are carried out in accordance with service level agreements (SLAs) with hosting providers (internal or external)
• ensuring publishers and administrators of sites or services maintain appropriate levels of knowledge of accessibility, security and privacy management.