Exemplar Digital Applications Ownership RASCI

Every application must have both an Application Business Owner and an Application Technical Owner - typically a UCD unit or school that has sufficient authority, skills, and resources to fulfil the role effectively. See Application Ownership Roles & Responsibilities.

The two Exemplar Digital Applications Ownership RASCI matrices, shown below, cover Application Ownership and Technical Management Responsibilities for Cloud-based and 3rd Party Managed Applications.

These should be reviewed, adapted, and agreed between the Application Business Owner and Application Technical Owner prior to acquiring, deploying, or developing an application.  

1. Responsibility Matrix for Application Ownership

Responsibilities / Tasks

Application Business Owner

Application Technical Owner

Governance

  • Adherence to Digital Governance Policy
  • Ensuring that a capable and resourced Technical Owner is appointed.

Proposed applications must adhere to the Digital Governance Policy, and have been reviewed by the Technical Assessment/Advisory Group.

Application Business Owner: A, R

Application Technical Owner: S

Defining Business Requirements

  • Defining vision and roadmap related to the application from a business perspective.
  • Strongest knowledge of the existing and emerging functional capabilities of the application.
  • Engaging with all stakeholders, including end users who use the application, to understand their needs and perspectives
  • Defining and assessing functional requirements, and performance and user satisfaction metrics.

Application Business Owner: A, R

Application Technical Owner: I

Defining Technical Requirements

  • Defining vision and roadmap from a technical perspective for the application.
  • Strongest knowledge of the existing and emerging technical capabilities of the application.
  • Defining and assessing technical requirements.
  • Making technical decisions relating to the application.

Application Business Owner: I

Application Technical Owner: A, R

Application Development/Selection

  • Ensuring that the application serves its intended purpose, meets the standards deemed acceptable by all stakeholders, and delivers value to the business.

An application should be selected based on evaluation of both functional and technical requirements, as provided and assessed by the Business Owner and Technical Owner.  

Application Business Owner: A, R

Application Technical Owner: S

Risk Management Decisions

  • Documentation, assessment, and acceptance of the overall risks associated with the application.
  • Updating of the school/unit/university risk register as needed.

Business Owner makes final decision on risk acceptance with Technical Owner consultation.

All users, including Business and Technical Owners, are expected to raise risks on discovery.

Application Business Owner: A, R

Application Technical Owner: C

Compliance with Regulatory and Legal considerations

  • Ensuring timely understanding of, and compliance with, laws and regulations.

Application Business Owner: A, R

Application Technical Owner: S

Performance Monitoring

  • Ensuring appropriate key performance indicators and metrics are in place.
  • Monitoring application performance (availability, incidents and events, etc.).

The Business Owner is informed of significant issues.

Application Business Owner: I

Application Technical Owner: A, R

Business Continuity

  • Business Continuity Planning in the event the application is not available.
  • Identify Business Criticality of this application.
  • Establish Recovery Objectives for this application, including how long the university can operate in the event that this application is unavailable.

Application Business Owner: A, R

Application Technical Owner: C

Procurement and Budget

  • Considering all aspects, capital and operational expenditures, including licensing, maintenance, and contracting for technical and business support services.
  • Securing funding
  • Ensuring that procurement is undertaken in accordance with university guidelines and public procurement regulations
  • Cost control

Technical Owner supports development of technical budget needs; Business Owner allocates and approves the budget.

Application Business Owner: A, R

Application Technical Owner: S

Vendor Management

  • Contract Management
  • Defining and reviewing Service Level Agreements (SLAs)
  • Ensuring Terms and Conditions, including agreed SLAs, are upheld
  • Maintaining the overall relationship with vendor(s) and consulting with them on areas of concern
  • Working with providers and vendors to understand new features and functionality.
  • Working with providers and vendors to understand new technical features and functionality.

Includes management of service provider(s) and third party contractors.

Application Business Owner: A, R

Application Technical Owner: S

Change Management and User Support

  • Customer Focus, ensuring that the application meets user needs and provides a positive user experience
  • Enabling user capability on the application e.g. leads communication, awareness & training.
  • Organisational change management activities
  • Providing operational support for business users, including overseeing of policies, procedures and training documentation.
  • Understanding of the business capabilities and processes that the application supports.
  • Adherence to Accessibility standards (e.g. W3C WCAG 2.1, ISO/IEC 40500) and legislation (EU Directive 2016/2102)

Application Business Owner: A, R

Application Technical Owner: C

Identity, Account Management and Role Based Access

  • Lifecycle management of user accounts (provisioning, ongoing management and deprovisioning) 
  • Enforcing policies and procedures to ensure the proper separation of duties, role based access, and least-privileged access for all users

Application Business Owner: A, R

Application Technical Owner: S

Data Management and Protection

  • Protecting data from unauthorised access, theft, and loss
  • Ensuring compliance with regulations, including addressing GDPR compliance.
  • Notifying the UCD DPO of any data breach in line with the data sharing agreement
  • Providing features to help customers comply with their privacy and legal obligations

For applications that process or store confidential or sensitive personal information, UCD IT Services strongly recommends the use of an external company to conduct a security assessment. IT Services will be able to provide you with a list of security partners to assist with the assessment.

Other key considerations that fall under Data Protection include Privacy Statements, DPIA, DPA, ROPA.

Application Business Owner: A, R

Application Technical Owner: S

Periodic Quality Review and Evaluation

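  • Determining the business fit of the application on an ongoing basis.
  • Determining the technical fit of the application on an ongoing basis.

Business fit - Application Business Owner: A, R; Application Technical Owner: I

Technical fit - Application Business Owner: I; Application Technical Owner: A, R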

Technical Delivery and Support

  • Providing appropriate level of technical skills and competency to understand the technical architecture
  • Providing technical support for the application and putting in place appropriate measures to ensure the security and availability of the application.
  • Managing how the application integrates and interoperates with other systems
  • Advising of the intended use of application programming interface (API) services or other integrations.
  • Lifecycle management of system accounts (provisioning, ongoing management and deprovisioning)
  • Disaster Recovery Planning.
  • Ensuring that capable Technical Management * resources are in place for the configuration and management of technical components.

* The “Technical Management Responsibilities Matrix” below outlines in detail the responsibilities related to technical management (as opposed to Technical Ownership).

Application Business Owner: C

Application Technical Owner: A, R

Application Security

  • Overall security of the application.
  • Ensuring appropriate security measures are in place to prevent and detect security risks
  • Continuously monitoring logs for threats, and maintaining intrusion prevention measures such as MFA, anti-virus protection, etc.
  • Ensuring appropriate security measures to safeguard data, such as encryption, access controls, and system and data backups (including verifying that backups are being performed according to expectations).
  • Protecting data from unauthorised access, theft, and loss.
  • Defining and assessing security requirements
  • Establishing security best practices, standards and policies
  • Requesting, engaging and reviewing external security reviews and third party assurances from the application vendor regarding relevant security measures
  • Providing feedback on security risks to the Business Owner
  • Notifying IT Services of security incidents

Application Business Owner: S

Application Technical Owner: A, R

Application Upgrades and Patches

  • Scheduling and coordinating upgrades

Application Business Owner: A, R

Application Technical Owner: S

Change Control and Communications

  • Ensuring that technical changes are raised with, and assessed by, the appropriate technical governance authority before changes are made.
  • Ensuring that functional changes are adequately assessed, tested and verified for use within UCD and communicated to all stakeholders impacted.

Technical Owner manages technical changes; Business Owner approves and communicates changes to stakeholders.

Application Business Owner: R, S

Application Technical Owner: A, R

2. Technical Management Responsibility Matrix for Cloud-based and 3rd Party Managed Applications

There must always be an Application Technical Owner in UCD ultimately accountable for the technical delivery and security of the application, even where responsibility for carrying out specific technical management tasks has been shared or devolved to one or more third parties. As such, it is critical that a clear demarcation of roles and responsibilities is established. 

The table below may assist. It should be completed by the Application Technical Owner in conjunction with the third party service provider(s) (e.g. cloud service provider, vendor, third party teams), so that it is clear and unambiguous who is responsible for the outlined management tasks related to the delivery of the service.

This is aligned to the UK National Cyber Security Centre’s Cloud Security shared responsibility model.

Technical Management Responsibilities Matrix for Cloud-based and 3rd Party Managed Applications

| Responsibilities / Tasks | (UCD) Application Technical Owner | Third Party Service Provider (e.g. cloud service provider, vendor, third party teams) |
| --- | --- | --- |
| Ensuring that the service can meet UCD's technical requirements | A, R | |
| Securely configuring the services that you have chosen to use | A, R | |
| Deciding which data you store in the services you use | A, R | |
| Management of the Application Configuration (including accuracy of customer/UCD data) | A, R | |
| Management of Identity and Access Controls | A, R | |
| Management of Application Data Storage (e.g. database schema, block and file level storage systems) | | A, R |
| Management of Application | | A, R |
| Management of Operating System | | A, R |
| Management of Network Flow Controls | | A, R |
| Management of Host Infrastructure | | A, R |
| Management of Physical Security | | A, R |

RASCI Roles and Descriptions

| RASCI | Description |
| --- | --- |
| R - Responsible | Does the work. Others can be asked to assist in a supporting role. There is just one responsible person for any given task. |
| A - Accountable | Ultimately answerable for the correct and thorough completion of the work. There is just one accountable person for any given task. |
| S - Supports | As part of a team, roles with a support function work with the person responsible. The support role helps complete the task. |
| C - Consulted on | Those whose opinions are requested and with whom there is two-way communication. The consulted role does not help complete the task. |
| I - Informed | Those who are kept informed of progress. |

UCD IT Services

Computer Centre, University College Dublin, Belfield, Dublin 4, Ireland.

Contact us via the UCD IT Support Hub: www.ucd.ie/ithelp