Module 3 – Project Planning

A project plan (sometimes called an implementation plan) sets out how each element of an IoT-enabled project will be delivered. It can help to mitigate risks that can undermine the success of a project. 

This module outlines considerations for the project planning phase:

  • roles, responsibilities and accountability – the multifaceted nature of IoT means it is essential that roles and responsibilities are assigned and understood for each aspect of a project, including data, cyber security, privacy, hardware, software applications and system architecture.
  • stakeholder engagement - proactive consultation with stakeholders at the planning phase (and revisited at major milestones) is vital to ensure that the project meets their requirements and will maximise the benefits.
  • data needs assessment and data obligations - a data needs assessment is needed to design the data requirements. This means understanding the desired business outcome, the data needs of stakeholders, limitations in the operating environment, and data governance and management practices. Data generated by government needs to be treated as a public asset and made available as widely as possible, in accordance with the NSW Open Data Policy.
  • Risk and obligations - IoT projects are susceptible to a wide range of risks due to the connected nature of IoT and the rapid pace of technological change. Risks may relate to cyber security, privacy, contract, data, procurement, people safety, legislation or technology. A risk and compliance assessment can help the project team to identify the internal and external obligations and risks, and outline actions to manage or treat them.
  • Privacy - Privacy by design is the process of proactively identifying privacy risks during the development of a project or initiative, so that risks can be mitigated as part of the design of the project. Privacy by design allows privacy to be ‘baked-in’ from the beginning so that your IoT solution is privacy-protective by default. This is important because once information is collected (personal or de-identified) there are obligations under NSW legislation (and Commonwealth legislation in some cases) about how data is held and accessed. It is recommended that NSW Government agencies do not collect personal information unless it is necessary.
  • cyber security - The devices that make up an IoT network are well-known in the information security community for being inherently insecure. It is essential that IoT devices do not contain vulnerabilities that are frequently observed in consumer IoT products (e.g. weak, guessable or hardcoded passwords; insecure network services; insecure ecosystem interfaces; lack of secure update mechanisms). It is important that the cyber security life cycle requirements are understood during the project scoping and planning phases, including those required by the NSW Cyber Security Policy.
  • Technology for IoT – the IoT architecture needs to consider the performance requirements, business continuity and back up requirements, and interoperability. This section summarises the key considerations when deciding what technology is needed.
  • Assurance - the process of providing independent confidence for projects. It can increase confidence in the project benefits and reduce the likelihood of investing in IoT solutions that are not fit for purpose, present unmanageable risks, do not deliver benefit or are not interoperable with existing or future technologies. The NSW Gateway Policy establishes three NSW Government assurance frameworks.