TechniClick - GWEA & EA Governance

GWEA Framework & EA Governance By Willie Needham (Chief Enterprise Architect, SITA) 11 September 2009 (GITOC Techni-Click – Durban)

Agenda

Introduction – “The Problem”

A Governance perspective

GWEA Perspective

Conclusion

Objective: Sell more Cola in Middle East

Challenge: Language

Solution: Use Pictures

Outcome: Drop in Cola $ales

Why: They read from RIGHT-TO-LEFT

More than a technical challenge

Introduction – The Problem “ One's mind, once stretched by a new idea, never regains its original dimensions.” - Oliver Wendell Holmes

The Interconnectedness of Government

Activities in Government do not occur in isolation

Government is large, complex and interconnected

Its systems are large, complex but disconnected

The disconnected nature of systems within Government has a major impact on the lives of its Citizens and the quality and efficiency of the services Local Provincial National Social Development Correctional Services DTI Labour SARS Agriculture Home Affairs Justice Secret Service Water Affairs & Forestry Transport Housing Education Public Works SAPS SASSA Health Safety & Security

Information Sharing in Government Today

Limited ‘integration’ is based on exchange of flat-files established on an as-needed basis:

Requires time consuming negotiations with individual organisations

Entities not set-up for information sharing (no established infrastructure or dedicated and skilled resources)

Have to redefine mechanisms from scratch

No use of standards

No consistency across government

Based on ‘make-do’ infrastructure

No reusability

Tends to be batch based with long update cycles

Disconnectedness - Social Cluster Example

Tackling poverty remains one of Government’s top moral and political imperatives yet getting help from Government remains difficult

Citizen has to ‘integrate’ Government by following arduous administrative processes

Gathering proof-of-eligibility alone can often take up to 24 months

Other impacts include:

Duplication of administrative processes

Fraud and double-dipping

Labour SARS Home Affairs UIF Housing Education Public Works SASSA Local Gov Land Affairs Gather proof of plight Prioritisation and access for public works programme Exemption from school fees Access to housing subsidy Diversion to economic activity and enrolment totraining programme Access to Free Basic Services Access to Grant Accessing Social protection services

Disconnectedness - Justice Cluster Example

The justice system is still plagued with inefficiencies

Crime reporting and response is a nightmare for citizens

Evidence gathering and collaboration for prosecution a challenge (missing dockets etc)

Prisoner Identity swapping

Children in conflict with the law imprisoned with hardened criminals

Cases involving child abuse not reported to social workers

Inadequate probation services

SAPS SARS Home Affairs Other Gather evidence and related info Probation Service Juvenile detention Child Protection Investigate Arrest NPA DoJ DCS DSD Prosecute Adjudicate Detention Person Exhibit ID Case

Challenges

Diverse and Fragmented ICT Planning Frameworks and Processes.

Proprietary “extensions” to Open Standards.

Technical standards quagmire (balancing the right mix).

The priority of Performance over Conformance result in low levels of interoperability.

Regulation and Security complexities often default to isolation of systems.

Incomplete ICT System inventories in Government.

So where are we? ?

A Governance perspective “ Sometimes when I consider what tremendous consequences come from little things… I am tempted to think there are no little things.” - Bruce Barton

Talk to each other

“ Government IT systems must talk to each other”…

Minister Public Service & Administration,

7 October 2000

Government ICT House of Values* * From e-Government Policy, SITA Regulations & SITA Act (amended) Security Interoperability Reduced Duplication Economies of Scale Digital Inclusion Lower Cost Citizen Convenience Increased Productivity ICT Planning (GWEA) -> ICT Acquisition -> ICT Operations ICT Value Principles Means/Services

Regulatory drivers*

Chap 1, Part III:B,C – Strategic Planning

Define Core Objectives

Describe Core and Support Activities

Specify the Functions & Structures

Specify the Main Services to customers

Chap 1, Part III.E – Information Planning

Establish an Information Plan

Establish an Information Infrastructure Plan ; and

Establish an Operational Plan to implement the above

Chap 5 – e-Government Compliance

Comply with “ICT House of Values”

Comply with MISS (Security Standard)

Comply with MIOS (Interoperability Standard)

* Public Service Regulations, 2001 (amended Mar 2009)

ICT Governance Overview

Governance defined

Governance is derived from the Greek verb κυβερνάω [ kubernáo ] which means to steer.

Corporate governance is the set of processes , customs, policies, laws, and institutions affecting the way a corporation (or company) is directed , administered or controlled. The principal stakeholders are the shareholders/members, management, and the board of directors.

ICT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s ICT sustains and extends the organisation’s strategies and objectives.

So, it’s a … Virtual Structure of Leaders (PEOPLE) responsible to “ DIRECT”, “MONITOR” & “ENSURE” Performance and Conformance of Strategic Resources

ICT Governance in Context

King III on ICT Governance (ICTG)

5.1 ICTG is Board responsibility

On the Board Agenda

IT charter & policies implemented.

Awareness & common ICT language.

ICT control framework implemented

Effectiveness of ICT controls.

5.2 Align ICT and company objectives

ICT strategy integrated with company’s strategy/processes.

Improve performance through ICT.

5.3 ICTG Framework

Structures, processes and mechanisms for the ICT governance.

ICT SteerCom to support ICTG

Appoint a CIO; as executive.

5.4 Monitor ICT investments and expenditure

Value delivery of ICT and monitor ROI.

IP in information systems are protected.

ICTG for outsourced ICT services.

5.5 ICT an integral part of risk management

Adequate business resilience for disaster recovery.

Complies with ICT laws and that ICT related rules, codes and standards.

King III on ICT Governance

5.6 Information assets are managed effectively

systems in place for the management of information which should include information security, information management and information privacy.

All personal information is treated by the company as an important business asset and is identified.

Information Security Management System is developed and implemented.

Approve the information security strategy and delegate and empower management to implement the strategy.

5.7 A risk committee and audit committee should assist the board in carrying out its ICT responsibilities

IT risks are adequately addressed.

appropriate assurance that controls are in place and effective in addressing IT risks.

Consider IT as it relates to financial reporting and the going concern of the company.

Consider the use of technology to improve audit coverage and efficiency.

COBIT – IT Governance Focus Areas

Strategic alignment

Link Business and IT plans (IT Value proposition)

Align IT operations with Business Operations

Value delivery

Ensure IT delivers to promised benefits/value

Optimising costs and Value of IT.

Resource management

Optimal investment

Manage IT resources (applications, information, infrastructure and people).

Risk management

Risk awareness and appetite by senior corporate officers.

Understanding of compliance requirements

Assign risk management responsibilities into the organisation.

Performance measurement

Tracks/Monitors strategy implementation - BSC (projects, resource, process and services)

COBIT - Align Business with EA for IT

COBIT Processes (34)

ISO 38500 Principles

Principle 1: Responsibility

Individuals and groups within the organization understand and accept their responsibilities.

Principle 2: Strategy

The organization’s business strategy takes into account the current and future capabilities of IT.

Principle 3: Acquisition

IT acquisitions are made for valid reasons; clear and transparent decision making (balance between benefits, opportunities, costs, and risks).

Principle 4: Performance

IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5: Conformance

IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

Principle 6: Human Behaviour

IT policies, practices and decisions demonstrate respect for Human Behaviour

ISO38500 ICT Governance Model Business Processes DIRECT EVALUATE MONITOR ICT PROJECTS ICT OPERATIONS Proposals Plans Policies Performance Conformance ICT Governance

Are Governance Models all aligned?

GWEA / MIOS Governance Structure (draft) Minister PSA SITA Exec Gov CIO GITOC AGB GITO ARB GWEA/MIOS National Provincial Public Entities AGB = Architecture Governing Board (Central) ARB = Architecture Review Board/Committee (Departmental) SCARC ISS e-Gov Projects Procure KIM OSS Other GITOC Committees EACOM

GITO Council

Departmental Engagement Model CIO/GITO ICT Planning & Governance DEPARTMENT 1 2 3 4 … 5 6 7 Internal Service Agreements/Contracts Procurement & Development ICT Operation & Support SITA Business Agreement & Service Level Agreements (SITA ACT) EA Services Procurement & Development Services ICT Infrastructure Services INDUSTRY Transversal Contracts

EA In Government “ All models are wrong, but some are useful” George Box, Edward Deming

MIOS / GWEA Product Evolution 2001 - 2003 ODF GWEA v1.0 GWEA v1.2 MIOS XML MIOS v1&2 UK e-GIF UML TOGAF9 MIOS v4.1 MIOS = Minimum Interoperability Standards GWEA = Government Wide Enterprise Architecture GWEA 2007 - 2009 2004 - 2006 GITA v1.0 GITA v1.1 MIOS v3 MIOS v4 Zachman UML TOGAF8, Zachman

EA Context * From Forsberg & Mooz and ISO 15288; Corporate Governance not shown Architecture / Planning Design / Development Production / Operation GWEA / MIOS ISO 12207 (SDLC) ITIL / ISO 20000 COBIT / ISO 38500 Buy Business Architecture Technical Design Build IS/ICT Architecture Business Integration Component Verification IS/ICT Integration ICT Ops Buss Ops Business Design & Dev (e.g. OD, Srv Dev) ENTERPRISE ARCHITECTURE CAPABILITY SYSTEM ACQUISITION CAPABILITIES (Solution Architecture, Project Management, Procurement, Solution Development, Integration) ICT OPERATION CAPABILITIES PUBLIC SERVICE CAPABILITIES PUBLIC SERVICE DEVELOPMENT CAPABILITIES

GWEA Framework composition TOGAF ADM Phase TOGAF-9 GWEA 1.2 Prelim: FW & Contract 5P+1A = 6 3P = 3 A: Vision, Scope & Principles 6P+2A = 8 3P+1A = 4 B: Business Architecture 3P+(2x17)A = 39 2P+(2x5)A = 12 C1: Data Architecture 3P+(2x9)A = 21 2P+(2x3)A = 8 C2: Application Architecture 3P+(2x14)A = 31 2P+(2x3)A = 8 D: Technology Architecture 3P+(2x8)A = 19 2P+(2x3)A = 8 E: Opportunities/Solutions 5P 1P F: Migration Planning 10P 2P TOTAL DELIVERABLES 38P+99A = 137 (89 Non-Duplicated) 17P+29A = 46 (32 Non-Duplicated)

P = Project Deliverables (e.g. Charters, Contracts, Analysis Reports, Schedules)

A = Architecture Deliverables (e.g. Models, Diagrams, Matrices, Catalogues)

Non-Duplicated = As-Is or To-Be models of the same format

GWEA Framework INTEROPERABILITY CONSISTENCY ALIGNMENT Purpose The minimum standard by which to use an Enterprise Architecture approach to develop and construct National and Departmental ICT Plans and Blueprints Technology Architecture Views (D) Application Architecture Views (C2) Business Architecture Views (B) Data Architecture Views (C1) Organisation Structure Model Application Reference & Standards Model Business Process Model Business Function/Service Model Business Performance Model Business Information Model Application Distribution Model Technology/Network Distribution Model Technology Platform Model Technology Reference & Standards Model Data Reference & Standards Model Data Security Model Data Gap Application Gap Technology Gap Data-Application Model Application Stakeholder Model Opportunities & Solution (E) and Implementation Plan (F) Views (Programmatic Views) Business Gap Preliminary (P) & Vision (A) Views EA Org Model EA FW EA Request EA Principles EA Vision EA SOW Comm Plan Business Roadmap Data Roadmap Application Roadmap Technology Roadmap Consolidated Roadmap & Transition Architecture Implementation and Migration Plan Implementation Governance Model

EA Planning concept Government Departments, Bodies & Clusters Departmental Plans/Blueprints IFMS, e-Gov, GIS, e-Natis, e-HR, NISIS, Who-Am-I, LURITS… NGN, Data Centres, Help Desk, Security, … Business Services Core Services Common Services Shared Non-Shared ICT Infrastructure Information Systems Core Common / Transversal Resource Management Services (“Backend”) Public Services (“Front-End”)

Interoperability – [Re-]defined

Interoperable (Dictionary)

adj; able to operate in conjunction [Concise Oxford Dictionary, 9th Edition]

Interoperability (from the Web)

The ability to exchange and use information. [Princeton]

The ability of diverse systems and organizations to work together (interoperate). [Wikipedia]

The ability of systems, units, or forces to provide data, information, materiel, and services to and accept the same from other systems, units, or forces, and to use the data, information, materiel, and services so exchanged to enable them to operate effectively together. [US DoD, DoDD 5000.1]

The capability of systems to communicate with one another and to exchange and use information including content, format, and semantics [NIST]

Mathematician's definition

Interoperability levels* * Tolk, Andreas. “Beyond Technical Interoperability – Introducing a Reference Model for Measures of Merit for Coalition Interoperability. Business Architecture & Standards MIOS V4.1 MIOS V5 Network Centric Thinking (Joint-up Government) Information- Centric Thinking Techno- Centric Thinking IS/ICT Architecture & Standards Physical Interoperability Protocol Interoperability Data/Object Interoperability Information Interoperability Knowledge/Awareness Aligned Procedures Aligned Operations Harmonised Strategy/Doctrine Political Objectives

Organisational Interoperability

organisational components

are able to perform seamlessly together.

Technical Interoperability - technical issues of linking computer systems and services. Semantic Interoperability - ensuring the precise meaning of exchanged information between different kind of Information Systems.

MIOS v4.1 Composition* OPEN STANDARDS from IETF, ISO, W3C, OASIS, ITU-T, ANSI, IEEE, ECMA, ETSI * Minimum Interoperability Standards (MIOS) v4.1, DPSA, Aug 2007 Category Component (Standards) Connectivity Web/Internet (HTTP) E-Mail (SMTP, MIME, IMAP, S/MIME) Directory & Naming (X.500 and DNS) Network (FTP, TCP/IP, TLS) Security (e.g. RC4, RSA, AES, ) Web Services (SOAP, WSDL, UDDI) Internet Conferencing (H.323, SIP) Mobile Phones (WAP2, GPRS, SMS, MMS) Data Interoperability Meta-Data (XML, XSL) Data Security (SAML) PKI (X.509) Modelling (UML, XMI) Ontology (OWL) Geospatial (GML) Information Access & Content Standards Web/Hypertext (HTML, XHTML, JavaScript) Office Documents (UTF-8, ODF, CSV, PDF) Still images and Video (JPEG, PNG, TIFF, MPEG) File Compression (TAR, ZIP, GZIP) Relational DB Access (SQL-93) Meta-Data Content Management (Dublin Core) Syndication (RSS)

Challenges & Conclusion “ Sometimes when I consider what tremendous consequences come from little things… I am tempted to think there are no little things.” - Bruce Barton

Some challenges Identity issues Compliance Issues Conflicting Policies Cooperation

The road ahead (“for ICT”)…

Promulgate GWEA Framework to standardise ICT Planning across government.

Enhance the Minimum Interoperability Standards (MIOS)

Add compliance guidelines for Suppliers and Acquirers.

Add Transversal Data Standards and Schema’s (e.g. Health, Social, Safety, Finance, HR, SCM Data Schema)

Constitute National EA Governing Body.

Enhance Certification of ICT systems for compliance with MIOS.

Validate conformance of Departmental EA against GWEA.

Establish Training mechanisms for EA.

Establish EA Tool & Repository.

Conclusion

Relevant Legislation to be enacted to make EA & integration work.

Strong ownership and responsibilities of Business Architecture .

Appropriate governance structures, performance and funding model.

A Common Reference Model to serve as reference for integration.

Complete Information System Inventory

A new set of Semantic Interoperability standards (e.g. XML Schema)

Compliance to Open Technical Standards (non-functional requirement) as part of all acquisition processes.

Require a cross government “Integration Bus” .

Stronger “ Shared Service ” infrastructure

Improved “ System Integration ” capabilities (skills, methods & tools).

A fully integrated government will remain a Vision – a journey that strives for higher levels of maturity in the Technical, Semantic and Organisational Interoperability areas.

Thank You Dankie Siyabonga Ke a leboha Siyathokoza Willie Needham Chief Enterprise Architect Strategic Services State IT Agency (Pty) Ltd Pretoria, South Africa Tel: 012 482 2774 [email_address] www.sita.co.za

Sometimes I think we try to …