All rights reserved.
This document is the property of George Olago.
All unauthorized use, presentation, copying, reproduction or storage in a retrieval system is prohibited.
ICT GOVERNANCE IMPLEMENTATION FRAMEWORK
CASE STUDY: PRIDE PROJECT
TABLE OF CONTENTS
1.0 Background
1.1 Introduction
2.0 Project Proposal
2.1 Vision, Strategy, Governance & Policy Planning
2.2 Key ICT Strategies
3.0 Policy, Legal & Regulatory Reforms
4.0 ICT Infrastructure Objectives
5.0 Broadband Connectivity
6.0 ICT Capacity Strategy
7.0 Human Resource Development & Training
8.0 Content & Application Development Strategy
9.0 Communication & Access to Information Strategy
10.0 Implementation Methodology Framework
11.0 Implementation Matrix
12.0 Assurance Schedule for ICT Operations
13.0 Project Budget
14.0 Referees
Conclusion
1.0 Background
The Ministry of Education, Science and Technology, in collaboration with the Kenya GPE Primary Education Development (PRIDE) Project, intends to implement a robust Information and Communication Technology (ICT) strategy and MOE system to streamline operations and the use of ICT systems within the project. This implementation process is essential to the project and helps in the following areas of project operations:
- Supporting the development and sharing of online information and e-resources
- Supporting collaborative research among PRIDE, the Ministry of Education, and research and higher educational institutions (in addition to collaborative research with others)
- Running joint online courses and sharing expertise
- Sharing of experiences and best practices
- Providing opportunities for student and staff exchange
The ICT applications in view include:
- Management Information System
- Enterprise Resource Planning (ERP) deployment
- E-courseware
- E-library
- Video conferencing
- Voice over Internet Protocol (VoIP)
- Subscription to e-journals
- Staff/student management and administration
- Enterprise-wide anti-spam and anti-virus solution
- Virtual libraries
- High-capacity connectivity that allows institutions to communicate and collaborate effectively with each other (VoIP, video conferencing, remote experimentation, etc.)
- Adequate Internet bandwidth to access Internet-based resources for research and learning
- Centralization of applications and resources (e-books, e-journals, open courseware, etc.) that are best hosted at a 'hub' location
Other competences recommended for the project are:
- Adequate, continuous and focused ICT capacity building
- Adequate helpdesk support for all users
- Sensitization of the general community
1.1 Introduction
ICT has caused a paradigm shift, introducing the age of network intelligence and reinventing businesses, governments and institutions.
Kaufman (1977) observes, “the traditional bureaucratic paradigm, characterized by internal productive efficiency, functional rationality, departmentalization, hierarchical control and rule-based management is being replaced by competitive, knowledge based requirements, such as: flexibility, network organization, vertical/horizontal integration, innovative entrepreneurship, organizational learning, speed up in service delivery, and a customer driven strategy, which emphasize coordinated network building, external collaboration and customer services”, all of which are supported by ICT.
In order to deliver a ‘silver bullet’ solution, our approach to the project is to define the operational network infrastructure, which is largely obsolete, and provide an array of options to GSU by educating them on the implications of executing each solution. Major options include a Fibre Distributed Data Interface (FDDI) made up of a number of LANs connecting the various departments; the topology has to be designed to fit the requirements. The choices of a ring or star topology are available.
2.0 Project Proposal
The consultancy project will be realigned to the following areas outlined in the TOR of the Expression of Interest:
- Leading the development of the MOEST ICT vision, strategy, governance and policy planning.
- Leading the management of daily ICT operations, aligned to the approved policies and procedures.
- Leading the planning and implementation of all ICT systems to be used in the PRIDE project.
- Leading the training of all stakeholders within the Ministry to ensure effective utilization of all ICT systems installed and all hardware and software used in the Ministry.
2.1 MOEST ICT Vision, Strategy, Governance & Policy Planning
This part articulates the key priority strategic areas (issues) that the PRIDE project ICT department will address to achieve its strategic ICT objectives for the planned period. It also outlines the strategies (activities) that will be undertaken to meet the strategic objectives. The strategic areas will be derived from a situational analysis of the current utilization of ICT systems within the Ministry and the project. Progress towards achieving these strategic objectives will be monitored and evaluated against specific outputs and performance indicators, as detailed in the Implementation Matrix, Tables 1 to 7, below.
2.1.1 KEY ICT STRATEGIC AREAS
The Ministry will focus on the following strategic issues during the plan period:
Strategic Area 1: Policy, Legal, and Regulatory Reforms
Strategic Area 2: ICT Infrastructure
Strategic Area 3: Broadband Connectivity
Strategic Area 4: ICT Capacity
Strategic Area 5: Human Resource Development & Training
Strategic Area 6: Content and Application Development
Strategic Area 7: Communication and Access to Information
3.0 Strategic Area 1: Policy, Legal, and Regulatory Reforms
Strategic Objectives:
1. Ensure the development and adoption of policies, standards and regulations.
Strategies:
- Introduce the legislation and legal frameworks needed to support usage of the new IT technology; ensure compatibility, interoperability and secure sharing of information across all functional units of the Ministry; and engage key stakeholders of the PRIDE project to utilize the ICT systems that have been implemented.
- Develop and implement the Ministry’s ICT Policy to guide proper usage and application of ICT equipment, systems and services.
- Develop and implement the Ministry’s Security Policy to guide secure usage and application of ICT equipment, systems and services.
4.0 Strategic Area 2: ICT Infrastructure
Strategic Objectives:
1. To build and maintain a Local Area Network (LAN) infrastructure at Ministry headquarters and all departments that are supported by the PRIDE project.
2. To build and maintain a Ministry data centre, i.e. a well-conditioned, secure and equipped server room at the Ministry’s head office, and link it to the different functional offices of the Ministry. The data centre will host the servers, which include the mail server, file servers, application servers, etc.
Strategies:
- Install and upgrade the local area network (LAN) infrastructure at the Ministry of Education and extend the WAN/LAN connection to the different areas within the Ministry departments.
- Extend the usage and reliability of the Ministry Common Core Network to enhance the security of access to key data resources.
- Install wireless networks in all the above locations.
- Carry out an ICT infrastructure needs assessment for the field stations.
- Provide end-users with adequate access to the LANs and computing facilities.
- Consolidate previous departmental data centres, if any, to minimize duplication and enhance value.
5.0 Strategic Area 3: Broadband Connectivity
Strategic Objectives:
1. Provide and maintain adequate Internet bandwidth to meet Ministry and PRIDE needs.
Strategies:
- Carry out a bandwidth needs assessment, including current usage, for the Ministry and all departments connected to the main link.
- Procure adequate bandwidth to meet the entire Ministry’s needs, as redundancy to supplement the other PRIDE bandwidth link and so allow redundancy in communication and information sharing.
- Procure and install bandwidth management tools to monitor Internet traffic, with a view to increasing the efficiency of Internet resources.
- Procure Internet modems for use while away from Ministry premises.
6.0 Strategic Area 4: ICT Capacity
Strategic Objectives:
1. To equip Ministry and PRIDE staff with the ICT tools that they need to efficiently and cost-effectively carry out their work.
Strategies:
- Develop standards for the acquisition, maintenance and disposal of ICT equipment.
- Equip officers with appropriate computers and other requisite ICT equipment.
- Procure and install recommended genuine operating systems, office suites, antivirus, etc.
- Manage the delivery of services cost-effectively through shared printing, scanning and storage solutions over a local area network.
7.0 Strategic Area 5: Human Resource Development & Training
Strategic Objectives:
1. To organize and manage ICT human capacity to sustain productivity.
2. To strengthen the ICT Department.
Strategies:
- Undertake an ICT training needs assessment.
- Develop an ICT training curriculum.
- Coordinate and carry out regular basic ICT training for staff.
- Establish an ICT Resource Centre to facilitate access to ICT facilities for all staff and for citizens who visit the Ministry.
- Review the ICT staff establishment and deploy appropriate staff.
8.0 Strategic Area 6: Content and Application Development
Strategic Objectives:
1. To facilitate the Ministry in implementing knowledge-based databases and applications that support ease of doing business, i.e. efficient and effective service delivery to staff and all clients within the Ministry and PRIDE environment network. To achieve this, the following strategies shall be implemented.
Strategies:
- Digitize all main registries in the Ministry and the PRIDE files.
- Build related databases, aligned to the functional areas of the Ministry departments and PRIDE, to support core business processes.
- Simplify and automate core business processes to support effective service delivery by implementing the following core applications:
i. Project Management System
ii. Electronic Document Management System
iii. Asset Management System
iv. Enterprise Resource Planning
v. Customer Relationship Management System
vi. Biometric Access Control System
vii. CCTV Surveillance System
viii. Market Information System
9.0 Strategic Area 7: Communication and Access to Information
Strategic Objectives:
1. Establish communication and online access to Ministry information, and enable easy collaboration and information sharing between PRIDE and other Ministry stakeholders.
Strategies:
- Develop and implement a dynamic, database-driven Ministry portal, i.e. website.
- Develop and implement a collaborative Ministry official email system and intranet.
- Develop and implement a Management Information System to facilitate online access to up-to-date market information on all educational materials within the Ministry and PRIDE.
- Upgrade the telephone system to embrace VoIP technology, which is more efficient and reliable.
- Install the following communication facilities:
i. Tele/video conference system
ii. Conference public address system
iii. Electronic notice boards
10.0 Implementation Methodology Framework (COBIT & ITIL)
As the lead consultant in this project, I will use the implementation methodology framework outlined below to ensure all ICT systems are implemented using the approved methodology. My implementation of the ICT systems and infrastructure will be based on an accepted framework for implementing ICT systems.
Implementation Framework
The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
IT governance integrates and institutionalizes good practices to ensure that the enterprise’s IT supports the business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.
Organizations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimize the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
- Making a link to the business requirements
- Organizing IT activities into a generally accepted process model
- Identifying the major IT resources to be leveraged
- Defining the management control objectives to be considered
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
The process focus of COBIT is illustrated by a process model, which subdivides IT into 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify those resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
I will work with management to ensure that the control objectives, which define the ultimate goal of implementing the policies, procedures, practices and organizational structures designed to provide reasonable assurance, are met.
I will use key frameworks like COBIT and ITIL to ensure effective delivery of all the ICT systems; my COBIT framework will be benchmarked on the following key pillars:
- Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
- Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
- Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Analyze Current ICT Environment - COBIT Framework
Relevant information concerning the current ICT environment is gathered in this stage. The objective of this stage is to understand how ready the agency is to use ICT and what weaknesses or challenges the agency is facing.
In analyzing the current ICT environment, three key areas will be assessed for the agency's current and future needs.
1. Systems
Application systems, whether agency-specific or otherwise, are assessed for their functionality, usability and performance adequacy to support business functions. Application issues are identified for improvement.
2. Technology
Network infrastructure components such as servers, routers, switches, etc. are assessed for their reliability and performance. Software such as application development tools, network monitoring systems, management software, etc. is reviewed in order to capitalize on advances brought about by technology.
3. People
The purpose of the assessment of ICT and operational skills is to identify gaps which will have a direct consequence on the implementation of ICT initiatives. The level of ICT skill sets of technical personnel and the knowledge of users in the agency are to be examined and ascertained. The agency needs to leverage existing personnel skill sets and experience in implementing and maintaining initiatives; otherwise the necessary training must be planned.
Develop New ICT Strategy
Technological progress presents new challenges and opportunities to develop new ICT strategies to improve public service delivery. Users become more ICT-savvy and demand innovative and creative solutions using ICT. A cross-functional team championed by top management, with ICT personnel as members, will conceive new ICT initiatives to close the gaps identified. An appropriate evaluation process for e-Government initiatives can conduct pilot runs or prototyping to evaluate the usability and functionality of an e-service, with the goal of improving the user experience and adoption by users.
One aim of the e-services is to improve user experience and adoption by users; before that, government processes and functions may need to be re-engineered. Possible strategies in e-governance solutions include cloud computing, the Gov 2.0 concept, mobile computing, etc.
Table 2 - Strategic Area 2: ICT Infrastructure
Strategic Objectives:
1. To build and maintain a Local Area Network (LAN) infrastructure at Ministry headquarters and all departments that are supported by the PRIDE project.
2. To build and maintain a Ministry data centre, i.e. a well-conditioned, secure and equipped server room at the Ministry’s head office, linked to the different functional offices of the Ministry; it will host the servers, which include the mail server, file servers, application servers, etc.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Install and upgrade LAN at Ministry departments and PRIDE offices | LAN in place | LSO
Extend Government Common Core Network (GCCN) | GCCN connected | Letter
Install wireless network | Wireless network in place | LSO
Carry out ICT infrastructure needs assessment for the field stations | Infrastructure needs assessment report | Memo & report
Set up and operationalize primary data centre with backup system | Data centre in place | LSO
Table 3 - Strategic Area 3: Broadband Connectivity
Strategic Objectives:
1. Provide and maintain adequate Internet bandwidth to meet Ministry and PRIDE needs.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Procure adequate Internet bandwidth & monitoring tools | Internet/monitoring tools available | LSO
Procure Internet modems | Modems available | LPO
Table 4 - Strategic Area 4: ICT Capacity
Strategic Objectives:
1. To equip Ministry and PRIDE staff with the ICT tools that they need to efficiently and cost-effectively carry out their work.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Develop standard for acquisition, maintenance and disposal of ICT equipment | Standards available | Report
Procure & maintain ICT equipment | Equipment serviced & procured | LSOs/LPOs
Install genuine operating systems, office suites, antivirus | Software licenses procured | LPOs
Facilitate sharing of printers and scanners over the local area network | Shared services | Shared equipment
Table 5 - Strategic Area 5: Human Resource Development
Strategic Objectives:
1. To organize and manage ICT human capacity to sustain productivity.
2. Strengthen the ICT Department.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Undertake ICT training needs assessment | ICT training needs assessment report | Report
Develop an ICT training curriculum | ICT training curriculum report | Report
Carry out regular basic ICT training | Officers trained | Attendance reports
Establish an ICT Resource Centre | ICT Resource Centre in place | LPO/memo
Review the ICT staff establishment | Revised ICT establishment | ICT establishment
Table 6 - Strategic Area 6: Content and Application Development
Strategic Objectives:
1. To facilitate the Ministry in implementing knowledge-based databases and applications that support ease of doing business, i.e. efficient and effective service delivery to staff and all clients within the Ministry and PRIDE environment network.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Digitize all main registries in the Ministry | Digitized records | LSO/memos
Automate core business processes | IT applications developed | LSO/memos
Table 7 - Strategic Area 7: Communication and Access to Information
Strategic Objectives:
1. Establish communication and online access to Ministry information, and enable easy collaboration and information sharing between PRIDE and other Ministry stakeholders.
Columns: Strategy | Expected Output | Key Performance Indicator(s) | Timeframe (Gantt schedule over Months 1 to 5, weeks 1 to 4; not recoverable in this copy)
Develop and implement a dynamic, database-driven Ministry portal | Portal developed | LSO/memos
Facilitate online access to Fish and Livestock Import and Export documents | Forms uploaded | Memos/content
Upgrade the telephone system to embrace VoIP technology | VoIP installed | LSOs/memo
Install the following communication facilities: tele/video conference system, conference public address system, electronic notice board | Systems in place
12.0 DETAILED ASSURANCE SCHEDULE FOR ICT OPERATIONS
Below are the assurance activities that I will use in managing the ICT operations of the project. Each entry gives: Risk Area (see legend) | Assurance Activity | Control Objective | Specific Activity and Deliverable | Owner | Assurance Provider | Frequency / Timing | Key Risk (High / Medium).

Risk Area 1.0 - User access reviews
Control objective: Access to network / system / folders is authorised.
Specific activity and deliverable: ICT sends the list of current users to department heads and supplier managers, also noting users with remote access. Department heads review and sign off, attesting that access for users in their area is appropriate. Exceptions must be noted with evidence of follow-up attached. ITSM reviews for completeness.
Owner: CIO
Assurance provider: Department heads, supplier managers; ITSM reviews for completeness
Key risks: Information may be accessed / accessible by unauthorised person. Staff may be using unlicensed software and this may result in a legal penalty or security breach.
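The completeness check that closes the user access review (activity 1.0) reduces to a reconciliation between the account export ICT sends out and the attestations that come back. The script below is an added example, not tooling from the project or its author: the account names, departments, supplier names and ticket references are constructed, and the split of reviewers into department heads and supplier managers follows the activity text. The same set-difference check generalises to the token stocktake against the token register (1.1) and the door access log against the authorised access list (1.8).

```python
"""User access review reconciliation (added example for assurance activity 1.0;
not the project's own tooling). ICT builds review packs from the current
account export, department heads and supplier managers return attestations,
and ITSM checks the review for completeness before closing it.

The account names, departments, supplier names and ticket references below are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    user: str
    department: str
    remote_access: bool             # remote-access users are noted in the pack
    supplier: Optional[str] = None  # set when the account belongs to supplier staff


@dataclass
class Attestation:
    reviewer: str                   # "dept:<name>" or "supplier:<name>"
    approved: Set[str]
    # user -> reference to follow-up evidence (ticket, memo); must not be empty
    exceptions: Dict[str, str] = field(default_factory=dict)


# Constructed current-user export, as ICT would send it out for review.
CURRENT_USERS: List[Account] = [
    Account("a.mwangi", "Finance", remote_access=False),
    Account("b.otieno", "Finance", remote_access=True),
    Account("c.wanjiru", "Procurement", remote_access=False),
    Account("d.kamau", "Procurement", remote_access=True, supplier="NetCo"),
    Account("e.achieng", "Registry", remote_access=False),
    Account("contractor1", "Registry", remote_access=True, supplier="BuildIt"),
]

# Constructed sign-offs: Registry never responded, and BuildIt logged an
# exception without attaching evidence of follow-up.
SAMPLE_ATTESTATIONS: List[Attestation] = [
    Attestation("dept:Finance", {"a.mwangi"}, {"b.otieno": "ticket-123"}),
    Attestation("dept:Procurement", {"c.wanjiru"}),
    Attestation("supplier:NetCo", {"d.kamau"}),
    Attestation("supplier:BuildIt", set(), {"contractor1": ""}),
]


def reviewer_for(acct: Account) -> str:
    """Supplier accounts go to the supplier manager, all others to the department head."""
    return f"supplier:{acct.supplier}" if acct.supplier else f"dept:{acct.department}"


def build_review_packs(accounts: List[Account]) -> Dict[str, List[Account]]:
    """Group accounts by the party responsible for attesting to them."""
    packs: Dict[str, List[Account]] = {}
    for acct in accounts:
        packs.setdefault(reviewer_for(acct), []).append(acct)
    return packs


def remote_access_users(accounts: List[Account]) -> List[str]:
    """Users with remote access, listed separately in every pack."""
    return sorted(a.user for a in accounts if a.remote_access)


def check_completeness(accounts: List[Account], attestations: List[Attestation]) -> List[str]:
    """ITSM completeness check. Every account must be approved, or recorded as an
    exception with follow-up evidence, by the reviewer responsible for it; an
    empty result means the review can be closed."""
    by_reviewer = {att.reviewer: att for att in attestations}
    known_users = {a.user for a in accounts}
    findings: List[str] = []
    for reviewer, accts in build_review_packs(accounts).items():
        att = by_reviewer.get(reviewer)
        if att is None:
            findings.append(f"{reviewer}: no sign-off received")
            continue
        for acct in accts:
            if acct.user in att.approved:
                continue
            if acct.user in att.exceptions:
                if not att.exceptions[acct.user]:
                    findings.append(f"{reviewer}: exception for {acct.user} has no follow-up evidence")
                continue
            findings.append(f"{reviewer}: {acct.user} neither approved nor excepted")
    # A sign-off naming an account that is not in the export points to a stale list.
    for att in attestations:
        for user in sorted((att.approved | set(att.exceptions)) - known_users):
            findings.append(f"{att.reviewer}: attested unknown account {user}")
    return findings


def run_sample() -> List[str]:
    """Findings for the constructed export and sign-offs above."""
    return check_completeness(CURRENT_USERS, SAMPLE_ATTESTATIONS)


if __name__ == "__main__":
    for reviewer, accts in build_review_packs(CURRENT_USERS).items():
        print(reviewer, [a.user for a in accts])
    print("remote access:", remote_access_users(CURRENT_USERS))
    for finding in run_sample():
        print("FINDING:", finding)
```

Each finding names the reviewer it is owed by, so the ITSM reviewer can chase a missing sign-off or an unevidenced exception without re-reading the packs; an empty findings list is the condition for closing the review.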
21. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
1.1 Remote
access token
audit
Remote access is
authorised.
Physical stocktake of remote
access tokens and comparison
with token register
maintained by ICT.
ITSM Security team Information may be accessed
/ accessible by unauthorised
person.
22. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
1.2 User access
controls
audit
Logical access is
generally well-
controlled.
Review of the design and
effectiveness of user access
controls. Internal Audit
produces a report with
recommendations.
Management (department
heads) are responsible for
providing a response and
remedial actions for any
findings.
Manager,
Internal
Audit
Departme
nt heads
(response
and
actions)
Internal audit Information may be accessed
/ accessible by unauthorised
person.
1.3 Encryption
testing
Data is encrypted as
per our security
standards
Security staff run a series of
tests on network segments or
functions where encryption is
required.
ITSM Security team Information may be accessed
/ accessible by unauthorised
person.
23. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
1.4 Review of
privileged
user access
(logs)
Super-user access to
the network,
operating system
and direct access to
the databases is
authorised and
monitored.
Risk team reviews system
activity logs on a sample basis
to determine whether activity
by privileged users is
appropriate.
Risk
Manager
Risk team Information may be accessed
/ accessible by unauthorised
person.
1.5 Review of
privileged
user access
(controls)
Super-user access to
the network,
operating system
and direct access to
the databases is
authorised and
monitored.
Internal Audit reviews the
design and effectiveness of
controls related to super user
and direct data access.
Manager,
Internal
Audit
Internal Audit Information may be accessed
/ accessible by unauthorised
person.
Suppliers may not be
protecting our information
(including DR).
1.6 Sensitive
data alert
review.
Super-user access to
the network,
operating system
and direct access to
the databases is
authorised and
monitored.
Internal audit tests alerts on
sensitive data tables to ensure
triggers are working, and
reviews a sample of historical
alerts to see whether
appropriate follow-up was
done.
ITSM Internal Audit Information may be accessed
/ accessible by unauthorised
person.
24. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
1.7 Site alarm
testing and
report
review
Data centre is
alarmed at
perimeter and at
internal doors.
Service provider tests alarms,
and the data centre manager
reviews and reports on the
results of testing, and on
alerts and alarms raised
during the week.
Supplier
manager
Data centre
provider
Information may be accessed
/ accessible by unauthorised
person.
1.8 Review of
door /
server rack
access logs
Data centre door
access is limited to
authorised staff.
Data centre manager reviews
access logs for doors and
server racks and compares
against authorised access list.
Signs check sheet to evidence
review.
Supplier
manager
Data centre
provider
Weekly,
reported
in data
centre
provider’s
monthly
report
Information may be accessed
/ accessible by unauthorised
person.
1.9 Inspections
of locks,
cabling,
network
jacks at all
offices
Sensitive ICT
equipment and
access points at our
offices are secured.
Security team members
inspect for physical security
exposures at all sites using a
good practice checklist.
ITSM Security team Information may be accessed
/ accessible by unauthorised
person.
25. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
2.0 Review of
site visitor
logs
Visitors to the data
centre are
authorised.
Supplier manager compares
visitor access log and system-
generated logs to the list of
pre-authorised visitors.
Supplier manager signs off
that all visitors were
authorised.
Supplier
manager
Supplier manager
(Based on
documentation
provided by data
centre manager)
Monthly Information may be accessed
/ accessible by unauthorised
person.
Suppliers may not be
protecting our information
(including DR).
2.1 Report on
data centre
controls
Physical access is
generally well-
controlled.
Devices / processes
ensure
uninterruptible
power.
PRIDE Service Organisation
Controls Report on Trust
Service Principles.
ITSM Data centre
provider orders
report by an
independent
service auditor
(Data centre
provider funds
the review)
Information may be accessed
/ accessible by unauthorised
person.
Suppliers may not be
protecting our information
(including DR).
2.2 External
penetration
test
Network perimeter
is secured against
intrusion.
Set of tests run by a security
contractor simulating an
attack via the Web. Security
contractor provides a report
with findings and
recommendations.
Supplier
manager
Security
contractor
Information may be accessed
/ accessible by unauthorised
person.
26. Risk
Area
(see
Legen
d)
Assurance
Activity
Control Objective Specific Activity and
Deliverable
Owner Assurance
Provider
Frequenc
y /
Timing
Key Risk
High / Medium
2.3 Internal penetration test
Control objective: Systems are secured against internal attack.
Activity and deliverable: Set of tests run by a security contractor simulating an attack from within the agency. Security contractor provides a report with findings and recommendations.
Owner: ITSM
Assurance provider: Security contractor
Key risk: Information may be accessed / accessible by an unauthorised person.

2.3 Fraud risk review
Control objective: Systems are secured against internal attack.
Activity and deliverable: Fraud risks are assessed and ranked, possibly identifying ICT exposures. Report produced and actions identified.
Owner: CISO (with regard to the ICT-related risks)
Assurance provider: Internal audit
Key risk: Information may be accessed / accessible by an unauthorised person.

2.4 Critical and high security patch level reporting
Control objective: Important software patches are applied.
Activity and deliverable: Security team reports on outstanding critical and high security patches, noting any approved exemptions and the timetable for patching.
Owner: ITSM; technical leads (response and actions)
Assurance provider: Security team provides the report. Technical leads are assigned to complete remediation.
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.

2.5 Vulnerability mitigation reports
Control objective: Vulnerabilities are managed.
Activity and deliverable: Security team reports on known vulnerabilities and mitigations. Report is updated monthly.
Owner: ITSM
Assurance provider: Security team (requires input from technical leads)
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.
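Items 2.4 and 2.5 call for a monthly roll-up of outstanding critical and high patches that respects approved exemptions and the patching timetable. The Python below is an added example of how such a report can be produced from an inventory export; it is not part of the PRIDE framework. The record layout, the SLA days per severity, the exemption register and the sample entries are all constructed assumptions.

```python
"""Monthly critical / high patch status report with approved exemptions.

Added example for assurance items 2.4 and 2.5; not part of the PRIDE
framework. Record layout, SLA days, exemption register and sample data are
constructed assumptions.
"""
from datetime import date, timedelta

# Assumed remediation timetable: days allowed after patch release, by severity.
# Only these severities are in scope for the report.
SLA_DAYS = {"critical": 14, "high": 30}

# Constructed inventory export: outstanding patches per host.
OUTSTANDING = [
    {"host": "web01", "patch": "KB-A", "severity": "critical", "released": date(2024, 5, 1)},
    {"host": "web02", "patch": "KB-A", "severity": "critical", "released": date(2024, 5, 1)},
    {"host": "db01", "patch": "KB-B", "severity": "high", "released": date(2024, 5, 20)},
    {"host": "legacy01", "patch": "KB-C", "severity": "high", "released": date(2024, 3, 1)},
    {"host": "app01", "patch": "KB-D", "severity": "medium", "released": date(2024, 4, 1)},
]

# Constructed exemption register. The web02 entry has already expired.
EXEMPTIONS = [
    {"host": "legacy01", "patch": "KB-C", "approved_until": date(2024, 12, 31), "approver": "CISO"},
    {"host": "web02", "patch": "KB-A", "approved_until": date(2024, 5, 10), "approver": "ITSM"},
]


def due_date(rec):
    """Timetable date by which the patch should have been applied."""
    return rec["released"] + timedelta(days=SLA_DAYS[rec["severity"]])


def classify(outstanding, exemptions, as_of):
    """Tag each in-scope record as 'exempt', 'overdue' or 'within_sla'.

    An exemption only counts while its approval date has not passed; an
    expired one falls back to the normal timetable.
    """
    active = {(e["host"], e["patch"]): e for e in exemptions if e["approved_until"] >= as_of}
    rows = []
    for rec in outstanding:
        if rec["severity"] not in SLA_DAYS:
            continue  # medium / low are outside this report
        key = (rec["host"], rec["patch"])
        if key in active:
            status, due = "exempt", active[key]["approved_until"]
        else:
            due = due_date(rec)
            status = "overdue" if due < as_of else "within_sla"
        rows.append({**rec, "status": status, "due": due})
    return rows


def summarise(rows):
    """Counts per severity and status, for the monthly roll-up."""
    counts = {}
    for r in rows:
        bucket = counts.setdefault(r["severity"], {"exempt": 0, "overdue": 0, "within_sla": 0})
        bucket[r["status"]] += 1
    return counts


def render(rows, as_of):
    """Plain-text report: overdue items first, then exemptions, then the rest."""
    order = {"overdue": 0, "exempt": 1, "within_sla": 2}
    lines = [f"Critical / high patch status as of {as_of.isoformat()}"]
    for sev, c in sorted(summarise(rows).items()):
        lines.append(f"  {sev}: {c['overdue']} overdue, {c['exempt']} exempt, {c['within_sla']} within SLA")
    for r in sorted(rows, key=lambda r: (order[r["status"]], r["due"])):
        lines.append(f"  {r['status']:<10} {r['host']:<10} {r['patch']:<6} {r['severity']:<8} due {r['due'].isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    print(render(classify(OUTSTANDING, EXEMPTIONS, as_of), as_of))
```

The expired exemption on web02 drops back to the normal timetable and is reported as overdue, which is the check an auditor will make against the exemption register; a real run replaces the constructed lists with the scanner export and the register itself.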
2.6 Privacy breach reporting and analysis
Control objective: Privacy breaches are reported and assessed.
Activity and deliverable: Privacy officer reviews and reports on breaches reported during the previous month, identifying trends, internal control weaknesses and lessons learned.
Owner: Privacy officer
Assurance provider: Privacy officer
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.

2.7 Privacy controls review
Control objective: Privacy controls are being followed.
Activity and deliverable: Internal audit assesses the privacy controls in place, testing for control effectiveness.
Owner: Chief executive
Assurance provider: Internal audit
Key risk: Information may be accessed / accessible by an unauthorised person.

2.8 Privacy impact analysis (PIA) updates
Control objective: Privacy risks are revisited when systems undergo changes impacting privacy.
Activity and deliverable: Triggered by the Change Advisory Board (CAB) flagging changes that might have a privacy impact, systems are re-assessed for privacy. Artefacts are produced that supplement the original SQA.
Owner: Privacy officer
Assurance provider: Privacy team in collaboration with system owner and technical leads
Frequency / timing: Upon changes to systems that could impact privacy
Key risk: Information may be accessed / accessible by an unauthorised person.

2.9 Privacy maturity assessment
Control objective: Our privacy maturity is known and continuously improved.
Activity and deliverable: Privacy specialists conduct a high-level maturity assessment of privacy practices, assessing against the Privacy Act.
Owner: Privacy officer
Assurance provider: Privacy contractor
Key risk: Information may be accessed / accessible by an unauthorised person.
3.0 Security training / induction summary reporting
Control objective: Employees and contractors are inducted and periodically trained on their security responsibilities.
Activity and deliverable: Security team verifies that all new starters during the previous month (employees and contractors) have received security induction and have signed off on the acceptable use policy.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.

3.1 Internal security breach analysis
Control objective: We use learnings from internal security breaches to strengthen our security programme.
Activity and deliverable: Roll-up analysis of any internal security breaches that occurred during the previous two quarters, including instances of security policy / acceptable use violations.
Owner: ITSM
Assurance provider: Security team
Key risk: Information may be accessed / accessible by an unauthorised person.

3.2 System accreditation
Control objective: Systems are accredited.
Activity and deliverable: Systems are formally accredited and the residual risk accepted, following a robust certification process. (Cost estimate includes certification.)
Owner: Chief executive
Assurance provider: CISO
Frequency / timing: Upon renewal of accreditation
Key risk: Information may be accessed / accessible by an unauthorised person.

3.3 Accreditation status reporting
Control objective: Systems are accredited.
Activity and deliverable: Monthly updates from the CISO to the CIO on the certification and accreditation status of systems.
Owner: CIO
Assurance provider: CISO
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.
3.4 Application portfolio analysis
Control objective: We know where our systems are providing value and where they are not. We know what options are available in the market.
Activity and deliverable: Complete the CIO Application Portfolio Management (APM) survey, which will give insights into our application portfolio, including risks and opportunities to increase value.
Owner: CIO / GCIO
Assurance provider: CIO
Frequency / timing: One off, but other related assurance activities will follow
Key risk: Our ICT services could be providing greater value.

3.5 Ageing systems report
Control objective: Software that is no longer supported and outdated infrastructure are replaced.
Activity and deliverable: Quarterly tracking of outdated software and infrastructure to give visibility of the status of systems. Report to the CIO.
Owner: CIO
Assurance provider: ICT Operations Manager
Frequency / timing: Quarterly
Key risk: Our ICT services could be providing greater value.

3.6 Infrastructure status and strategy report
Control objective: Infrastructure is well managed to ensure it is providing business value.
Activity and deliverable: Current and target state of infrastructure is reported and linked to current business strategy / objectives. Report to the CIO.
Owner: CIO
Assurance provider: Infrastructure Manager
Key risk: Our ICT services could be providing greater value.

3.7 Network monitoring summary
Control objective: The network is well managed and meets business needs.
Activity and deliverable: Performance reporting to the CIO with commentary on linkage to changing business requirements.
Owner: CIO
Assurance provider: Network Administrator
Frequency / timing: Monthly
Key risk: ICT systems may not provide sufficient storage and performance.
3.8 User survey
Control objective: The network is well managed and meets business needs. We track and follow up on incidents related to storage and performance. Other objectives.
Activity and deliverable: Users complete a survey on a number of areas such as network latency, download speeds and application crashes. Users are asked to identify how IT applications and infrastructure can better help them achieve their goals.
Owner: CIO
Assurance provider: ICT Operations Manager
Key risk: Our ICT services could be providing greater value. ICT systems may not provide sufficient storage and performance.

3.9 Storage monitoring summary
Control objective: Storage is well managed and meets business needs.
Activity and deliverable: Performance reporting to the CIO with commentary on linkage to changing business requirements.
Owner: CIO
Assurance provider: Network Administrator
Frequency / timing: Monthly
Key risk: ICT systems may not provide sufficient storage and performance.

4.0 Software license audit
Control objective: All our software is properly licensed.
Activity and deliverable: Compliance review and report of software licenses across the application portfolio.
Owner: CIO
Assurance provider: Risk team
Key risk: Our ICT services could be providing greater value. Staff may be using unlicensed software and this may result in a legal penalty or security breach.
4.1 Unapproved software audit
Control objective: Staff are installing only approved software.
Activity and deliverable: Compliance review of installed software using automated tools.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.

4.2 Unapproved cloud / web service audit
Control objective: Staff are not using unapproved cloud services (Dropbox, Gmail).
Activity and deliverable: Compliance review of cloud / web service usage using automated tools.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by an unauthorised person.
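Items 4.1 and 4.2 both depend on automated tooling: an installed-software inventory compared with an approved list, and web proxy records compared with an approved list of cloud services. The Python below is an added example of both checks and is not PRIDE code; the inventory export layout, the proxy log format, the approved lists and the sample records are constructed assumptions.

```python
"""Unapproved software and cloud / web service audit (items 4.1 and 4.2).

Added example; not part of the PRIDE framework. The inventory export, the
proxy log lines, the approved lists and their formats are constructed
assumptions. A real run feeds these from the endpoint management tool and
the web proxy.
"""
import re
from collections import defaultdict

# Assumed approved-software list: package name -> allowed major versions
# (None means any version is acceptable).
APPROVED_SOFTWARE = {"libreoffice": None, "firefox": None, "7zip": None, "python": {"3"}}

# Assumed approved cloud / web services, by domain (subdomains are allowed).
APPROVED_SERVICES = {"office.example.gov", "mail.example.gov"}

# Constructed inventory export, one "host,package,version" record per line.
INVENTORY = """\
pc-101,firefox,126.0
pc-101,dropbox,196.4
pc-102,python,2.7.18
pc-102,7zip,23.01
pc-103,teamviewer,15.5
"""

# Constructed proxy log: "timestamp host user domain status" per line.
PROXY_LOG = """\
2024-06-03T09:12:01Z pc-101 jdoe www.dropbox.com 200
2024-06-03T09:13:44Z pc-101 jdoe office.example.gov 200
2024-06-03T10:01:09Z pc-103 asmith mail.google.com 200
2024-06-03T10:02:30Z pc-102 bkim cdn.office.example.gov 200
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<domain>\S+) (?P<status>\d{3})$")


def audit_software(inventory_csv, approved):
    """Return {host: [finding, ...]} for packages or versions not on the approved list."""
    findings = defaultdict(list)
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = (f.strip() for f in line.split(","))
        name = pkg.lower()
        if name not in approved:
            findings[host].append(f"unapproved software: {pkg} {ver}")
        elif approved[name] is not None and ver.split(".")[0] not in approved[name]:
            findings[host].append(f"unapproved version: {pkg} {ver}")
    return dict(findings)


def is_approved_domain(domain, approved):
    """Exact match or a subdomain of an approved domain.

    The leading dot matters: a bare endswith() would let evilmail.example.gov
    pass as mail.example.gov.
    """
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in approved)


def audit_services(proxy_log, approved):
    """Return {host: [domain, ...]} for cloud / web services outside the approved list."""
    findings = defaultdict(set)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line; a real report would count these separately
        if not is_approved_domain(m["domain"], approved):
            findings[m["host"]].add(m["domain"])
    return {host: sorted(domains) for host, domains in findings.items()}


def run_audit():
    """Both checks together, as they would appear in the monthly report."""
    return {
        "software": audit_software(INVENTORY, APPROVED_SOFTWARE),
        "services": audit_services(PROXY_LOG, APPROVED_SERVICES),
    }


if __name__ == "__main__":
    for section, per_host in run_audit().items():
        print(section)
        for host, items in sorted(per_host.items()):
            print(f"  {host}: {', '.join(items)}")
```

Matching on the domain suffix with its leading dot is the detail that stops look-alike domains from slipping past the approved list; the version check is deliberately coarse (major version only) so the approved list stays maintainable.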
4.3 Disaster recovery test and report
Control objective: Disaster recovery can restore systems in accordance with business requirements.
Activity and deliverable: Test of the disaster recovery plan, and report of results with analysis and recommendations.
Owner: CISO
Assurance provider: ICT Operations Manager
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

4.4 Independent review of BCP / DR plans
Control objective: Disaster recovery plans and controls are robust and fit for purpose.
Activity and deliverable: Review of disaster recovery plans and comparison to recognised good practice controls and procedures.
Owner: CISO
Assurance provider: Internal audit
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.
4.5 Reporting on success of power tests
Control objective: Devices / processes ensure uninterruptible power.
Activity and deliverable: Results of power testing included in the monthly SLA reporting pack.
Owner: Supplier Manager
Assurance provider: Data centre provider
Frequency / timing: Monthly
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

4.7 Test restore of data from backup
Control objective: Our data can be restored from backup.
Activity and deliverable: Test restore of data, with summary report and recommendations.
Owner: ITSM
Assurance provider: ICT Operations Manager
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.
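Item 4.7 asks for a test restore with a summary report. The Python below is an added example (not PRIDE code) of a restore test that times the restore against an assumed RTO and verifies every restored file against a SHA-256 manifest taken when the backup was made, so a silently corrupted backup is reported rather than passed. The archive contents, the manifest format, the in-memory tar backup and the RTO figure are constructed assumptions.

```python
"""Test restore of data from backup with integrity verification (item 4.7).

Added example; not part of the PRIDE framework. The backup is a constructed
in-memory tar.gz with a SHA-256 manifest; file names, contents, manifest
layout and the RTO figure are assumptions.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed source data that the backup is expected to contain.
SOURCE_FILES = {
    "records/students.csv": b"id,name\n1,A\n2,B\n",
    "records/staff.csv": b"id,name\n10,X\n",
    "config/app.ini": b"[db]\nhost=db01\n",
}
ASSUMED_RTO_SECONDS = 4 * 3600  # assumed recovery time objective for this data set


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files, corrupt=None):
    """Build a tar.gz backup and the manifest {path: sha256} taken at backup time.

    `corrupt` names a file whose archived bytes are altered after the manifest
    is taken, to simulate a backup that is present but not restorable.
    """
    manifest = {path: sha256(data) for path, data in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            if path == corrupt:
                data = data[:-1] + b"?"
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), manifest


def restore(backup_bytes, dest):
    """Extract regular files under dest and return {path: sha256 of restored bytes}.

    Members are extracted by hand so an archive entry such as ../x cannot
    write outside the restore directory.
    """
    root = os.path.realpath(dest)
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(backup_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.realpath(os.path.join(root, member.name))
            if not target.startswith(root + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            data = tar.extractfile(member).read()
            with open(target, "wb") as fh:
                fh.write(data)
            restored[member.name] = sha256(data)
    return restored


def verify(restored, manifest):
    """Compare restored hashes with the manifest; 'ok' only if nothing is missing or corrupt."""
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"missing": missing, "corrupt": corrupt, "extra": extra, "ok": not (missing or corrupt)}


def run_test_restore(files=SOURCE_FILES, corrupt=None):
    """Full test restore: build backup, restore to a scratch directory, verify, time it."""
    backup, manifest = make_backup(files, corrupt=corrupt)
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as dest:
        restored = restore(backup, dest)
    elapsed = time.monotonic() - start
    result = verify(restored, manifest)
    result["elapsed_seconds"] = round(elapsed, 3)
    result["within_rto"] = elapsed <= ASSUMED_RTO_SECONDS
    return result


if __name__ == "__main__":
    print("clean backup:", run_test_restore())
    print("corrupt backup:", run_test_restore(corrupt="records/staff.csv"))
```

A restore that completes is not the same as a restore that is correct; the manifest comparison is what turns "the job ran" into evidence for the summary report, and the elapsed time gives the figure to set against the RTO reconfirmed in item 4.9.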
4.8 Verification of DR plan key contact numbers
Control objective: Details in our disaster recovery plans are up to date.
Activity and deliverable: Administrator verifies and updates details.
Owner: ITSM
Assurance provider: ICT administrator
Frequency / timing: Monthly and as needed
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.

4.9 Business impact analysis
Control objective: Disaster recovery plans are aligned with business requirements.
Activity and deliverable: Critical functions are assessed in a BCP / DR context and the recovery point objective (RPO) and recovery time objective (RTO) are reconfirmed.
Owner: CIO
Assurance provider: Business continuity response team leads, with business input
Key risk: Capability / capacity to provide IT services may be lost following a disaster / outage.
5.0 Performance / storage incident reporting
Control objective: We track and follow up on incidents related to storage and performance.
Activity and deliverable: Performance and storage summary, including metrics and incident summary.
Owner: ICT Operations Manager
Assurance provider: Service desk
Frequency / timing: Monthly
Key risk: ICT systems may not provide sufficient storage and performance.

5.1 CIO cloud assessment tool
Control objective: Cloud systems can provide sufficient storage and performance. We have considered good practice in managing cloud suppliers.
Activity and deliverable: Complete the risk assessment and related tool as per the CIO publication "Cloud Computing: Information Security and Privacy Considerations."
Owner: Chief Executive
Assurance provider: CIO
Frequency / timing: One per cloud supplier. For new systems this will be done alongside certification. For existing systems, refer to the schedule.
Key risk: Information may be accessed / accessible by an unauthorised person. Suppliers may not be protecting our information (including DR).
5.2 Operational staffing needs analysis
Control objective: We have sufficient operations and management staff with the right skills.
Activity and deliverable: Analysis of current staffing levels vs. forecasted needs, considering existing skill sets. Reporting to the CIO.
Owner: CIO
Assurance provider: ICT Operations Manager
Frequency / timing: Monthly updates, following last year's full review
Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.

5.3 Supplier management framework review
Control objective: We have considered good practice in managing cloud suppliers.
Activity and deliverable: Analysis of the framework and templates for supplier management plans.
Owner: CIO
Assurance provider: Internal audit
Frequency / timing: One-off
Key risk: Suppliers may not perform and/or opportunities to increase value may be missed.

5.4 Key supplier SLA dashboard
Control objective: We monitor and assess the reports provided by suppliers.
Activity and deliverable: SLA reports from suppliers rolled up into a monthly report on key KPIs with additional analysis.
Owner: CIO
Assurance provider: ICT Operations Manager
Frequency / timing: Monthly
Key risk: Suppliers may not perform and/or opportunities to increase value may be missed.

5.5 Supplier issues / breach report
Control objective: We track important supplier issues to resolution.
Activity and deliverable: Incident and breach reporting from suppliers rolled up into a monthly summary with additional analysis.
Owner: CIO
Assurance provider: ICT Operations Manager (based on ongoing monitoring of the breach / incident register)
Frequency / timing: Monthly
Key risk: Suppliers may not be protecting our information (including DR).
5.6 Verification of supplier certifications
Control objective: Supplier independent certifications / reports are sufficient and current.
Activity and deliverable: Review of the current status of any relevant third-party certifications claimed by suppliers.
Owner: ITSM
Assurance provider: Security team
Key risk: Suppliers may not be protecting our information (including DR).

5.7 Strategic analysis of projected needs vs. supplier capability
Control objective: Supplier strategy is aligned with longer-term business goals.
Activity and deliverable: Check-up on alignment of business strategy, ICT strategy and supplier capability projected to 1, 2 and 5 years.
Owner: CIO
Assurance provider: CIO
Key risk: Current suppliers may not be able to continue to meet business needs into the future.
5.8 Review of supplier management plans
Control objective: Controls and procedures are in place to manage suppliers consistently and effectively.
Activity and deliverable: Internal audit assessment of a sample of plans to see if they align with the supplier management framework.
Owner: ICT Operations Manager
Assurance provider: Internal audit
Frequency / timing: Bi-annual
Key risk: Suppliers may not be protecting our information (including DR). Suppliers may not perform and/or opportunities to increase value may be missed.

5.9 Supplier health checks
Control objective: Suppliers are reviewed for their viability.
Activity and deliverable: Analysis of factors that could impact the future performance of key suppliers.
Owner: CIO
Assurance provider: ICT Operations Manager
Frequency / timing: Annual
Key risk: Current suppliers may not be able to continue to meet business needs into the future.

6.0 ICT governance review
Control objective: Our governance groups have sufficient ICT understanding.
Activity and deliverable: Survey of ICT and non-ICT governance groups that impact ICT. Do they need more training to better inform decisions related to ICT?
Owner: CIO
Assurance provider: External consultant
Frequency / timing: Bi-annual
Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.
6.1 Functional staffing needs analysis
Control objective: We have sufficient second and third line (functional) staff with the right ICT skills (e.g. Security, Risk, Internal Audit).
Activity and deliverable: Input is solicited from ITSM, Privacy Officer, Risk and Internal Audit on the state of their current skill sets with regard to ICT.
Owner: CIO (other functional leads retain accountability for their staffing)
Assurance provider: Functional managers, reporting to the CIO
Frequency / timing: Annual
Key risk: We may not have enough staff with the right skills to meet our objectives related to ICT.

4 Capacity planning
Control objective: We forecast demand to plan strategically for capacity.
Activity and deliverable: Using modelling tools, update the capacity forecast, applying scenario analysis. Report.
Owner: CIO
Assurance provider: ICT Operations Manager
Frequency / timing: Quarterly
Key risk: ICT systems may not provide sufficient storage and performance.