A Municipal Guide / Roadmap To Successful ICT Governance

Tuesday, 19 June 2012

Prepared by

With support from:

Original compiled by: Peet Smith, http://www.rmsafrica.co.za


REVISION HISTORY

Version   Date         Status                                                        Who
V1.0      March 2012   Final Draft: Submitted & Approved by SALGA NEC                Douglas Cohen
V1.1      April 2012   Incorporated National Treasury input                          Douglas Cohen
V1.2      June 2012    Updated / aligned with DPSA Corporate ICT Governance Policy   Douglas Cohen


Municipal ICT Governance Guidelines

Page 3 of 93

GLOSSARY OF TERMS AND DEFINITIONS

AG: Auditor-General

Accounting Officer: Each municipal council is headed by a municipal manager who is the head of administration and also the accounting officer. The municipal manager advises council and its committees on administrative matters such as policy issues, financial matters, organisational requirements and personnel matters. As accounting officer, the municipal manager is comparable to a director-general in the public service. He/she has to personally provide reasons to council for the way in which the financial affairs of the departments of council have been conducted.

BCM: Business Continuity Management

BITA: Business IT Alignment

BS 25999: British standard for business continuity management (BCM)

Business Goals: Statements that describe what the business will accomplish, or the business value a project will achieve; a clear vision of what you want to achieve, and how.

Charter: A document that defines the purpose of the initiative, how it will work, and what the expected outcomes are. For example, a project charter is a statement of the scope, objectives and participants in a project. It provides a preliminary delineation of roles and responsibilities, outlines the project objectives, identifies the main stakeholders, and defines the authority of the project manager.

CobiT: Control Objectives for Information and Related Technology. An IT governance framework and toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

CFO: Chief Financial Officer

CIO: Chief Information Officer

Control: A procedure or policy that provides reasonable assurance that the information technology (IT) used by an organisation operates as intended.

Corporate Governance: The set of responsibilities and practices exercised by the Council and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.

Deliverable: A term used in project management to describe a tangible or intangible object produced as a result of the project that is intended to be delivered to a customer.

DRP: Disaster Recovery Planning

DPSA: Department of Public Service and Administration

EXCO: Executive Management

Executive Authority: Executive Authority means Executing Authority. In a Constitutional Institution: the Chairperson of the Constitutional Institution in relation to a Constitutional Institution with a body of persons, and in relation to a Constitutional Institution with a single office bearer, the incumbent of that office. According to section 11(1) of the Municipal Systems Act (Act No. 32 of 2000) the executive and legislative authority of a municipality is exercised by the council of the municipality.

Executive Management: Executive Management could include the Municipal Manager and the section 57 management. This normally constitutes the Executive Committee of the municipality. Each municipal council is headed by a municipal manager who is the head of administration and also the accounting officer (see Accounting Officer above).

Framework: A basic conceptual structure with items which supports a particular approach to a specific objective; e.g. CobiT is an IT governance framework.

GICT: Governance of ICT

Governance of ICT: The effective and efficient management of IT resources to facilitate the achievement of company strategic objectives (King III: 2009). It is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategy and objectives (ITGI 2005).

Governance Principles: The vehicle to translate the desired behaviour into practical guidance for day-to-day management.

ICT: Information and Communication Technology, also referred to as IT

ISACA®: Information Systems Audit and Control Association

ISMS: Information Security Management System

IT Goals: Processes that ensure that IT sustains and extends the organisation’s strategy and objectives

IT: Information Technology

ITIL: IT Infrastructure Library

ISO/IEC: International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC)

ISO/IEC 20000: The first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1 SC7 and revised in 2011.

ISO/IEC 24762: International standard - Security techniques - Guidelines for information and communications technology disaster recovery services

ISO/IEC 27001/2: Part of the ISO/IEC 27000 family of standards; an Information Security Management System (ISMS) standard published in October 2005

ISO 38500: Corporate governance of information technology standard. Provides a framework for effective governance of IT to assist those at the highest level of organisations to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organisations’ use of IT.

JSE: Johannesburg Stock Exchange

JTC1/SC27: Joint Technical Committee 1 / Sub Committee 27 (ISO/IEC Technical Committee with responsibility for IT standards)

KGI: Key Goal Indicator. A KGI is a measure of "what" has to be accomplished.

King III: The King Code of Corporate Governance for South Africa 2009

KPI: Key Performance Indicator. While KGIs focus on “what”, KPIs are concerned with “how”.

LG Seta: Local Government Sector Training Authority

LGTS: Local Government Turnaround Strategy

Metrics: A measure of an organisation's activities and performance

MFMA: Municipal Finance Management Act

NT: National Treasury

OGC: Office of Government Commerce (UK Government Department, custodian of ITIL)

Policy: A principle or rule to guide decisions and achieve rational outcome(s)

PAIA: Promotion of Access to Information Act

Process: Sequence of interdependent and linked procedures which, at every stage, consume one or more resources

Procedure: A fixed, step-by-step sequence of activities or course of action (with definite start and end points) that must be followed in the same order

Responsible: Refers to the person who must ensure that activities are completed successfully

Risk: The potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).

SABS: South African Bureau of Standards

SANS: System Administration, Network and Security Institute. SANS is by far the largest source for information security training and security certification in the world.

SALGA: South African Local Government Association

SCOA: Standard Chart of Accounts

Strategy: The direction and scope of an organisation over the long term, which achieves advantage for the organisation through its configuration of resources.


TABLE OF CONTENTS

REVISION HISTORY ..... 2
GLOSSARY OF TERMS AND DEFINITIONS ..... 3
1. INTRODUCTION & GUIDELINES OVERVIEW ..... 10
   1.1. SALGA’S ICT AGENDA ..... 10
   1.2. SALGA’S OBJECTIVES ..... 10
   1.3. DIFFERENTIATION BETWEEN LOCAL GOVERNMENT ENTITIES ..... 11
   1.1. GUIDELINE OVERVIEW ..... 13
2. OBJECTIVE OF THE GUIDELINE ..... 14
   2.1. WHY ICT GOVERNANCE? ..... 14
   2.2. THE ICT FUNCTION WITHIN MUNICIPAL STRUCTURES ..... 14
   2.3. ADVANTAGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK ..... 15
   2.4. CHALLENGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK ..... 15
3. RELATIONSHIP BETWEEN CORPORATE GOVERNANCE & ICT GOVERNANCE ..... 17
   3.1. “GOOD” CORPORATE GOVERNANCE ..... 17
   3.2. CORPORATE GOVERNANCE IN RELATION TO ICT GOVERNANCE ..... 18
   3.3. THE IMPORTANCE OF ICT GOVERNANCE IN THE LOCAL GOVERNMENT SECTOR ..... 19
4. CORPORATE GOVERNANCE OF ICT: MUNICIPAL STRUCTURES & LAYERS ..... 20
   4.1. MUNICIPAL STRUCTURES ..... 20
   4.2. THREE LAYERS OF CORPORATE GOVERNANCE OF ICT ..... 20
   4.3. SUMMARY OF CORPORATE GOVERNANCE OF ICT PRINCIPLES ..... 23
5. ROADMAP TOWARDS MUNICIPAL ICT GOVERNANCE ..... 24
   5.1. INITIAL CONSIDERATIONS ..... 24
   5.2. DEFINING OBJECTIVES & MISSION ..... 25
   5.3. CRITICAL SUCCESS FACTORS FOR A BUSINESS / IT RELATIONSHIP ..... 26
   5.4. DEFINING APPROPRIATE ORGANISATIONAL STRUCTURES ..... 27
      5.4.1. MUNICIPAL ICT STEERING COMMITTEE ..... 28
      5.4.2. THE MUNICIPAL CIO / IT MANAGER OR DIRECTOR ..... 29
      5.4.3. RECOMMENDED PLACEMENT OF THE ICT FUNCTION IN MUNICIPAL STRUCTURES ..... 30
   5.5. IT GOVERNANCE IMPLEMENTATION ROADMAP ..... 32
      5.2.1 IDENTIFY NEEDS ..... 32
      5.2.2 ENVISION SOLUTION ..... 32
      5.2.3 PLAN SOLUTION ..... 33
      5.2.4 IMPLEMENT SOLUTION ..... 33
      5.2.5 OPERATIONALISE SOLUTION ..... 33
   5.6. RACI CHART ..... 33
6. RECOMMENDED SHORT AND MEDIUM TERM APPROACHES ..... 35
   6.1. SHORT TERM ..... 35
      9.2.1 SECURITY MANAGEMENT ..... 35
      9.2.2 USER ACCESS CONTROL ..... 36
      9.2.3 PROGRAM CHANGE MANAGEMENT ..... 36
      9.2.4 DATA CENTRE MANAGEMENT ..... 36
      9.2.5 FACILITIES AND ENVIRONMENTAL CONTROLS ..... 37
      9.2.6 ICT SERVICE CONTINUITY ..... 37
      9.2.7 IT INFRASTRUCTURE ..... 37
   6.2. MEDIUM TO LONG TERM ..... 38
7. SKILLS REQUIREMENTS FOR GOOD ICT GOVERNANCE ..... 39
   7.1. ADDRESSING TRAINING NEEDS ..... 41
8. MEASURING, MONITORING AND BENCHMARKING ..... 43
   8.1. ICT GOVERNANCE MATURITY LEVELS ..... 43
   8.2. MEASURING AND MONITORING ACTIVITIES ..... 43
   8.3. ICT GOVERNANCE MEASUREMENTS ..... 44
9. SUPPORT FOR MUNICIPAL ICT GOVERNANCE ..... 45
   9.1. THE ROLE OF SALGA ..... 45
   9.2. NATIONAL TREASURY ..... 45
      9.2.1. STANDARD CHART OF ACCOUNTS (SCOA) ..... 46
   9.3. OTHER STAKEHOLDERS ..... 46
      9.3.1. COOPERATIVE GOVERNANCE AND TRADITIONAL AFFAIRS (COGTA) ..... 46
      9.3.2. DEPARTMENT OF PUBLIC SERVICE AND ADMINISTRATION (DPSA) ..... 47
      9.3.3. THE AUDITOR GENERAL ..... 47
      9.3.4. LOCAL GOVERNMENT SECTOR TRAINING AUTHORITY (LGSETA) ..... 47
10. METHODOLOGY USED TO COMPILE THE GUIDELINE ..... 48
   10.1. CONCEPTUAL APPROACH ..... 48
   10.2. ICT GOVERNANCE FRAMEWORK COMPONENTS ..... 48
   10.3. THE DRAFT DPSA ICT GOVERNANCE FRAMEWORK ..... 49
   10.4. INTEGRATION OF BEST PRACTICE ..... 49
ADDENDUM A – STANDARDS, CODES AND BEST PRACTICE ..... 51
   A1 GOVERNANCE ..... 51
      A1.1 KING III CODE OF GOVERNANCE ..... 51
      A1.2 SANS 38500: 2008 ICT GOVERNANCE STANDARD ..... 54
      A1.3 COBIT GOVERNANCE FRAMEWORK ..... 56
   A2 SERVICE MANAGEMENT ..... 58
      A2.1 ITIL V2/3 ..... 58
      A2.2 ISO/IEC 20000 ..... 61
   A3 SECURITY MANAGEMENT ..... 63
      A3.1 ISO/IEC 27001 ..... 63
      A3.2 ISO/IEC 27001 CONTROLS ..... 64
   A4 BUSINESS CONTINUITY / DISASTER RECOVERY ..... 66
      A4.1 BS 25999 ..... 66
      A4.2 ISO/IEC 24762 ..... 69
      A4.2.1 ISO/IEC 24762 CONTROLS ..... 70
   A5 MINIMUM IT GENERAL CONTROLS ..... 72
      A5.1 AIM ..... 72
      A5.2 IT GOVERNANCE ..... 72
      A5.3 SECURITY MANAGEMENT ..... 73
      A5.4 USER / ACCOUNT ACCESS CONTROL ..... 73
      A5.5 PROGRAM CHANGE MANAGEMENT ..... 73
      A5.6 DATA CENTRE MANAGEMENT ..... 74
      A5.7 FACILITIES AND ENVIRONMENTAL CONTROLS ..... 74
      A5.8 IT SERVICE CONTINUITY ..... 74
   A6 TYPICAL STRUCTURE OF AN ICT ORGANISATION ..... 75
   A7 SUGGESTED TRAINING CURRICULUM ..... 77
      A7.1 KING III CORPORATE CODE OF GOVERNANCE ..... 77
      A7.2 CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY ..... 77
      A7.3 SERVICE MANAGEMENT ..... 78
      A7.4 SECURITY MANAGEMENT ..... 79
      A7.5 BUSINESS CONTINUITY ..... 79
      A7.8 DISASTER RECOVERY ..... 80
ADDENDUM B – SELF ASSESSMENT ..... 81


1. INTRODUCTION & GUIDELINES OVERVIEW

The South African Local Government Association (SALGA) represents local government on numerous intergovernmental forums. SALGA is funded through a combination of sources, including a national government grant, membership fees from provincial and local government associations that are voluntary members, and donations from the donor community for specific projects.

1.1. SALGA’S ICT AGENDA

At the 2010 SALGA National Members Assembly the following recommendations were proposed and adopted:

- Recognition that ICTs can be better leveraged for effective administration, service delivery and socio-economic development, and are therefore integral to the functioning of any well-run municipality;
- Raising the political and actual profile of ICT within local authorities (and down to the community level); and
- Mandating and capacitating SALGA to be an effective coordinator and champion in driving for more effective use of ICTs for and in local government.

SALGA’s ICT agenda for local government lies within the Directorate of Economic Development & Planning. Given the crucial role ICT plays, the directorate’s focus falls within four broad areas:

- Internal ICT systems, processes and infrastructure;
- Broadband connectivity and access;
- e-Government and provision of services; and
- Awareness of ICTs and the capacity of communities to engage and participate.

1.2. SALGA’S OBJECTIVES

SALGA aims to:

- Transform local government to enable it to fulfil its developmental role;
- Enhance the role of provincial local government associations as provincial representatives and consultative bodies on local government;
- Raise the profile of local government;
- Ensure full participation of women in local government;
- Act as the national employers’ organisation for municipal and provincial member employers; and


- Provide legal assistance to its members, using its discretion in connection with matters that affect employee relations.

To support SALGA in applying these principles, the Association has decided to establish a Corporate Governance ICT Guideline which comprises the definition and importance of Governance within the public sector, alignment to legislation and standards for municipalities, definition and clarity on decision-making mechanisms, and alignment to the public service ICT Governance Framework.

The objective is also that these components should be supported by the identification of any factors which may hinder the adoption of this Guideline. [1]

[1] http://www.pmg.org.za/report/20110413-department-objects-local-government-municipal-systems-amendment-bill- The Auditor-General identified the South African Local Government Association (SALGA), National Treasury, the National Council of Provinces and National Assembly as key role players in working towards clean audits. In his assessment of the NA and NCOP’s monitoring effectiveness, he advised that there had to be visible action plans and recommendations showing intervention in the following areas of focus: Supply Chain Management, Predetermined Objectives, Financial Management, Turnaround Plans, IT Controls, Human Resource Management, Use of Consultants, Municipalities under Administration and Governance structures.

1.3. DIFFERENTIATION BETWEEN LOCAL GOVERNMENT ENTITIES

Cognisance must be taken that there are low-, medium- and higher-capacity municipalities, as well as those in urban and rural settings, across the divisions of local, district and metro municipalities.

This is reflected in the phasing-in of the Municipal Finance Management Act (MFMA), whereby the National Treasury has categorised all municipalities according to their financial management capacity as high, medium or low capacity. In this regard, the Division of Revenue Act 2004 provides information on transfers to local government and budget per capita per district and for each of the metropolitan municipalities. A basic calculation using this information provides a rough estimate of the resource availability in each municipality, or the ability of the municipality to raise revenue. A further elementary calculation places each municipality in one of three categories of fiscal capacity: poor, adequate or resource rich. If the above two categorisations are used together they produce five distinct categories of municipalities. These are:

- Rich in resources and high-capacity;
- Adequate resources and medium-capacity;
- Poor resources and medium-capacity;
- Adequate resources and low-capacity; and
- Poor resources and low-capacity.

Unfortunately the last category represents about 30% of all municipalities, and it goes without saying that these municipalities need more rigorous organisational reforms and restructuring initiatives than the other categories listed.

There are also other classifications, for example:

As directed by the Constitution, the Local Government: Municipal Structures Act, 1998 (Act 117 of 1998) contains criteria for determining when an area must have a category-A municipality (metropolitan municipalities) and when municipalities fall into categories B (local municipalities) or C (district municipalities).

The Act also determines that category-A municipalities can only be established in metropolitan areas. Metropolitan councils have single metropolitan budgets, common property ratings and service-tariff systems, and single employer bodies.

Briefly, the three categories of municipalities can be described as follows:

- Category A municipalities, which have exclusive municipal executive and legislative authority in their area. In other words, there is only one municipal council in an area with a category "A" municipality. Category "A" municipalities are established in metropolitan areas.
- Category B municipalities, which share municipal executive and legislative authority in their area with a category C municipality within whose area they fall. A local municipality is an example of a category B municipality.
- Category C municipalities, which have municipal executive and legislative authority in an area that includes more than one municipality, for example, a district municipality.

On 30 June 2011 National Treasury released its State of Local Government Finances and Financial Management Report into the public domain, to enhance transparency in this topical and dynamic area, together with an HSRC report highlighting widespread financial distress in local government. Despite improvements in the area of local government finance (reflected in marginally improved audit outcomes), the National Treasury report also highlighted a number of chronic concerns, including under-spending on capital budgets and high levels of consumer debt. The report’s public release is extremely important in supporting informed debate as to the state of local government finances, with its “naming and shaming” element also serving as an important incentive for municipalities to improve reporting and public accountability.


1.1. GUIDELINE OVERVIEW


2. OBJECTIVE OF THE GUIDELINE

This document provides suggestions on how to improve the status of ICT Governance within municipalities and is to be used as a guideline to understand and get familiar with the concept of IT Governance.

2.1. WHY ICT GOVERNANCE?

By adopting this Corporate Governance ICT Guideline, the following objectives are

anticipated:

Raising the profile of ICT within municipalities

Raising the profile of ICT as a strategic enabler for effective administration and

service delivery;

Bringing international good practices into the municipal arena

Further strengthening corporate governance of ICT as well as ensuring the CIO (head

of ICT) be an integral part of the executive management of a municipality;

Institutionalising IT governance as an integral part of municipal corporate

governance;

Creating a process whereby IT governance standards across and within the local

government sector can be introduced;

Improving the IT governance literacy and lingo within municipalities

2.2. THE ICT FUNCTION WITHIN MUNICIPAL STRUCTURES

Developing countries such as South Africa have a tremendous potential for rapid and sustainable economic and social development by leveraging the potential of ICT and applying it appropriately within the local government sector. As such, the Local Government Turnaround Strategy (LGTAS) vision states that:

• Each municipality has the necessary ICT infrastructure and connectivity; and that
• ICT systems must be put in place across all municipalities to accelerate service delivery, improve efficiency and accountability.

However, technology on its own cannot achieve anything; it must be supported by capable people and tested processes that will provide services in which the public can have confidence.

Disparities both within the municipal sector and in the larger South African ICT landscape have affected the manner in which municipalities make successful use of ICT. The result is that when it comes to ICT, municipalities:

• Operate in a very isolated, non-uniform manner;
• Are ill-prepared to face ICT resource, skill and budget constraints; and
• Have limited access to or support from other spheres of government and are often left to the mercy of the market.

The huge ICT skills shortage in South Africa also has a negative impact on the Public Sector, specifically Local Government. Unfortunately the reality is that staff are made up of under-qualified professionals with watered-down skills that are not geared for real-life ICT crises and challenges. This negatively affects the optimal running of ICT departments and the delivery of government ICT projects.

2.3. ADVANTAGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK

ICT has become an integral part of doing business today, as it is fundamental to the support, sustainability and growth of municipalities. ICT cuts across all aspects, components and processes in business and is therefore not only an operational enabler for a municipality, but an important strategic asset which can be leveraged to create opportunities and to gain competitive advantage.

As well as being a strategic asset to the municipality, ICT also presents municipalities with significant risks. The strategic asset of ICT and its related risks and constraints should be well governed and controlled to ensure that ICT supports the strategic objectives of the organisation.

By adopting an ICT Governance Framework, Mayors and Municipal Managers comply with the King III Code of Governance, which stipulates that prudent and reasonable steps must be taken with respect to ICT governance.

Adopting a strategic approach to ICT Governance extends the horizon of thinking beyond the boundary of “are we compliant, yes or no?” towards performance management, guiding optimal allocation of a municipality’s finite resources and providing the means to capture value back from the investment.

2.4. CHALLENGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK

One of the major challenges in implementing an ICT Governance Framework stems from the difficult task of taking a strategic viewpoint to assess and improve governance. The decision to go ahead has to come from the highest office. If the major benefits of adopting an ICT Governance Framework are not realised at this level, implementation attempts are most certainly doomed.

In the 2009/10 local government audit report, the Auditor-General revealed that municipalities were struggling to manage and integrate their ICT systems. Of the municipalities audited, 96% had deficiencies in their governance processes, more specifically related to Service Management processes such as ICT Continuity (disaster recovery) and Change Management.

Management, Turnaround Plans, IT Controls, Human Resource Management, Use of Consultants, Municipalities under Administration and Governance structures.

Successful adoption requires orientation, education and training, which do not happen overnight. The availability of suitably skilled staff to perform the many different tasks associated with a framework implementation comes with its own challenges. Training staff in the various required disciplines is often expensive and time consuming.

One size does not fit all. Although there is an abundance of guidance available, this still has to be tailored to municipality-specific requirements. The ability to improve governance is intrinsically tied to the ability to effectively measure it, to the tacit knowledge of employees and to successfully navigating the complex jungle of best practice, regulations, legislation, standards and the strategic intent of management.

For ICT governance to be successful, it should be a workable solution able to deal with the challenges and pitfalls presented by ICT. It should not only prevent problems but also enable competitive advantage. ICT risks are closely related to business risks, because ICT is the enabler for most business strategies. The management and control of ICT should therefore be a shared responsibility between the business and the ICT functions, with the full support and direction of executive management. ICT governance provides the oversight and monitoring of these activities within a wider enterprise governance scheme.


3. RELATIONSHIP BETWEEN CORPORATE GOVERNANCE & ICT GOVERNANCE

The purpose of corporate governance is to create value for the stakeholders of an institution.

3.1. “GOOD” CORPORATE GOVERNANCE

A governance system refers to all the means and mechanisms that enable the Accounting Officer and Executive Management of an Institution to have a structured and organised say in:

• Evaluating the internal and external context, strategic direction and risk in order to conceptualise the Institution’s strategic goals and how they will be measured;
• Directing the Institution in the execution of the strategic goals to ensure that value is realised and risk is managed; and
• Monitoring the execution of the strategic goals within an Institution against the measures identified for attaining the strategic goals.

Corporate governance is also concerned with individual accountability and responsibilities within an Institution. It describes how the institution is directed and controlled and is in particular concerned with:

• Organisation – the organisational structures and coordinating mechanisms (such as steering forums) established within the institution and in partnership with external bodies;
• Management – the individual roles and responsibilities established to manage business change and operational services; and
• Policies – the frameworks established for making decisions and the context and constraints within which decisions are taken.

The strategic direction, together with the external and internal context, influences the strategic goals. Corporate Governance and the Corporate Governance of ICT are executed at Executive Management level through the functions of evaluation, direction and monitoring. The management of business execution is done through the organisational structure and utilisation of the relevant resources.

The executive leadership and management of an Institution are accountable and responsible for implementing a governance system.

According to CobiT (Control Objectives for IT and Related Technology) Corporate Governance is the set of responsibilities and practices exercised by the Council and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.


3.2. CORPORATE GOVERNANCE IN RELATION TO ICT GOVERNANCE

While governance developments have primarily been driven by the need for transparency of enterprise risks and the protection of shareholder value, the pervasive use of technology has created a critical dependency on ICT that calls for a specific focus on ICT governance. The corporate governance of ICT is a subset of corporate governance and is an integral part of the governance system:

• The Executive Authority provides the political leadership;
• The Accounting Officer provides the strategic leadership; and
• Executive Management is responsible for ensuring that governance of ICT is implemented and managed.

The corporate governance of ICT involves evaluating and directing the plans for the use of ICT to support the Institution and monitoring their implementation. It includes the strategy and policies for using ICT within an Institution. The executive authority and executive management are accountable and responsible for ensuring that governance of ICT is implemented in their institution in line with this framework.

ICT Governance:

• Provides the structure that links ICT processes, ICT resources and information to enterprise strategies and objectives;
• Enables the integration and institutionalization of best practices of planning and organizing, acquiring and implementing, delivering and supporting, and monitoring and evaluating ICT performance to ensure that the enterprise’s information and related technology support its business objectives;
• Allows the enterprise to take full advantage of its information; and
• Identifies control weaknesses and assures the efficient and effective implementation of measurable improvements.

According to King III Code of Governance, good governance is essentially about effective leadership. Responsible leaders direct Council strategies and operations with a view to achieving sustainable economic, social and environmental performance. To ensure that this happens, the King III Code requires the Council to ensure that there is an effective risk based internal audit; and, that internal audit perform an objective assessment of the effectiveness of the governance processes, risk management and the internal control framework. Internal controls should be established not only over financial matters, but also operational, compliance and sustainability issues. Municipalities must therefore maintain an effective governance, risk management and internal control framework.


3.3. THE IMPORTANCE OF ICT GOVERNANCE IN THE LOCAL GOVERNMENT SECTOR

The effective management of information, information systems and communications is of critical importance to the success of the Public Sector, especially Local Government. This criticality arises from:

• The pervasiveness of and dependence on information and the services and infrastructure that deliver the information;
• The increasing scale and cost of current and future technology-related investments; and
• The potential for technologies to enable the transformation of enterprises and business practices.

There is an increasing demand from Local Government and executive management for generally accepted guidelines for decision making and benefits realisation related to ICT-enabled business investments. The management practices that traditionally have been applied are no longer sufficient. There is a clear incentive for management to ensure that effective governance and management processes are in place to create value through optimising benefits at an affordable cost with an acceptable level of risk.

As the successful use of ICT becomes more and more critical to municipalities’ success, the cost of doing nothing will far outweigh the cost of implementing ICT governance, which can reduce the losses caused by, for example, adverse or qualified audit opinions, failed projects, security incidents and operational outages, and increase the financial and intangible benefits created by ICT-enabled operational efficiency and competitive advantage.

Governance of ICT “The effective and efficient management of IT resources to facilitate the achievement of the company strategic objectives” (King III: 2009:52)

Corporate Governance of ICT "The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organisation." (ISO 38500: 2008:9)

ICT governance can be seen as a structure of relationships and processes to direct and control the enterprise use of ICT to achieve the enterprise’s goals by adding value while balancing risk vs. return over ICT and its processes.


4. CORPORATE GOVERNANCE OF ICT: MUNICIPAL STRUCTURES & LAYERS

Municipal councils exercise both legislative and executive functions. This is intended to facilitate hands-on governance and synergy between elected representatives, the executive and the administration. The proximity is meant to facilitate a more vibrant and responsive municipality that would ultimately result in efficient service delivery. ICT Governance is therefore the responsibility of both the political and executive management.

4.1. MUNICIPAL STRUCTURES

Local government legislation establishes various organs within the municipality and broadly defines the functions of these organs. It also creates various instruments for accountability and oversight. Importantly, municipalities themselves must define the precise roles of their organs in delegations and terms of reference.

These role definitions, terms of reference and instruments of accountability are intended to produce clear and sound internal municipal governance arrangements. This, in turn, is meant to define and shape the relationships within the municipal council and between the council and the administration.

4.2. THREE LAYERS OF CORPORATE GOVERNANCE OF ICT

Given the different types of municipalities (A, B and C), it is logical that leadership structures between these also differ. Some have an executive mayor system, some a mayoral system, and others a collective or plenary executive. For this reason it would be necessary to have different options for different types of municipalities. However, in all scenarios, the corporate governance of ICT is a subset of corporate governance and is an integral part of the governance system:

• The Executive Authority provides the political leadership;
• The Accounting Officer provides the strategic leadership; and
• Executive Management is responsible for ensuring that governance of ICT is implemented and managed.


Level: Political Leadership
General Description: The Executive Authority must:
• Provide political leadership and strategic direction;
• Determine policy and provide oversight;
• Ensure that ICT service delivery enables the attainment of the strategic plan;
• Take interest in the Governance of ICT to the extent necessary to obtain comfort that a properly established and functioning governance of ICT is in place to enable the Institution to leverage ICT as a business enabler;
• Assist the Accounting Officer to deal with inter-governmental, political and other ICT-related municipal business issues beyond their direct control or influence;
• Ensure that the municipality’s organizational structure makes provision for the corporate governance of ICT.

Level: Strategic Leadership
General Description: The Accounting Officer must:
• Provide strategic leadership and management;
• Ensure alignment of the ICT strategic plan with the municipal strategic plan / IDP;
• Ensure that the corporate Governance of ICT is placed on the municipal strategic agenda;
• Ensure that the municipality’s organizational structure makes provision for the corporate governance of ICT;
• Ensure the realization of municipal-wide value through ICT service delivery and management of municipal and ICT-related risks;
• Delegate authority, personal responsibility and accountability to the Executive Management with regard to the Corporate Governance of ICT;
• Provide appropriate ICT capability and capacity and appoint a suitably qualified and experienced CIO / IT Manager. The CIO / IT Manager should have access to and regularly interact on strategic ICT matters with the Accounting Officer and Executive Management;
• Monitor and evaluate the effectiveness of the Corporate Governance of ICT.

Level: Governance of ICT
General Description: The Executive / Senior Management must ensure that:
• ICT goals are aligned with the municipal strategic goals and support strategic business processes;
• ICT strategy is integrated with strategic business processes and that related risks are managed;
• Significant ICT investments and expenditure are informed by the municipal enterprise architecture, motivated (Business Cases), monitored and evaluated; and
• Advice is provided to the Accounting Officer on the implementation and management of the Corporate Governance of ICT.


4.3. SUMMARY OF CORPORATE GOVERNANCE OF ICT PRINCIPLES

Principle 1: Political Mandate
• The Corporate Governance of ICT must enable the municipality’s political mandate.
• The Executive Authority must ensure that the Corporate Governance of ICT achieves the political mandate of the municipality.

Principle 2: Strategic Mandate
• The Corporate Governance of ICT must enable the municipality’s strategic mandate.
• The Accounting Officer must ensure that the Corporate Governance of ICT assists in achieving the municipality’s strategic plans.

Principle 3: Corporate Governance of ICT
• The Accounting Officer is responsible for the Corporate Governance of ICT.
• The Accounting Officer must create an enabling environment in respect of the Corporate Governance of ICT within the applicable legislative and regulatory landscape and information security context.

Principle 4: ICT Strategic Alignment
• ICT service delivery must be aligned with the strategic goals of the municipality.
• The Executive Management must ensure that ICT service delivery is aligned with the municipality’s strategic goals and that the municipality accounts for current and future capabilities of ICT. It must ensure that ICT is fit for purpose at the current service levels and quality for both current and future municipal needs.

Principle 5: Significant ICT Expenditure
• The Executive Management must monitor and evaluate significant ICT expenditure.
• Executive Management must monitor and evaluate major ICT expenditure, ensure that the ICT expenditure is made for valid municipal business enabling reasons and monitor and manage the benefits, opportunities, costs and risks resulting from this expenditure, while ensuring that information assets are adequately managed.

Principle 6: Risk Management and Assurance
• Executive Management must ensure that ICT risks are managed and that the ICT function is audited.
• Executive Management must ensure that ICT risks are managed within the municipal risk management practice. It must also ensure that the ICT function is audited as part of the municipal audit plan.

Principle 7: Organisational Behaviour
• Executive Management must ensure that ICT service delivery is sensitive to organisational behaviour / culture.
• Executive Management must ensure that the use of ICT demonstrates the understanding of and respect for the organisational behaviour / culture.


5. ROADMAP TOWARDS MUNICIPAL ICT GOVERNANCE

5.1. INITIAL CONSIDERATIONS

The roadmap to implement control and governance over ICT is a generic approach for implementing ICT governance. It ensures that the focus is on municipal needs when improving control and governance of ICT processes. The roadmap is applicable regardless of the size of the initiative; it encourages management commitment and involvement and follows good project management practices. The roadmap is a continuous improvement approach that is followed iteratively, building a sustainable ‘business as usual’ process over time.

Building sustainability entails:

• Defining appropriate organisational structures;
• Integrating ICT governance with enterprise governance;
• Ensuring accountability for ICT throughout the enterprise;
• Drafting and clearly communicating policies, standards and processes for ICT governance and control;
• Effecting cultural change (commitment at all levels in the enterprise, from the executive office to the ‘shop floor’);
• Driving a process and culture of continuous improvement; and
• Creating optimum monitoring and reporting structures.

A municipality implementing ICT governance will need to do so in phases based on business priorities and ICT risks. The roadmap achieves this by prioritising the ICT goals and processes (including controls) based on the consideration of business goals and risks.

There are some obvious, but pragmatic, rules that management should follow:

• Treat the implementation initiative as a program activity with a series of phases rather than a ‘one-off’ step;
• Remember that implementation involves cultural change as well as new processes. Therefore, a key success factor is the effective management of organisational change;
• Make sure there is a clear understanding of the objectives; and
• Manage expectations. In most enterprises, achieving successful oversight of ICT takes time and is a continuous improvement process.


5.2. DEFINING OBJECTIVES & MISSION

SALGA hosted its flagship LGICT event ‘ConnectIT’ in Johannesburg between the 16th and 17th of August 2011. The conference brought together key players within local government and ICT professionals to brainstorm ideas on the way ICT could be better harnessed to benefit municipalities and overcome common challenges.

One of the key themes on the ‘ConnectIT’ agenda was how the profile of ICT could be raised within municipalities, including introducing IT governance into the business of local government. See the extracts below from the presentation by Mr. Jaap Van Staden (Business Analyst IT Systems, Overstrand Municipality). The full presentation is available online at http://lgict.org.za/connectit

“To provide ICT infrastructure and ICT business systems solutions that will assist the _______________ municipality to deliver sustainable services that are operationally efficient and cost effective to all its stakeholders and communities.”

• Cost effective solutions
• Quality Service Delivery
• Ongoing performance monitoring
• Aligned to business processes

5.3. CRITICAL SUCCESS FACTORS FOR A BUSINESS / IT RELATIONSHIP

• Understand your client’s business requirements
• Good business acumen – understand areas where ICT can add business value
• ICT Strategy sessions – building a shared vision
• One-on-one sessions with management & peers – talk in business terms
• Manage your client’s expectations
• Good Governance – monthly ICT Steering Committee
• ICT Architecture Forums/Workgroups: co-management – collaborative approach towards building ICT solutions for business
• Best practice project management – on time / within spec / within budget
• Cost-effective solutions at market-related prices
• Never promise more than you can deliver
• Deliver a consistent and quality service
• ICT support – ICT know-how & experience
• Contingency planning – ICT and Business: core competencies
• Contract only with reputable service providers with access to competent skills & knowledge resources: SP relationships = long-term investments
• Manage the relationships between your clients and with all other stakeholders
• Contracts Management – co-management: financial & technical transparency – value for money
• SDAs – Performance Management & Monitoring with penalties for non-performance
• Change Management – planned and tested – mitigation of operational & financial risks
• Problem Management and corrective measures – prevent re-occurrences – trend analysis
• Monitor and track new service requests and projects

5.4. DEFINING APPROPRIATE ORGANISATIONAL STRUCTURES

A Municipal Manager is part of the Executive Management of a municipality and is both the Accounting Officer and the Information Officer of the municipality. He/she may delegate certain duties/tasks to the Chief Financial Officer, who would be accountable to him/her. The Municipal Manager is therefore accountable:

• For all transactions entered into by his/her designates; and
• For sound record management (information management).

In this regard it is important to ensure that there is no confusion between the Municipal Manager, as the Information Officer, and the Chief Information Officer (CIO) as defined by King III.

The job description of a CIO has been revamped with the release of the King III Code of Governance for South Africa. IT governance is now a separate chapter of the corporate governance code, separate from risk management, compliance and audit.

The risk of placing ICT governance with internal audit is that the intention of King III will not be reached and ICT will continue to have a low profile.

From an administrative perspective, every municipality must have an internal audit function as per section 165 of the Municipal Finance Management Act (MFMA) and other related legislation. Internal Audit serves as “an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps organisations by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls and governance processes”.

The Promotion of Access to Information Act, 2000 (Act No 2 of 2000) gives effect to the constitutional right of a person to any information held by the state or any other person, where such information is required for the exercise or protection of any rights. What does this mean for the municipality? Legally, an information officer has to be appointed. In terms of the Act, the Municipal Manager is the information officer of the municipality. He/she is required to produce a manual in three official languages on the functions of the municipality, as well as an index of all the records held by the municipality and various other details.


Following the intentions of King III, it is suggested that:

I. The municipal ICT function reside under the office of the Municipal Manager, in parallel to Internal Audit; and
II. The implementation of the governance of ICT be delegated from the office of the Municipal Manager to a Municipal ICT Steering Committee made up of the relevant executive / senior management (section 57 managers) as well as the municipal ICT management (CIO / IT Manager or Director).

5.4.1. MUNICIPAL ICT STEERING COMMITTEE

The Municipal ICT Steering Committee is to ensure that everyone in the municipality understands the link between business and ICT goals and accepts their responsibilities with respect to the supply of and demand for ICT. The Municipal ICT Steering Committee will ensure that:

I. The necessary ethical culture, structures (including outsourcing), policies, procedures, processes, mechanisms and controls regarding all aspects of ICT use (business and ICT) are clearly defined, implemented and enforced;
II. ICT performance is assured through independent audit (Auditor-General);
III. An information security strategy is approved;
IV. Intellectual property in information systems is appropriately protected; and
V. ICT assets, privacy, security and personal information of employees are effectively managed.


5.4.2. THE MUNICIPAL CIO / IT MANAGER OR DIRECTOR

The implementation and operation of IT governance is the responsibility of the municipal CIO / IT Manager, who is expected to report to the IT Steering Committee and the Council about the effective and efficient management of IT resources to facilitate the achievement of corporate objectives.

King III also requires the CIO to define, maintain and validate the IT value proposition, align IT activities with environmental sustainability objectives, implement an IT control framework and ensure all parties in the chain from supply to disposal of IT services and goods apply good governance principles.

The formation of Architecture Forums / Workgroups would be a key theme of an ICT Steering Committee (extracted from the Overstrand Governance Presentation).

Principles of Co-Management:

i. Establish & maintain an enterprise architecture for ICT and Systems in the municipality;
ii. Assess and review (new) systems requirements against agreed enterprise architectures (Business and ICT);
iii. Assist with the deployment of new architectures, technologies & systems through a total SDLC;
iv. Assist with systems performance audits and benchmarking as may be required;
v. Assist to establish core competencies required in the Overstrand ICT and systems environment.

Architecture Forum Members:

• ICT Business Analyst & ICT Manager, co-opted staff from Directorates
• Representatives from service providers as may be required from time to time


5.4.3. RECOMMENDED PLACEMENT OF THE ICT FUNCTION IN MUNICIPAL STRUCTURES

The diagrams below show a suggested placement for ICT within a typical municipality.

Note that ICT is shown to have a direct link to the Municipal Manager’s office.


5.5. IT GOVERNANCE IMPLEMENTATION ROADMAP

Using CobiT as a reference, the following steps could be used as a guideline for implementing an ICT Governance Framework.

5.2.1 IDENTIFY NEEDS

Raise awareness and obtain management commitment - it is important to ensure that the background and drivers behind the initiative are understood clearly and that there is good support from top management.

Define Scope - it is important for the implementation team to be knowledgeable about the business environment and to have an insight into influencing factors such as competition, business goals, service providers, and legal and regulatory issues.

Define risks - it is important to know the enterprise’s risk profile, acceptance position and risk awareness so that an appropriate risk management attitude is taken.

Define resources and deliverables - it is possible that some municipalities have existing preferred IT models, standards and best practices that they are already using, so it is important to make sure that these are understood in order to consider how they can be used.

Plan program - based on the agreed-upon program and resource requirements, the resources need to be acquired and allocated to the program. Funding may be required to support the cost of these resources, and it may be necessary to acquire external consultants or experts.

5.2.2 ENVISION SOLUTION

Assess actual performance - it is necessary to establish how well existing processes are managed and executed, based on process descriptions, policies, standards, procedures, technical specifications, etc., to determine whether they are likely to support the business and IT requirements.

Define target for improvement - based on the assessed current-state process maturity levels, an appropriate maturity level should be determined for each process.

Analyse gaps and identify improvements - after the current capability of the processes has been determined and the target capability planned, the gaps between as-is and to-be should be evaluated and opportunities for improvement identified.


5.2.3 PLAN SOLUTION

Define projects - when all the potential initiatives for IT governance improvement have been identified, these initiatives should be prioritised into formal and justifiable projects.

Develop improvement plan - based on the project definitions, the resource plan and the IT budget, the prioritised improvements are now turned into a set of documented projects that support the overall improvement program.

5.2.4 IMPLEMENT SOLUTION

Implement the improvement - the approved improvement projects, including required change activities, are now ready for implementation, so the solutions as defined by the program can now be acquired or developed and implemented into the enterprise.

Monitor implementation performance - it is essential that the improvements can be monitored via ICT goals and ICT process goals.

Review program effectiveness - determine whether the ICT governance program delivered against expectations.

5.2.5 OPERATIONALISE SOLUTION

Build sustainability - build on the successes and lessons learned from the governance implementation project(s) to build and reinforce commitment amongst all ICT stakeholders for continuously improved governance of ICT.

Identify new governance requirements - using the feedback and lessons learned, monitoring of the improvements on performance and current understanding of business and ICT goals, the enterprise should consider new governance requirements.

5.6. RACI CHART

The RACI Chart (Responsible, Accountable, Consulted, and Informed) clarifies the assignment of responsibilities and decision-making rights across a number of roles. The RACI model is built around a simple 2-dimensional matrix which shows the 'involvement' of Functional Roles in a set of Activities. 'Involvement' can be of different kinds: Responsibility, Accountability, Consultancy or Informational. The model is used during analysis and documentation efforts in all types of Service Management, Quality Management, Process- or Project Management. A resulting RACI chart is a simple and powerful vehicle for communication. Defining and documenting responsibility is one of the fundamental principles in all types of Governance (Corporate or ICT-Governance).


The following chart gives an example of the RACI principles. Based on the capacity of the municipality, its resources and ICT requirements, the chart can be completed accordingly.

Example of the RACI Chart - Roles and Responsibility Categories

Functional Level    Designation
Strategic           Mayoral Office, Council & Municipal Manager's Office
Tactical            Municipal Manager; Internal Audit; PMO
Operational         Business process owner; Head of administration; Service desk
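The matrix described above, as an added example that is not part of the guide: the roles are the ones from the example chart, the activities and assignments are constructed, and the consistency rules (exactly one Accountable and at least one Responsible per activity, every role involved somewhere) are the usual RACI conventions rather than anything the guide prescribes.

```python
"""RACI chart validator (added example, not part of the SALGA guide).

A RACI chart is a 2-dimensional matrix: rows are activities, columns are
functional roles, cells hold R, A, C, I or blank.  The rules checked here
are the usual RACI conventions: every activity needs exactly one
Accountable role and at least one Responsible role, and every role must be
involved in at least one activity.  Roles are taken from the guide's
example chart; the activities and assignments are constructed.
"""
from typing import Dict, List

VALID_CODES = {"R", "A", "C", "I", ""}

# Functional roles from the guide's example chart, grouped by level.
ROLES: Dict[str, List[str]] = {
    "Strategic": ["Mayoral Office", "Council", "Municipal Manager's Office"],
    "Tactical": ["Municipal Manager", "Internal Audit", "PMO"],
    "Operational": ["Business process owner", "Head of administration",
                    "Service desk"],
}
ALL_ROLES = [r for level in ROLES.values() for r in level]

# Constructed sample chart: activity -> {role: code}.  Roles not listed
# for an activity are treated as blank (not involved).
SAMPLE_CHART: Dict[str, Dict[str, str]] = {
    "Approve ICT security policy": {
        "Council": "A", "Municipal Manager": "R",
        "Internal Audit": "C", "Head of administration": "I"},
    "Perform quarterly user access review": {
        "Municipal Manager": "A", "Business process owner": "R",
        "Internal Audit": "C", "Service desk": "I"},
    "Run security awareness campaign": {
        # Deliberately inconsistent: two Accountable roles, no Responsible.
        "Municipal Manager's Office": "A", "PMO": "A", "Service desk": "I"},
    "Test DRP and offsite backups": {
        "Municipal Manager": "A", "Service desk": "R"},
}


def validate_raci(chart: Dict[str, Dict[str, str]],
                  roles: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the chart is consistent."""
    findings: List[str] = []
    involved = set()
    for activity, cells in chart.items():
        codes: Dict[str, List[str]] = {}
        for role, code in cells.items():
            if role not in roles:
                findings.append(f"{activity}: unknown role '{role}'")
                continue
            if code not in VALID_CODES:
                findings.append(f"{activity}: invalid code '{code}' for {role}")
                continue
            if code:
                involved.add(role)
                codes.setdefault(code, []).append(role)
        accountable = codes.get("A", [])
        if len(accountable) != 1:
            findings.append(f"{activity}: expected exactly one Accountable "
                            f"role, found {len(accountable)}")
        if not codes.get("R"):
            findings.append(f"{activity}: no Responsible role assigned")
    for role in roles:
        if role not in involved:
            findings.append(f"{role}: not involved in any activity")
    return findings


def render(chart: Dict[str, Dict[str, str]], roles: List[str]) -> str:
    """Render the chart as a plain-text matrix (activities x roles)."""
    width = max(len(a) for a in chart)
    header = " " * width + " | " + " | ".join(r[:12].ljust(12) for r in roles)
    lines = [header, "-" * len(header)]
    for activity, cells in chart.items():
        row = " | ".join(cells.get(r, "").ljust(12) for r in roles)
        lines.append(activity.ljust(width) + " | " + row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_CHART, ALL_ROLES))
    for finding in validate_raci(SAMPLE_CHART, ALL_ROLES):
        print("FINDING:", finding)
```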


6. RECOMMENDED SHORT AND MEDIUM TERM APPROACHES

Recommendations provided below are based on the premise that roles and responsibilities should be allocated to each activity. It is also crucial to the success of the deliverable that timelines (anticipated start and end dates) be allocated for each activity. Guidelines for measuring and monitoring success of actual deliverables (see chapter 7 of this document) should be used.

Cognisance must also be taken of the fact that “one size does not fit all”. Because municipalities may differ greatly from each other in terms of size and capacity (see section 2.2 for a description of the different categories of municipalities), it is understandable that category A municipalities may have more resources in the form of manpower, budget etc. than category B and C municipalities. While the following list of recommendations should be considered by all categories of municipalities, category A and B municipalities should take specific notice of those recommendations denoted with “**”.

6.1. SHORT TERM

Control objectives and metrics should be assessed at operational level on an ongoing basis. These include the following:

9.2.1 SECURITY MANAGEMENT

** Dedicate responsibilities for information security to a dedicated information security officer, independent of the system administrator

** Design and implement ICT Security policies and procedures for the administration of security measures over the network, operating system and application systems. These need to be enforced and updated on a regular basis.

Carry out ICT security awareness initiatives and campaigns

Manage and maintain ICT security at the highest appropriate organisational level

Implement strong password controls to authenticate system access

Correctly configure firewalls and routers within the network environment to ensure optimal protection against unauthorised access

Implement patch management processes to prevent exploitation of vulnerabilities

Implement antivirus software across the organisation to protect information systems and technology from malware

Ensure that system configurations detect security vulnerabilities and that incidents are monitored, reported and resolved on a regular basis


Ensure that activities within the system network, including databases, are tracked using audit trails that are reviewed by someone independent of administration functions

Deploy firewall, anti-virus and anti-spyware solutions to make sure that email, intranet and internet are protected from attack, including:

o Monitored and Managed Firewall Services

o Managed Network-based Intrusion Detection Services

o Managed Integrated Security Appliance Services

o Internet Vulnerability Assessment Services

o Managed Virus Protection Services

9.2.2 USER ACCESS CONTROL

Formally document and approve user account management standards and procedures

Complete and get management approval for access request documentation for registering users, changing of access rights, password resets and termination of access rights

Minimise the number of users with administrator privileges that can perform all functions pertaining to user account management

Independently monitor activities of system administrators

Periodically review employee access rights and privileges to ensure they are in line with their job responsibilities
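One way to carry out the periodic review the items above call for, as an added example that is not from the guide: an account export is checked against a management-approved role-to-privilege matrix, the HR leaver list, a cap on user account administrators and a review cycle. The role matrix, accounts, leaver list, policy values (90-day cycle, at most two user account administrators) and field names are all constructed assumptions.

```python
"""Periodic user access review, written as an added example for this guide.

It implements the checks behind the user access control items above:
privileges in line with job responsibilities, no enabled accounts for
terminated staff, a minimal set of user account administrators, and a
regular review cycle.  The role matrix, accounts, leaver list, policy
values and field names are all constructed assumptions, not data or
settings from the guide.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed role -> permitted privileges matrix (as approved by management).
ROLE_MATRIX: Dict[str, Set[str]] = {
    "clerk": {"finance_read"},
    "finance_officer": {"finance_read", "finance_post"},
    "service_desk": {"password_reset", "finance_read"},
    "sysadmin": {"os_admin", "db_admin"},
    "user_admin": {"user_admin", "password_reset"},
}
# Privileges that allow a holder to administer systems or other accounts.
ADMIN_PRIVILEGES = {"user_admin", "os_admin", "db_admin"}
MAX_USER_ADMINS = 2          # assumed policy: at most two user account admins
REVIEW_INTERVAL_DAYS = 90    # assumed policy: review every account quarterly


@dataclass
class Account:
    username: str
    role: str
    privileges: Set[str]
    enabled: bool
    last_reviewed: date


# Constructed sample account export and HR leaver list.
ACCOUNTS: List[Account] = [
    Account("nmokoena", "clerk", {"finance_read"}, True, date(2012, 5, 2)),
    Account("tvanwyk", "finance_officer",
            {"finance_read", "finance_post", "user_admin"}, True, date(2012, 5, 2)),
    Account("jdlamini", "service_desk", {"password_reset", "finance_read"},
            True, date(2011, 11, 20)),
    Account("sadmin1", "sysadmin", {"os_admin", "db_admin"}, True, date(2012, 5, 2)),
    Account("uadmin1", "user_admin", {"user_admin", "password_reset"}, True, date(2012, 5, 2)),
    Account("uadmin2", "user_admin", {"user_admin", "password_reset"}, True, date(2012, 5, 2)),
    Account("pnaidoo", "clerk", {"finance_read"}, True, date(2012, 5, 2)),
]
LEAVERS: Set[str] = {"pnaidoo"}


def review_access(accounts: List[Account], role_matrix: Dict[str, Set[str]],
                  leavers: Set[str], today: date,
                  max_user_admins: int = MAX_USER_ADMINS,
                  interval_days: int = REVIEW_INTERVAL_DAYS) -> List[str]:
    """Return review findings; an empty list means no exceptions to action."""
    findings: List[str] = []
    user_admins: List[str] = []
    for acct in accounts:
        permitted = role_matrix.get(acct.role)
        if permitted is None:
            findings.append(f"{acct.username}: role '{acct.role}' is not in the approved role matrix")
            permitted = set()
        # Privileges beyond what the approved matrix grants to the role.
        excess = acct.privileges - permitted
        if excess:
            findings.append(f"{acct.username}: privileges beyond role '{acct.role}': {sorted(excess)}")
        # Termination of access rights: leavers must not keep enabled accounts.
        if acct.enabled and acct.username in leavers:
            findings.append(f"{acct.username}: account still enabled after termination")
        # Periodic review: flag accounts whose last review is older than the cycle.
        age = (today - acct.last_reviewed).days
        if age > interval_days:
            findings.append(f"{acct.username}: last reviewed {age} days ago (cycle is {interval_days} days)")
        if acct.enabled and "user_admin" in acct.privileges:
            user_admins.append(acct.username)
    # Minimise the number of users able to perform all account management functions.
    if len(user_admins) > max_user_admins:
        findings.append(f"{len(user_admins)} enabled accounts hold user_admin "
                        f"(policy max {max_user_admins}): {sorted(user_admins)}")
    return findings


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts holding admin privileges, for the independent monitor's log review."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.privileges & ADMIN_PRIVILEGES)


if __name__ == "__main__":
    for line in review_access(ACCOUNTS, ROLE_MATRIX, LEAVERS, date(2012, 6, 19)):
        print("FINDING:", line)
    print("Privileged accounts to monitor independently:", privileged_accounts(ACCOUNTS))
```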

9.2.3 PROGRAM CHANGE MANAGEMENT

** Establish and implement documented and approved program change control policies and procedures

** Ensure that programmers do not have access to the production environments. Where programmers have been granted access, ensure that this access is monitored.

Complete and get management approval for change request documentation for all program changes

Conduct user acceptance testing on all changes before migration to the production environment

9.2.4 DATA CENTRE MANAGEMENT

Control changes to database management software


Restrict access to system software with access control software to personnel with corresponding job responsibilities

** Log and review installation of all system software to establish an audit trail

** Schedule hardware equipment changes/maintenance and testing to minimise the impact on operations and users.

9.2.5 FACILITIES AND ENVIRONMENTAL CONTROLS

Control physical access to sensitive areas (e.g. computer room, operations, printing rooms, storage rooms, UPS/generators, network rooms, tape library, offsite backup storage facility)

** Periodically test environmental controls within data centres / computer rooms (e.g. water and smoke detectors, fire suppression system, fire extinguishers, air conditioning systems)

9.2.6 ICT SERVICE CONTINUITY

Incorporate the ICT continuity and disaster recovery plans into the organisational business continuity plan.

Distribute, update and test the ICT continuity plan and DRP and store them at an offsite location.

Implement an ICT backup and retention strategy

Perform backup procedures for data and programs according to the above strategy.

Store backups in a secure offsite storage facility

Implement physical access and environmental controls over the offsite storage facility

9.2.7 IT INFRASTRUCTURE

This includes management of hardware such as Servers, Desktops, Notebooks and other IT equipment.

Assess the warranty status of all machines

Develop an upgrade plan as hardware comes out of vendor support or to the end of serviceable life

Document your current server hardware and create a report that shows where all of your essential network services are currently located

Develop a data map so that you can see where data is currently stored


Server-based remote management of desktops: remotely manage virus detection and protection, operating system and application updates and patches, and nightly backups of employees’ hard disk images

6.2. MEDIUM TO LONG TERM

Based on ICT Governance measures, the following initiatives should be considered:

Develop an ICT strategic plan that supports business requirements

** Prepare an organisation structure, indicating roles and responsibilities, to ensure that ICT investments are aligned and delivered in accordance with enterprise strategies and objectives

** Establish an IT steering committee, chaired by the MM, with the CIO as secretariat, the CFO and Corporate Services as permanent members and other senior managers on invitation. This will ensure that decisions taken in respect of IT are taken in a coordinated manner.

** What cannot be measured cannot be monitored. Define KGIs for ICT Governance at executive level (Municipal Manager’s Office)

** Assess KPIs for ICT Governance on municipal ICT organisation level for compliance

Review ICT service performance periodically against targets

Conduct regular ICT risk assessments to identify emerging risks

** Manage the relationship with suppliers through signed service level agreements (SLAs) to ensure the quality thereof

** Adopt a project management framework that defines the scope and boundaries of managing ICT projects

Consider training initiatives such as those discussed in chapter 6 of this document

Conduct improvement projects and initiatives to ensure compliance

The proposed elevated placement of the CIO, reporting directly to the MM office on the organogram as head of ICT and as custodian of the information of the municipality, is supported; however, the responsibility needs to be captured or regulated in legislation. Furthermore, the new SCOA will also have to be aligned accordingly. SALGA needs to engage CoGTA’s view regarding this.


7. SKILLS REQUIREMENTS FOR GOOD ICT GOVERNANCE

While the shortage of ICT skills will not be solved overnight, it makes common sense to identify critical ICT skills to be able to manage potential crisis areas. The following list gives an indication of the type and level of expertise of ICT skills that are required to move towards and manage a functional ICT Governance Framework.

Skill - General Description

Information management - The overall management of information, as a fundamental business resource, to ensure that the information needs of the business are met.

Business risk management - The planning and implementation of organisation-wide processes and procedures for the management of operational risk.

Information security - The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.

Security administration - The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes the investigation of unauthorised access, compliance with data protection and performance of other administrative duties relating to security management.

Information assurance - The protection of systems and information in storage, processing, or transit from unauthorised access or modification; denial of service to unauthorised users; or the provision of service to authorised users.

Systems architecture - The specification of systems architectures, identifying the components needed to meet the present and future requirements, both functional and non-functional (such as security), of the business as a whole, and the interrelationships between these components.

Continuity management - The provision of service continuity planning and support. This includes the identification of information systems that support critical business processes, the assessment of risks to those systems’ availability, integrity and confidentiality and the coordination of planning, designing, testing and maintenance procedures and contingency plans to address exposures and maintain agreed levels of continuity.

Network design - The production of network designs and design policies, strategies, architectures and documentation, covering voice, data, text, e-mail, facsimile and image, to support business requirements and strategy.

Network operations - The day-to-day operation and maintenance of networked systems to ensure that the communication needs of the business are met.

Programming/software development - The design, creation, testing and documenting of new and amended programs from supplied specifications in accordance with agreed standards.

Web site specialism - The design, creation, testing, implementation and support of new and amended collections of pages of information on the world wide web or an intranet or extranet.

Project management - The management of projects, typically (but not exclusively) involving the development and implementation of business processes to meet identified business needs, acquiring and utilising the necessary resources and skills, within agreed parameters of cost, timescales and quality.

Configuration management - The systematic management of information relating to the documentation, software, hardware and firmware assets of an organisation. This will involve identification and appropriate specification of all configuration items (CIs). Required information will relate to storage, access, problem reporting and change control of CIs.

Change management - The management of all changes to the components of a live infrastructure, from requests for change (RFC) through to implementation and review, to support the continued availability, effectiveness and safety of the infrastructure.

Capacity management - The management of the capability and functionality of hardware, software and network components to meet current and predicted needs in a cost-effective manner.

Availability management - The overall control and management of services and their availability to ensure that all services meet all of their agreed availability targets.

Financial management for ICT - The overall financial management, control and stewardship of the ICT assets and resources used in the provision of ICT services, ensuring that all governance, legal and regulatory requirements are complied with.

Management and operations - The management and operation of the ICT infrastructure (typically hardware, software and communications) and the resources required to plan for, develop, deliver and support properly engineered ICT services and products to meet the needs of a business.

7.1. ADDRESSING TRAINING NEEDS

A formal training certification process across the board for knowledge that may not be used at the same level by all areas of the business is not recommended. Instead, training programs on specific business focus areas within specific functional levels within the various organisational branches of municipalities should be encouraged.

Municipalities all contribute to the National Skills Fund, managed by the Local Government Sector Training Authority (LGSETA). LGSETA is expected to support municipalities to:

Initiate learnerships;

Approve workplace skills plans that potential employers produce;

Provide funds for employers, trainers and workers; and

Observe and scrutinize education and training in their particular sector.

The following diagram illustrates areas of ICT governance where municipalities must engage with LGSETA for appropriate training programs. It is categorised into three areas, namely Strategic, Tactical and Operational, as follows:


Deliverables can be achieved through a combination of on-the-job training and mentoring as well as certified short courses and vendor certifications.


8. MEASURING, MONITORING AND BENCHMARKING

8.1. ICT GOVERNANCE MATURITY LEVELS

The King III Code defines a wide range of requirements that need to be fulfilled by all organisations (also Local Government) in South Africa, including an awareness of levels of maturity in the governance of ICT. Levels of maturity are recognised using the criteria of assigned responsibility to fulfil the King III principles and practices, the activities executed in support of the principles and practices, the supporting documents in place and the nature of performance measurements being monitored.

8.2. MEASURING AND MONITORING ACTIVITIES

It’s not about doing things right, it is about doing the RIGHT things right. How does this relate to Governance?

Typically decisions have to be made on a continual basis on how to allocate and reallocate resources and how to prioritise ICT activities and plans. Information on the importance of all current projects and ICT processes and how they are performing as an integral part of the overall ICT strategy is required on an on-going basis. Are they on track to reach business benefits? Do they require improvement, what are the business risks, how well are risks managed?

Amongst the many definitions for ICT governance, it can also be defined as:

“A framework that consists of the leadership, organisational structures and processes that ensure that the organisation’s ICT sustains and extends the organisation’s strategies and objectives.”

This translates into several responsibility and activity areas:

Business-IT strategic alignment, so that current ICT operations support the business and the future ICT organisation enables the business;

ICT value delivery, to identify and perform those ICT activities that actually deliver value to the business;

Risk management, which must become an integral part of all ICT processes so that risks are identified and dealt with;

Performance measurement, to monitor whether goals are reached and to provide directions for improvement where deviations are observed.

It comes down to the well-known ‘plan-do-check-act’ cycle.

The next figure provides the logic of proper governance principles, supported through a chosen technology for information analyses and governance compliance.


8.3. ICT GOVERNANCE MEASUREMENTS

The measurement of ICT Governance in Local Government needs to be taken over a medium to long term. It consists of a number of steps as follows:

Definition phase - ICT Governance goals or Key Goal Indicators (KGIs) need to be established at the top organisational level (Municipal Manager’s Office). These goals are then cascaded down in the municipal ICT organisation. A KGI is a measure of "what" has to be accomplished.

Translation phase - a cascading (breakdown) of the KGIs into measurable (weighted) Key Performance Indicators (KPIs) and sources/processes across the municipal divisions. A KPI defines and measures progress toward organisational goals. While KGIs focus on “what”, KPIs are concerned with “how”.

Measurement phase - audits/assessments (self-assessments) are conducted across the ICT environment on the relevance of Governance activities/plans/processes/RACI within the business value chain. The level of accomplished ICT Governance process roll-out per business requirement is measured.

Management phase - from the audit/assessment results, the cascaded KPIs/KGIs are analysed for shortfalls and the potential business risks arising from them (where not predefined) to enable corrective actions.

Opportunity phase - performance measures are then compared against the goals and the goals are checked for validity. Goals may be redefined because of business dynamics. Adjustments are budgeted for and implemented and, where necessary, KGIs/KPIs are adjusted and the cycle starts over, periodically.


9. SUPPORT FOR MUNICIPAL ICT GOVERNANCE

9.1. THE ROLE OF SALGA

By establishing this Corporate Governance ICT Guideline, SALGA realizes that a support function will be a requirement to enable successful adoption and implementation. Apart from the usual support structures that are already in place, SALGA will provide the following support structures:

Skills development and awareness sessions - in line with the suggested skills requirements as discussed in chapter 6 of this guideline, SALGA will provide educational workshops and awareness sessions on the various categories. These workshops and sessions will be made available on a regular basis and more detail will be made available in the near future.

ICT Governance Awards - in order to encourage the early adoption of ICT Governance within the various municipalities, SALGA is planning to award those municipalities which have shown a keen interest and enthusiasm to embrace the governance of ICT as a means to improve overall service delivery.

ICT Governance Assessments - a number of ICT governance assessments are planned over the medium to long term to assist municipalities to measure ICT governance maturity levels. More detail will be made available in the near future.

Conferences and Information Sharing - a number of conferences on ICT Governance and related topics are planned for the short to medium term. Apart from sharing valuable information on ICT governance and related topics, these conferences will also be invaluable with regard to networking and sharing information and ideas with colleagues and peers.

9.2. NATIONAL TREASURY

National Treasury is dependent on financial information received from municipalities to inform national policy. Municipalities, on the other hand, are more dependent on financial system vendors to maintain their financial systems and to retrieve financial information and associated reports. National Treasury realized the problems of poor quality reporting and made an undertaking to put in motion a process to resolve the problems. Since 2009 there have been several discussions at strategic level regarding a possible systems solution for local government. National Treasury is currently leading a project that seeks to close the information gap and at the same time improve the credibility of reports submitted, which will ultimately influence policy debates and policy direction.

National Treasury commissioned the above project in 2010, at first in order:


To assess the cost and capabilities of current financial systems utilised at municipalities

To document business process flows within the finance environment

To establish the minimum requirements of municipal financial management systems and compile such guidelines to be regulated as part of the Standard Chart of Accounts (SCOA) project.

Other issues such as IT Governance and IT infrastructure, on which financial and related systems are dependent, became increasingly evident as the project unfolded. Subsequently, a working committee of the Technical Committee for Finance (TCF) was established towards the end of last year, where National Treasury met with stakeholders, amongst others Provincial Treasuries, SALGA, CoGTA and IMFO, to discuss these issues. The Technical Committee on Finance (TCF) is comprised of officials from the National Treasury and provincial treasuries and supports the Budget Council.

9.2.1. STANDARD CHART OF ACCOUNTS (SCOA)

The National Treasury embarked on a budget reform program in 1999 aiming at improving accountability and modernising the accounts of government, primarily by bringing budget and expenditure reporting in line with international best practice. The ultimate aim of this reform remains unchanged: it is to provide better quality information to legislatures to assist in the policy making process and to reinforce Parliament’s oversight role.

The first part of the reform was the introduction of a new, standardised chart of accounts and new economic reporting format for national and provincial government departments in 2004. In this SCOA a standard list of expenditure items aligned with international accounting and economic reporting standards replaced the original “standard item” configuration in the financial systems.

The SCOA in essence comprises the coding of items used for classification, budgeting, recording and reporting of revenues and expenditures within the accounting system, in order to facilitate the recording of all transactions affecting assets and liabilities.

9.3. OTHER STAKEHOLDERS

9.3.1. COOPERATIVE GOVERNANCE AND TRADITIONAL AFFAIRS (COGTA)

CoGTA should monitor and influence improvements to address system deficiencies and duplication at municipalities.


9.3.2. DEPARTMENT OF PUBLIC SERVICE AND ADMINISTRATION (DPSA)

DPSA, in consultation with the GITO council, should extend the IT governance framework developed for national and provincial departments to incorporate local government. Consideration should be given to extending SITA’s mandate to provide technical support to local government.

9.3.3. THE AUDITOR GENERAL

The Auditor-General provides National Treasury with the Provincial and Local Audit Notes, which will assist in analysing the outcomes and considering the recommendations made. From the above it is clear that the performance of the financial systems is dependent on the way the IT governance structures are managed by the municipality, and this needs to be addressed as part of these reforms.

9.3.4. LOCAL GOVERNMENT SECTOR TRAINING AUTHORITY (LGSETA)

Municipalities all contribute to the National Skills Fund, managed by the Local Government Sector Education and Training Authority (LGSETA). LGSETA is expected to support municipalities to:

o Initiate learnerships;

o Approve workplace skills plans that potential employers produce;

o Provide funds for employers, trainers and workers; and

o Observe and scrutinise education and training in their particular sector.


10. METHODOLOGY USED TO COMPILE THE GUIDELINE

10.1. CONCEPTUAL APPROACH

An ICT Governance Framework is a system by which the current and future use of ICT is directed and controlled. This management system includes policies, plans, organisational structures, processes and governance mechanisms to enable the effective management of ICT resources.

An ICT governance framework comprises three tiers:

o At the Executive Authority level: Mayors and Municipal Managers Evaluate, Direct and Monitor the performance of ICT against plans, internal policies, external obligations and strategic objectives.

o At the Executive Management level: Municipal Managers and Executives Plan, Supervise, Check and Act to effectively and efficiently leverage ICT resources. Establish an IT steering committee chaired by the Municipal Manager, with the CIO as secretariat, the CFO and Corporate Services as permanent members, and other senior managers attending by invitation. This ensures that decisions taken in respect of IT are made in a coordinated manner.

o At the Process level: activities are performed, controlled and checked in alignment with business objectives.

10.2. ICT GOVERNANCE FRAMEWORK COMPONENTS

A Governance Framework is a management system which enables the effective management of ICT resources. More specifically, a Governance Framework should (at least) include the following components:

An ICT Governance Charter - The Charter outlines the decision-making rights and accountability for ICT governance that will enable the desirable culture in the use of ICT within the municipality. This is achieved by requiring ICT management to provide timely information to comply with direction and to conform to the principles of good governance.

A RACI Chart (Responsible, Accountable, Consulted, Informed) - The RACI chart clarifies the assignment of responsibilities and decision-making rights across a number of roles. Role descriptions are mapped to the key tasks that underpin the ICT services provided, using best practice such as the CobiT and ITIL process models as a reference.

Measurement and Monitoring – Performance maturity levels are established using the criteria of assigned responsibility to execute tasks in support of the principles and practices.

ICT Controls - Control activities are the policies, procedures, general, application, user and company-level responses that help ensure risk responses are properly executed.


Internal Audit - Internal audit performs the following functions:

o Evaluate the municipality’s governance processes;

o Perform an objective assessment of the effectiveness of risk management and internal controls;

o Analyse and evaluate business processes and associated controls; and

o Provide a source of information regarding instances of fraud, corruption, unethical behaviour and irregularities.
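Of the components listed above, the RACI chart is the one that is a concrete data structure, and the assignment errors that undermine it (two roles both "accountable" for a task, or a task nobody is responsible for) are easy to check mechanically. The following added example is illustration only and is not part of the guideline or of any project; the roles are taken from the steering-committee description in 10.1 and the tasks from the ITIL processes cited in Addendum A, the chart contents are constructed sample data, and the rules checked (exactly one Accountable role per task, at least one Responsible role) are standard RACI practice assumed here rather than stated in the guideline.

```python
"""RACI chart consistency checker (added illustration, not from the guideline).

Roles follow the guideline's steering-committee description (Municipal Manager,
CIO, CFO, Corporate Services) and the tasks its ITIL process list; the chart
entries themselves are constructed sample data, two of them deliberately wrong.
"""
from collections import Counter

VALID_CODES = {"R", "A", "C", "I"}

# Constructed sample chart: task -> {role: RACI code}
SAMPLE_RACI = {
    "Approve ICT governance charter": {
        "Municipal Manager": "A", "CIO": "R", "CFO": "C", "Corporate Services": "I"},
    "Incident management": {
        "Municipal Manager": "I", "CIO": "A", "Service Desk": "R", "CFO": "I"},
    # deliberately broken: two roles marked Accountable for one task
    "Change management": {
        "Municipal Manager": "A", "CIO": "A", "Service Desk": "R"},
    # deliberately broken: nobody is Responsible for doing the work
    "Financial management of ICT": {
        "Municipal Manager": "A", "CFO": "C", "CIO": "I"},
}


def validate_raci(chart):
    """Return a list of (task, problem) tuples; an empty list means the chart is consistent.

    Rules checked (standard RACI practice, assumed here):
      1. every code is one of R, A, C, I
      2. exactly one role is Accountable per task
      3. at least one role is Responsible per task
    """
    problems = []
    for task, assignments in chart.items():
        counts = Counter(assignments.values())
        for role, code in assignments.items():
            if code not in VALID_CODES:
                problems.append((task, f"invalid code {code!r} for role {role}"))
        if counts["A"] != 1:
            problems.append((task, f"expected exactly one Accountable role, found {counts['A']}"))
        if counts["R"] == 0:
            problems.append((task, "no Responsible role assigned"))
    return problems


def roles_without_accountability(chart):
    """Roles that never hold Accountable for any task.

    Useful when checking that decision rights were actually delegated (King III
    principle 5.3) rather than all left with one office-bearer.
    """
    all_roles = {role for assignments in chart.values() for role in assignments}
    accountable = {role for assignments in chart.values()
                   for role, code in assignments.items() if code == "A"}
    return sorted(all_roles - accountable)


if __name__ == "__main__":
    for task, problem in validate_raci(SAMPLE_RACI):
        print(f"{task}: {problem}")
    print("never accountable:", roles_without_accountability(SAMPLE_RACI))
```

Run against the constructed chart, the checker reports the two broken tasks and lists CFO, Corporate Services and Service Desk as roles that are never accountable for anything, which is the kind of finding an internal audit of the charter would raise.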

10.3. THE DRAFT DPSA ICT GOVERNANCE FRAMEWORK

The Draft Public Service Governance of Information and Communication Technology Framework was published in November 2011 by the Department of Public Service and Administration. The purpose of the Framework is to institutionalise the Corporate Governance of ICT and the Governance of ICT as an integral part of governance within institutions. The scope of the Framework applies to all national and provincial institutions as defined by the Public Service Act of 1994 as amended (Schedules 1 to 3).

The Municipal Guide / Roadmap to Successful ICT Governance (this document) should be seen as complementary to the DPSA Framework, as it builds on the concepts, standards, codes and best practice listed in the DPSA Framework. While the DPSA Framework is strategically positioned, the Guideline, although also strategic in nature, is more tactically and operationally focused. The Guideline should be used as a reference when implementing the Framework. It should be considered as moving from “strategic intent” (the DPSA Framework) to “operational excellence”.

10.4. INTEGRATION OF BEST PRACTICE

A solid ICT Governance Framework, supported by effective processes, is a must for any municipality that wants to ensure good governance covering all its business support mechanisms. These best practices carry a complexity that requires a smart approach to be successful in realising a final deliverable. By combining these best practices in a logical sense, mapping them against each other, they become complementary and form one logical model, in line with the requirements of local government environments. The main standards and best practices that should be referenced in an ICT Governance Framework are listed below:

ICT Governance

o COBIT®; Control Objectives for Information and related Technologies

o ISO 38500; Corporate Governance Standard

o King III Code of Governance (specifically chapter 5)

Service Management


o ITIL; IT Infrastructure Library, versions 2 & 3

o ISO 20000; IT Service Management Standard

Information Security Management

o ISO 27001/2; Information Security Standard

Business Continuity and Disaster Recovery Management

o BS 25999; Business Continuity Management

o ISO 24762; Disaster Recovery Management

From an ICT Governance perspective, CobiT, ISO 38500 and King III provide clear guidelines and control objectives for measurable governance, metrics and practices. From a security and business continuity perspective, ISO 27001/2, ISO 24762 and BS 25999 provide clear guidelines and controls for confidentiality, integrity and availability of services and the required risk mitigation.

EFFECTIVE BEST PRACTICE INTEGRATION

By adding ITIL to the equation, the question of how to do what is then addressed adequately. Roles, responsibilities and information process flows can now be established according to the priority for governing ICT and within the enabling processes and activities. These combined practices enable ICT governance that is based on business requirements, through appropriate delivery and support structures, mitigated risks and measured improvements.


ADDENDUM A – STANDARDS, CODES AND BEST PRACTICE

A1 GOVERNANCE

A1.1 KING III CODE OF GOVERNANCE

The King Code on Governance for South Africa (“King III”) was launched on 1 September 2009. It came into effect, and replaced the then existing King II Code on Corporate Governance (“King II”), on 1 March 2010.

King III sets out a number of key governance principles which should be read together with best practice recommendations on how to carry out each principle. A number of Practice Notes have also been issued by the Institute of Directors to assist entities in implementing King III.

King III’s principles and recommendations must be seen against the legislative requirements contained in the 2008 Act and the Public Finance Management Act of 1999. This is reflected in the terminology used in King III, with “must” indicating a legal requirement and “should” indicating where application of King III will result in good governance.

Significantly, King III also applies to all entities incorporated in and resident in SA, irrespective of their manner or form of incorporation or establishment. The application of King III is also mandatory for JSE listed companies.

In a change of approach, King III moves from a “comply or explain” approach to an “apply or explain” approach. The “apply or explain” approach requires a greater consideration of how a principle or a recommended practice in King III could be applied. A board may conclude that applying a recommended practice is not necessarily in the best interests of the company and apply a different practice, provided that it explains the practice adopted and its reasons for doing so.

At a high level, the King III Code of Governance addresses the following governance components:

o Ethical leadership and corporate citizenship

o Boards and directors

o Audit committees

o The governance of risk

o The governance of information technology

o Compliance with laws, rules, codes and standards

o Internal audit

o Governing stakeholder relationships


o Integrated reporting and disclosure

In addition, the King Committee also commissioned a number of Practice Notes to assist with insight into, and the practical application of, King III. Practice Notes are aimed at providing high-level guidance to those individuals charged with governance, to enable them to execute those duties, and are not intended to serve as detailed implementation guides.

The table below summarises chapter 5 of the code. Chapter 5 focuses specifically on ICT:

King III section / Principle, with the Recommended Practice listed under each principle by sub-section:

5.1 The board should be responsible for information technology (IT) governance

 5.1.1 The board should assume the responsibility for the governance of IT and place it on the board agenda.

 5.1.2 The board should ensure that an IT charter and policies are established and implemented.

 5.1.3 The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.

 5.1.4 The board should ensure that an IT internal control framework is adopted and implemented.

 5.1.5 The board should receive independent assurance on the effectiveness of the IT internal controls.

5.2 IT should be aligned with the performance and sustainability objectives of the company

 5.2.1 The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.

 5.2.2 The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

5.3 The board should delegate to management the responsibility for the implementation of an IT governance framework

 5.3.1 Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance framework.

 5.3.2 The board may appoint an IT steering committee or similar function to assist with its governance of IT.

 5.3.3 The CEO should appoint a Chief Information Officer responsible for the management of IT.

 5.3.4 The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and executive management.

5.4 The board should monitor and evaluate significant IT investments and expenditure

 5.4.1 The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.

 5.4.2 The board should ensure that intellectual property contained in information systems is protected.

 5.4.3 The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services.

5.5 IT should form an integral part of the company’s risk management

 5.5.1 Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.

 5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

5.6 The board should ensure that information assets are managed effectively

 5.6.1 The board should ensure that there are systems in place for the management of information, which should include information security, information management and information privacy.

 5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified.

 5.6.3 The board should ensure that an Information Security Management System is developed and implemented.

 5.6.4 The board should approve the information security strategy and delegate and empower management to implement the strategy.

5.7 A risk committee and audit committee should assist the board in carrying out its IT responsibilities

 5.7.1 The risk committee should ensure that IT risks are adequately addressed.

 5.7.2 The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.

 5.7.3 The audit committee should consider IT as it relates to financial reporting and the going concern of the company.

 5.7.4 The audit committee should consider the use of technology to improve audit coverage and efficiency.


A.1.2 SANS 38500: 2008 ICT GOVERNANCE STANDARD

The ISO/IEC 38500 standard on the Corporate Governance of ICT was published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC) in June 2008. The standard originated from the Australian standard AS 8015.

This standard provides a framework for effective governance of ICT, to assist those at the highest level of organisations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organisations’ use of ICT. This standard was adopted and published by the South African Standards Bureau in July 2009 and is available from the SABS.

The standard was published by the SABS for the South African environment in July 2009 and included the following as part of its national foreword:

“SANS 38500:2008 provides guidance on the effective and efficient use of corporate governance of information technology (IT) operations within organisations. Organisations that subscribe to SANS 38500:2008 as an international guideline to construct their corporate governance of ICT environment should note that efficient and effective corporate governance of ICT is derived from the interpretation, implementation and execution of the guidelines of SANS 38500:2008 in an organisational environment.

Adherence to SANS 38500:2008 guidelines assures stakeholders the confidence in the effective corporate governance of IT in the organisation. This assurance is not absolute and depends on how the guidelines of SANS 38500:2008 are interpreted, implemented and executed in order to govern the corporate use of IT effectively and efficiently.

SANS 38500:2008 should be implemented in conjunction with South African legislation and regulations. SANS 38500:2008 complements and dovetails with de facto corporate governance codes of practice such as the King II and King III reports on corporate governance for South Africa.

Definitions within SANS 38500:2008 were developed in order to cater for a global audience. Local definitions of terms can therefore, where relevant, be adopted in order to align the standard with the South African environment.”

SANS 38500:2008 is a principle-based standard, so when the governing body adopts these principles, they should provide the fundamental reference that influences its behaviour when governing the use of ICT. The standard offers the following six principles:


SANS 38500:2008 – Principles and descriptions:

Principle 1: Responsibility – This principle states that individuals or groups will be granted the required authority to accept and discharge their responsibilities in the use of IT. Although not explicitly stated, the governing body may delegate certain responsibilities, but remains accountable for the outcome.

Principle 2: Strategy – This principle states that the business strategy considers the capabilities of IT (both current and future) and that IT strategic plans enable the on-going realisation of the business’ strategic intent.

Principle 3: Acquisition – This principle states that IT is procured through sound and transparent investment decisions; that these decisions will consider the appropriate balance between risk and reward; and that investment benefits/outcomes are tracked to realisation.

Principle 4: Performance – This principle states that the organisation should deliver fit-for-purpose, quality IT services, at the required service levels, that will contribute to the organisation delivering on its strategic intent.

Principle 5: Conformance – This principle states that the organisation, in its use of IT, continually complies with all applicable legislation and regulation by embedding it in its policies and practices.

Principle 6: Human behaviour – This principle states that the organisation should respect the needs of people in the use of IT by embedding this in its policies and practices.


A 1.3 COBIT GOVERNANCE FRAMEWORK

Control Objectives for Information and related Technology (CobiT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. CobiT’s good practices represent the consensus of experts. They are focused more on control and less on execution.

For ICT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The CobiT control framework contributes to these needs by:

o Making a link to the business requirements

o Organising ICT activities into a generally accepted process model

o Identifying the major ICT resources to be leveraged

o Defining the management control objectives to be considered

The business orientation of CobiT consists of linking business goals to ICT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and ICT process owners.

The process focus of CobiT is illustrated by a process model that subdivides ICT into four domains and 34 processes, in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of ICT. Enterprise architecture concepts help identify the resources essential for process success, i.e. applications, information, infrastructure and people.

CobiT ICT Governance focus areas can be summarised as follows:


o Strategic alignment focuses on ensuring the linkage of business and ICT plans; defining, maintaining and validating the ICT value proposition; and aligning IT operations with enterprise operations.

o Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that ICT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of ICT.

o Resource management is about the optimal investment in, and the proper management of, critical ICT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

o Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

o Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.


A.2 SERVICE MANAGEMENT

A.2.1 ITIL V2/3

ITIL was developed by the Office of Government Commerce (OGC) within the UK Treasury Department in the late 1980s to improve the efficiency and effectiveness of government procurement. Today, OGC uses ITIL to create centres of excellence in programme management to serve as examples of best practice across government.

The common terminology and consistent service levels and processes presented by ITIL are particularly valuable to companies looking to standardise their best practices across business units and geographical locations. Incorporating ITIL into IT service management is one way to assure customers that they will receive a consistent quality of service and efficiency, whether or not they are dealing with operations in different geographical locations.

Although the current version is version 3, all the core processes of version 2 have been retained, albeit in a different category. ITIL version 2 defined service management best practices as 10 core processes divided into two major functional areas: Service Support and Service Delivery. Within each of the 10 core areas is a series of activities designed to help ICT not only manage and maintain current demands for service, but also react quickly to change as the nature of ICT dependency evolves.

Service Support is all about delivering the ICT services customers need to stay up and running. This includes fixing the root cause of problems to prevent repetition of incidents and ensuring that any modifications do not introduce new problems. ITIL identifies five key components of service support:

o Incident management focuses on restoring service to the customer as quickly as possible, to the agreed-upon service levels.


o Problem management explores the root cause of an incident and focuses on determining a solution or solutions that will eliminate it from the ICT infrastructure.

o Change management deals with maintaining control over the ICT infrastructure to prevent changes from creating new incidents.

o Configuration management links ICT assets to their relationships, both physical and in respect of key business processes, so that management can make intelligent decisions about service priorities.

o Release management addresses how to introduce new hardware and software into an organisation as smoothly as possible without creating new incidents and problems.

Service Delivery is all about making sure that ICT has everything in its environment to deliver support on a day-to-day basis to the agreed-upon service levels the customer demands. This includes sufficient people on the service desk, sufficient capacity, enough lines, equipment, software, and so on. ITIL identifies five key components of service delivery:

o Service-level management emphasises the importance of determining service needs from the customer inward, not from ICT outward. First, define the customer’s service needs and then build a service-level agreement around those needs.

o Financial management focuses on understanding exactly what it costs to supply a particular service to a customer. It involves thinking of ICT as a business rather than just an internal department.

o Capacity management looks at managing both the capacity of assets and the performance of those assets to provide the level of service the customer needs.

o Availability management is all about providing service to the customer, to agreed service levels, as well as continually examining the reliability of the ICT infrastructure to improve upon the availability of service.

o Continuity management identifies the critical services a business needs to stay in business and focuses on providing the right level of service to maintain continuity during typical day-to-day operations as well as under adverse circumstances such as disaster recovery.

With the publication of version 3, a number of additional components, as listed below, have been added:

o Strategy generation

o Service design aspects


o Supplier management

o Outsourced models

o Service knowledge management system

o Application design and management

o Technology architecture design and management

o Service measurement

o Event measurement

o Request fulfilment

The list below shows how Service Delivery and Service Support have been positioned in version 3:


A. 2.2 ISO/IEC 20000

ISO/IEC 20000-1:2005 defines the requirements for a service provider to deliver managed services.

It may be used:

o by businesses that are going out to tender for their services;

o to provide a consistent approach by all service providers in a supply chain;

o to benchmark ICT service management;

o as the basis for an independent assessment;

o to demonstrate the ability to meet customer requirements;

o to improve services.

ISO/IEC 20000-1:2005 promotes the adoption of an integrated process approach to effectively deliver managed services to meet business and customer requirements. For an organisation to function effectively it has to identify and manage numerous linked activities. Coordinated integration and implementation of the service management processes provides ongoing control, greater efficiency and opportunities for continual improvement.

Organisations require increasingly advanced facilities (at minimum cost) to meet their business needs. With the increasing dependencies on support services and the diverse range of technologies available, service providers can struggle to maintain high levels of customer service. Working reactively, they spend too little time planning, training, reviewing, investigating and working with customers. The result is a failure to adopt structured, proactive working practices. Those same service providers are being asked for improved quality, lower costs, greater flexibility and faster response to customers.

In contrast, effective service management delivers high levels of customer service and customer satisfaction. It also recognises that services and service management are essential to helping organisations generate revenue and be cost-effective. The ISO/IEC 20000 series enables service providers to understand how to enhance the quality of service delivered to their customers, both internal and external.


The ISO/IEC 20000 series draws a distinction between the best practices of processes, which are independent of organisational form or size, and organisational names and structures. The ISO/IEC 20000 series applies to both large and small service providers, and the requirements for best practice service management processes are independent of the service provider’s organisational form. These service management processes deliver the best possible service to meet a customer’s business needs within agreed resource levels, i.e. service that is professional, cost-effective and with risks which are understood and managed.


A 3 SECURITY MANAGEMENT

A 3.1 ISO/IEC 27001

ISO/IEC 27001 is the formal standard against which organisations may seek independent certification of their Information Security Management Systems (ISMS), meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organisation.

The standard covers all types of organisations (e.g. commercial enterprises, government agencies and non-profit organisations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organisation’s overall risk management processes. It specifies requirements for the implementation of security controls customised to the needs of individual organisations or parts thereof.

ISO/IEC 27001 provides an ISMS model for adequate and proportionate security controls to protect information assets and give confidence to interested parties.

According to JTC1/SC27, the ISO/IEC committee responsible for the ’27000 series and related standards, ’27001 “is intended to be suitable for several different types of use, including:

o Use within organisations to formulate security requirements and objectives;

o Use within organisations as a way to ensure that security risks are cost-effectively managed;

o Use within organisations to ensure compliance with laws and regulations;


- Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;
- The definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organisations to determine the status of information security management activities;
- Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;
- Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;
- Implementation of a business enabling information security; and
- Use by organisations to provide relevant information about information security to customers."

The information security controls from ISO/IEC 27002 are noted in an appendix to ISO/IEC 27001, rather like a menu. Organisations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other a la carte options. As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organisation's information security risks.

A 3.2 ISO/IEC 27001 CONTROLS

ISO/IEC 27002 Controls (clause, with section number and control objective)

Organisation of Information Security
  6.1 Internal Organisation
  6.2 External Parties

Asset Management
  7.1 Responsibility for Assets
  7.2 Information Classification

Human Resource Security
  8.1 Prior to Employment
  8.2 During Employment
  8.3 Termination or Change of Employment

Physical and Environmental Security
  9.1 Secure Areas
  9.2 Equipment Security

Communications and Operations Management
  10.1 Operational Procedures and Responsibilities
  10.2 Third Party Service Delivery Management
  10.3 System Planning and Acceptance
  10.4 Protection against Malicious and Mobile Code
  10.5 Back-Up
  10.6 Network Security Management
  10.7 Media Handling
  10.8 Exchange of Information
  10.9 Electronic Commerce Services
  10.10 Monitoring

Access Control
  11.1 Business Requirement for Access Control
  11.2 User Access Management
  11.3 User Responsibilities
  11.4 Network Access Control
  11.5 Operating System Access Control
  11.6 Application Access Control
  11.7 Mobile Computing and Teleworking

Information Systems Acquisition, Development and Maintenance
  12.1 Security Requirements of Information Systems
  12.2 Correct Processing in Applications
  12.3 Cryptographic Controls
  12.4 Security of System Files
  12.5 Security in Development and Support Processes
  12.6 Technical Vulnerability Management

Information Security Incident Management
  13.1 Reporting Information Security Events and Weaknesses
  13.2 Management of Information Security Incidents and Improvements

Business Continuity Management
  14.1 Information Security Aspects of Business Continuity Management

Compliance
  15.1 Compliance with Legal Requirements
  15.2 Compliance with Security Policies and Standards and Technical Compliance
  15.3 Information System Audit Considerations


A 4 BUSINESS CONTINUITY / DISASTER RECOVERY

A 4.1 BS 25999

Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organisation. BS 25999, the world's first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep a company's business going during the most challenging and unexpected circumstances: protecting its staff, preserving its reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad-based group of world-class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

BS 25999 is suitable for any organisation, large or small, from any sector. It is particularly relevant for organisations which operate in high-risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organisation itself and its customers and stakeholders.

BS 25999 comprises two parts:

- BS 25999-1:2006 Part 1, the Code of Practice, provides BCM best practice recommendations. Please note that this is a guidance document only.
- BS 25999-2:2007 Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.

The contents of the Code of Practice are as follows:

- Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organisation implementing it.
- Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
- Section 3 - Overview of Business Continuity Management. A short overview of the subject of the standard. It is not meant to be a beginner's guide but describes the overall process, its relationship with risk management and the reasons for an organisation to implement it, along with the benefits.
- Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy.
- Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process and the standard defines an approach.
- Section 6 - Understanding the Organisation. In order to apply appropriate business continuity strategies and tactics the organisation has to be fully understood: its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.
- Section 7 - Determining BCM Strategies. Once the organisation is thoroughly understood, the appropriate overall business continuity strategies can be defined.
- Section 8 - Developing and Implementing a BCM Response. The tactical means by which business continuity is delivered. These include incident management structures, incident management plans and business continuity plans.
- Section 9 - Exercising, Maintenance, Audit and Self-Assessment of the BCM Culture. Without testing the BCM response an organisation cannot be certain that it will meet its requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organisation's goals.
- Section 10 - Embedding BCM into the Organisation's Culture. Business continuity should not exist in a vacuum but become part of the way that the organisation is managed.


The contents of the Specification (BS 25999-2) are as follows:

- Section 1 - Scope. Defines the scope of the standard: the requirements for implementing and operating a documented business continuity management system (BCMS).
- Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
- Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the well-established Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organisation.
- Section 4 - Implementing and Operating the BCMS (DO). Actually implement one's plans. This section includes a number of topics that are found in Part 1, although Part 1 should only be used for general guidance and information. Only what is in Part 2 can be assessed.
- Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.
- Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is both maintained and improved on an ongoing basis, this section looks at preventive and corrective action.


A 4.2 ISO/IEC 24762

ISO/IEC 24762 is aimed at aiding the operation of an Information Security Management System (ISMS) by providing guidance on the provision of Information and Communications Technology Disaster Recovery (ICT DR) services as part of business continuity management.

Information security management is the process by which management aims to achieve effective confidentiality, integrity and availability of information and service. When an organisation implements an ISMS, the risks of interruptions to business activities for any reason should always be identified. ISO/IEC 27001 and ISO/IEC 27002 include a control objective for information security aspects of business continuity management (refer to Control Objective 14.1 in ISO/IEC 27002:2005), the implementation of which will reduce those risks. That control objective is supported by controls to be selected and implemented as part of the ISMS process. Business continuity management is an integral part of a holistic risk management process that safeguards the interests of an organisation's key stakeholders, reputation, brand and value-creating activities through:

- identifying potential threats that may cause adverse impacts on an organisation's business operations, and the associated risks;
- providing a framework for building resilience for business operations;
- providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

In planning for business continuity, the fallback arrangements for information processing and communication facilities become beneficial during periods of minor outages and essential for ensuring information and service availability during a disaster or failure for the (complete) recovery of activities over a period of time. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or commercial subscription services.

A 4.2.1 ISO/IEC 24762 CONTROLS

The standard lists specific requirements for ICT DR service providers to continuously improve their ICT DR services.

ISO/IEC 24762 Controls (clause, with section number and control objective)

ICT Disaster Recovery
  5.1 General
  5.2 Environmental stability
  5.3 Asset management
  5.4 Proximity of site
  5.5 Vendor management
  5.6 Outsourcing arrangements
  5.7 Information security
  5.8 Activation and deactivation of disaster recovery plan
  5.9 Training and education
  5.10 Testing and ICT systems
  5.11 Business continuity for ICT DR services providers
  5.12 Documentation and periodic review

ICT Disaster Recovery Facilities
  6.1 General
  6.2 Location of recovery sites
  6.3 Physical access controls
  6.4 Physical security controls
  6.5 Dedicated areas
  6.6 Environmental controls
  6.7 Telecommunications
  6.8 Power supply
  6.9 Cable management
  6.10 Fire protection
  6.11 Emergency Operations Centre (EOC)
  6.12 Restricted facilities
  6.13 Non-recovery amenities
  6.14 Physical facilities and support equipment life cycle
  6.15 Testing

Outsourced Service Provider's Capability
  7.1 General
  7.2 Review organisation disaster recovery status
  7.3 Facilities requirements
  7.4 Expertise
  7.5 Logical access control
  7.6 ICT equipment and operation readiness
  7.7 Simultaneous recovery support
  7.8 Levels of service
  7.9 Types of service
  7.10 Proximity of service
  7.11 Subscription ratio for shared services
  7.12 Activation of subscribed services
  7.13 Organisation testing
  7.14 Changes in capability
  7.15 Emergency response plan
  7.16 Self-assessment

Selection of Recovery Sites
  8.1 General
  8.2 Infrastructure
  8.3 Skilled manpower and support
  8.4 Critical mass of vendors and suppliers
  8.5 Local service providers' track records
  8.6 Proactive local support

Continuous Improvement
  9.1 General
  9.2 ICT DR trends
  9.3 Performance measurements
  9.4 Scalability
  9.5 Risk mitigation


A 5 MINIMUM IT GENERAL CONTROLS

A 5.1 AIM

Accounting officers, with the support of ICT professionals, ensure that their institutions use and maintain information systems that are appropriate to facilitate the preparation of accurate financial statements.

Good governance of the business therefore must include IT governance, a fact which is recognised in the King III report.

In terms of information system risks, Auditor-General SA audits focus on the following areas:

1. IT Governance
2. Security Management
3. User / Account Access Controls
4. Programme Change Management
5. Data Centre Management
6. Facilities and Environmental Controls
7. IT Service Continuity

A5.2 IT GOVERNANCE

- An IT governance framework has been adopted. The framework should give due consideration to IT risks, and to adequate processes and controls, to ensure IT value and improved service delivery.
- An IT strategic plan that supports business requirements and ensures that IT spending remains in line with the approved organisation strategy is in place.
- An organisational structure, indicating roles and responsibilities, is in place to ensure that IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
- Comprehensive IT risk assessments to identify emerging risks are performed and risks are recorded in a risk register.
- Responsibilities for information security have been delegated to a dedicated information security officer, independent of the system administrator.
- The relationship with suppliers is managed through signed service level agreements (SLAs) to ensure the quality thereof.
- IT service performance is periodically reviewed against targets. Analysis of the cause of any deviations and initiation of remedial action to address the underlying causes is performed promptly.
- A project management framework is in place that defines the scope and boundaries of managing IT projects, as well as the method to be adopted and applied to each project undertaken.
- Internal auditors that evaluate internal controls in the IT environment need to be technically competent.

A5.3 SECURITY MANAGEMENT

- IT security policies and procedures for the administration of security measures over the network, operating system and application systems are designed and implemented. These need to be enforced and updated on a regular basis.
- IT security awareness initiatives and campaigns are carried out.
- Evidence that IT security is managed at the highest appropriate organisational level is maintained.
- Strong password controls to authenticate system access are implemented.
- Firewalls and routers are configured correctly within the network environment to ensure optimal protection against unauthorised access.
- Patch management processes to prevent exploitation of vulnerabilities are implemented.
- Antivirus software is implemented across the organisation to protect information systems and technology from malware.
- System configurations need to ensure that security vulnerabilities and incidents are detected, monitored, reported and resolved on a regular basis.
- Activities within the system network, including databases, are tracked using audit trails and reviewed on a regular basis by someone independent of administration functions and in a senior position.

A5.4 USER / ACCOUNT ACCESS CONTROL

- Formally documented and approved user account management standards and procedures are in place.
- Formal access request documentation for registering users, changing of access rights, password resets and termination of access rights is completed and approved by management.
- The number of users with administrator privileges that can perform all functions pertaining to user account management is minimised.
- Activities of system administrators are monitored by an independent person, in a senior position.
- Periodic reviews of employee access rights and privileges are performed to ensure they are in line with their job responsibilities.
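One practical way to evidence the periodic access review and the minimised-administrator requirement above is to reconcile an export of system accounts against the HR roster and a role-to-privilege matrix, and to record every mismatch for the reviewer. The Python script below is an added example and is not part of this guide or of any Auditor-General tool; the roster, the account export, the role matrix and the admin-account ceiling are all constructed for illustration and would in practice come from HR and the directory or application user store.

```python
"""Periodic user-access review: reconcile system accounts against HR records.

Added example for control area A5.4 (user / account access control); not part
of the guide. All input data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical role-to-privilege matrix (assumption: owned and maintained by
# the information security officer, independent of the system administrator).
ROLE_PRIVILEGES = {
    "finance_clerk": {"erp_user"},
    "finance_manager": {"erp_user", "erp_approver"},
    "sysadmin": {"erp_user", "domain_admin"},
    "helpdesk": {"erp_user", "password_reset"},
}

# Privileges that count as "administrator" for the minimised-admin control.
ADMIN_PRIVILEGES = {"domain_admin", "user_account_admin"}
MAX_ADMIN_ACCOUNTS = 2  # assumption: ceiling agreed with management

# Constructed HR roster: user id -> (role, employment status)
HR_ROSTER = {
    "mokoena": ("finance_clerk", "active"),
    "naidoo": ("finance_manager", "active"),
    "vdmerwe": ("sysadmin", "active"),
    "dlamini": ("helpdesk", "terminated"),
    "botha": ("sysadmin", "active"),
}

# Constructed account export: user id -> privileges actually held
ACCOUNT_EXPORT = {
    "mokoena": {"erp_user", "erp_approver"},     # approver right not in role
    "naidoo": {"erp_user", "erp_approver"},
    "vdmerwe": {"erp_user", "domain_admin"},
    "dlamini": {"erp_user", "password_reset"},   # terminated, still enabled
    "botha": {"erp_user", "domain_admin", "user_account_admin"},
    "svc_backup": {"domain_admin"},              # no HR record at all
}


@dataclass
class ReviewFindings:
    terminated_active: list = field(default_factory=list)
    orphaned: list = field(default_factory=list)
    excess_privileges: dict = field(default_factory=dict)
    admin_accounts: list = field(default_factory=list)
    admin_limit_exceeded: bool = False


def review_access(roster, accounts, role_privileges, admin_privs, max_admins):
    """Compare each exported account with HR status and role entitlement."""
    findings = ReviewFindings()
    for user, privs in sorted(accounts.items()):
        if privs & admin_privs:
            findings.admin_accounts.append(user)
        if user not in roster:
            # Account with no owner in HR: service account or leaver not removed.
            findings.orphaned.append(user)
            continue
        role, status = roster[user]
        if status != "active":
            findings.terminated_active.append(user)
        extra = privs - role_privileges.get(role, set())
        if extra:
            findings.excess_privileges[user] = sorted(extra)
    findings.admin_limit_exceeded = len(findings.admin_accounts) > max_admins
    return findings


def format_report(findings):
    """Render the findings as lines for the signed review record."""
    lines = []
    for user in findings.terminated_active:
        lines.append(f"TERMINATED-ACTIVE: {user} still has an enabled account")
    for user in findings.orphaned:
        lines.append(f"ORPHANED: {user} has no HR record")
    for user, extra in findings.excess_privileges.items():
        lines.append(f"EXCESS: {user} holds {', '.join(extra)} beyond role entitlement")
    lines.append(f"ADMIN-COUNT: {len(findings.admin_accounts)} "
                 f"({', '.join(findings.admin_accounts)})")
    if findings.admin_limit_exceeded:
        lines.append("ADMIN-LIMIT: admin accounts exceed the agreed maximum")
    return lines


if __name__ == "__main__":
    result = review_access(HR_ROSTER, ACCOUNT_EXPORT, ROLE_PRIVILEGES,
                           ADMIN_PRIVILEGES, MAX_ADMIN_ACCOUNTS)
    print("\n".join(format_report(result)))
```

The script only produces the evidence; the findings and the resulting access changes still need to be approved and signed off by management, and the review itself performed by someone independent of the administration function, as the controls above require.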

A5.5 PROGRAM CHANGE MANAGEMENT

- Formally documented and approved program change control policies and procedures are established and implemented.
- Programmers do not have access to the production environments. Where programmers have been granted access, this access is monitored.
- Formal change request documentation is completed for all program changes and approved by management.
- Formal user acceptance testing is done on all changes before migration to the production environment.

A5.6 DATA CENTRE MANAGEMENT

- Changes to database management software are controlled.
- Access to system software is restricted to personnel with corresponding job responsibilities by access control software.
- Installation of all system software is logged to establish an audit trail and reviewed by management.
- Hardware equipment changes/maintenance and testing are scheduled to minimise the impact on operations and users.

A5.7 FACILITIES AND ENVIRONMENTAL CONTROLS

- Physical access to sensitive areas (e.g. computer room, operations, printing rooms, storage rooms, UPS/generators, network rooms, tape library, offsite backup storage facility) is controlled.
- Environmental controls within data centres/computer rooms (e.g. water and smoke detectors, fire suppression system, fire extinguishers, air conditioning systems) are adequately implemented and tested periodically.

A5.8 IT SERVICE CONTINUITY

- The IT continuity and disaster recovery plans have been incorporated into the organisational business continuity plan.
- The IT continuity plan and DRP have been distributed, updated and tested, and are also stored at an offsite location.
- An IT backup and retention strategy has been implemented.
- Backup procedures for data and programs exist and are performed according to the above strategy.
- Backups are stored in a secure offsite storage facility.
- Physical access and environmental controls over the offsite storage facility are implemented.


A6 TYPICAL STRUCTURE OF AN ICT ORGANISATION

The diagram below shows a typical IT organisational structure:

[Figure: typical IT organisational structure, shown here as its four tiers with the responsibilities the diagram attaches to each]

- Chief Information Officer: IT Strategy; Policies & Standards; Portfolio Management; Security & Compliance
- Business-aligned units (Human Resources, Finance, Operations): Assigned to business areas; Manage business portfolio and budget; Close to the business
- Vendor Management, Architecture, Security, Project Office: Technology Direction; Project Management; Supplier Management
- Application Development, Help Desk, Data Centre Operations, Data/Voice Network: Implementation; Operations; Maintenance

Based on the above, suggested roles and responsibilities could be derived as follows:

- The Chief Information Officer - The CIO is the top person in charge of the IT organisation, and typically reports into the Municipal Manager. The CIO is responsible for the overall budget, prioritising IT projects within the municipality, managing the overall IT portfolio, and enforcing all policies and standards within the IT organisation.
- Business Unit Managers - BU Managers represent business roles that report into IT, but have a dotted line into various business units within the municipality. The job of the business unit manager is to be the eyes and ears of IT with the business: gathering requirements, prioritising projects, building business cases, and kicking off and overseeing projects from a business perspective.
- Project Management Office - The PMO is the organisation inside IT responsible for ensuring projects come in on time and on budget. Through good process and enforcement of policies, a strong PMO is critical to the success of any IT organisation.
- Vendor Management - Because IT could potentially be a large budget line item for any municipality, and because the contracts can be very large, it is advisable to put an IT vendor management process in place that works very closely with procurement.
- Architecture and Security - Architecture and Security is the technical group inside IT that figures out "how" projects will be delivered technically.
- Implementation Resources - Implementation Resources are the individuals who actually put together/support the IT systems. They are made up of helpdesk resources, application developers, infrastructure resources (e.g. System Administrators, Database Administrators, etc.), and individuals who maintain the data and voice networks.


A7 SUGGESTED TRAINING CURRICULUM

The following training focus areas should be considered:

A7.1 KING III CORPORATE CODE OF GOVERNANCE

ICT governance is not an isolated discipline but an integral part of overall corporate governance.

King III Foundation training will assist staff to understand and articulate the difference between Corporate Governance and ICT Governance and how the principles of good governance should apply equally to information and information technology resources. While it will be of value to be familiar with the Code in its entirety, it is strongly suggested that at least those areas within the Code that deal specifically with ICT governance (Chapter 5) should be understood. The chapter deals with the following areas:

- The effective and efficient management of ICT resources to facilitate the achievement of corporate objectives
- The 'apply or explain' basis of the Code
- ICT governance as an integral part of overall corporate governance

After the course, every student should have an understanding of:

- The 7 principles and 24 practices that companies must apply for better governance of information technology
- How to apply these principles and practices to establish an ICT Governance Charter, ICT Governance Framework, ICT Policies, Accountability Framework, Risk Management Plan and an ICT Controls Framework

A7.2 CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY

Control Objectives for Information and related Technology (CobiT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. CobiT Foundation training will assist staff to understand and articulate the risks and benefits of ICT, and to find ways to deal with the following areas:

- The principles of ICT Governance
- Using CobiT as an ICT Governance Framework
- How ICT governance resolves management issues
- Understand ICT resources and information criteria
- Understand how business goals drive ICT goals and ICT processes
- Understand how CobiT aligns with other standards and frameworks

After the course, every student should:

- Understand ICT governance process theory and the business expectations of what ICT has to deliver
- Understand ICT governance control audit requirements
- Understand how to conduct a situational assessment of ICT's maturity and measure ICT's performance
- Understand the relevance of CobiT as an ICT control framework, the high-level principles of CobiT, as well as a practical approach to implementing the management guidelines
- Provide a perspective of the complementary roles that CobiT, ITIL and ISO 27000 play in establishing a comprehensive ICT governance framework.

A7.3 SERVICE MANAGEMENT

Although the current IT Infrastructure Library (ITIL) is version 3, all the core processes of version 2 have been retained, albeit in a different category. The ISO 20000 certification standard is also largely based on ITIL V2. ITIL version 2 defined service management best practices as 10 core processes divided into two major functional areas: Service Support and Service Delivery. Within each of the 10 core areas is a series of activities designed to help ICT not only manage and maintain current demands for service, but also react quickly to change as the nature of ICT dependency evolves.

The five "Service Support" processes are Service Desk Management and the processes of Incident Management, Problem Management, Configuration Management, Change Management and Release Management.

The five "Service Delivery" processes are Capacity Management, Availability Management, Service Level Management, IT Service Continuity and Financial Management for IT Services.

After the course, every student should have established:

- Knowledge of the concepts of each ITIL management process
- Global insight into the relationships between the ITIL management processes, the added value of the ICT services and the purpose of the total organisation
- Global insight into the organisation and change aspects related to the implementation of the ITIL management processes
- Global insight into the power relations, resistance, interests, unclear organisation strategies and structures during the implementation of the ITIL management processes
- A clear enough understanding of how Service Management integrates with other best practices such as ISO 27000 and CobiT to lay the foundation for improved ICT service delivery.

A7.4 SECURITY MANAGEMENT

Security Management Foundation training will assist staff to understand the basic components of Information Security and how a management framework can assist in managing and mitigating security risks.

ISO 27000 Foundation training will assist staff to understand and articulate the following areas:

- Information Security alignment with business objectives
- Information Security alignment with ICT architecture
- Information Security Risk Assessments
- Information Security Strategy
- Information Security policies and processes
- Information Security Standards implementation matrix

After the course, every student should have established:

- Knowledge of the concepts of each ISO 27002 control clause
- Global insight into the relationships between the Security Management processes and how they support the purpose of the total organisation
- Global insight into the organisation and change aspects related to the implementation of the Information Security Framework
- Global insight into the relations, resistance, interests, organisation strategies and structures during the implementation of Information Security Management processes
- A clear enough understanding of how Security Management integrates with other best practices such as ITIL and CobiT to lay the foundation for improved ICT service delivery.

A7.5 BUSINESS CONTINUITY

BS 25999 provides a basis for understanding, developing and implementing business continuity within an organisation and gives confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of requirements based on BCM best practice and covers the whole BCM lifecycle.

BS 25999 Foundation training will assist staff to understand and articulate the following areas:

- The Business Continuity Management policy and strategy
- BCM programme management
- Developing and implementing a BCM response
- Exercising, maintenance, audit and self-assessment of the BCM culture
- Embedding BCM into the organisation's culture

After the course, every student should have an understanding of:

- Fundamentals of Business Continuity Management
- The importance of understanding the organisation
- The importance of identifying business-critical processes and the impact of non-availability

A7.8 DISASTER RECOVERY

ISO 24762 provides a basis for understanding, developing and implementing disaster recovery plans. ISO 24762 Foundation training will assist staff to understand and articulate the following areas:

- Disaster recovery facilities
- Outsourced Service Provider capabilities
- Disaster recovery sites
- Continuous improvement

After the course, every student should have an understanding of:

- Fundamentals of Disaster Recovery Management
- How Disaster Recovery fits in as a subset of Business Continuity
- The importance of understanding the organisation
- The importance of ICT applications and systems that support business-critical processes and the impact of non-availability

ADDENDUM B – SELF ASSESSMENT

A formal program to review ICT Governance maturity for municipalities should be in place. The foundation of the ICT Governance maturity evaluation and ratings is the metrics established for each of the categories as outlined below. ICT Governance should be evaluated against these criteria on (at least) an annual basis.

Note: All sections denoted by ** are questions compiled by the Auditor General, and are used during normal IT internal audits.

Legend:

Comprehensive in content and effective in supporting ICT Governance goals and objectives.

Containing most of the information necessary to support the desired ICT Governance goals and objectives. Gaps have been identified and improvements are recommended.

Incomplete and/or ineffective ICT Governance information. Significant gaps have been identified and improvements are recommended.

Self-Assessment for ICT Governance

Business IT Alignment (BITA)

Define a strategic ICT plan Rating

Has Executive Management ensured that an ICT internal control framework, including an ICT strategy and policies, is adopted and implemented?

Are the business and ICT strategies integrated, clearly linking enterprise goals and IT goals and recognising opportunities as well as current capability limitations?

Has the ICT strategic plan defined, in co-operation with the relevant stakeholders, how ICT will contribute to the enterprise’s strategic objectives (goals) and the related costs and risks?

Has a technology direction plan been established which is appropriate to realise the ICT strategy and the business systems architecture requirements?

Is there an established financial framework for ICT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios?

Is there an established process to prepare and manage a budget reflecting the priorities of ICT-enabled investment programs, including the ongoing costs of operating and maintaining the current infrastructure?

RACI Matrix (Responsible, Accountable, Consulted, and Informed)

Responsibility of the Municipal Manager’s Office (Executive Management) Rating

Does the Municipal Manager assume responsibility for the Governance of ICT and place it on the Executive Management agenda?

Did the Municipal Manager appoint an ICT steering committee, or similar function, to assist with its governance of ICT?

Delegation of authority Rating

Did the Municipal Manager appoint a Chief Information Officer responsible for the management of ICT?

Roles and responsibilities Rating

Have roles and responsibilities for all ICT functions been defined and implemented?

Are staff of the ICT function trained in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project?

Communication Rating

Are the business and ICT strategies communicated to all concerned?

Application Management

Identify automated solutions Rating

Is there an identified, prioritised and agreed set of business, functional and technical requirements covering the full scope of all initiatives required by the municipality to achieve the expected outcomes of the ICT-enabled investment program?

Acquire and maintain software solutions Rating

Is there an effective process to translate business requirements into high-level design specifications for software development, taking into account the municipality’s technological direction and information architecture?

** Is there an IT acquisition policy?

** Is there a documented IT acquisition process / procedures?

Procure IT resources Rating

Has the municipality developed, and does it follow, procedures and standards that are consistent with the municipality’s overall procurement process and acquisition strategy, to ensure that the acquisition of ICT-related infrastructure, facilities, hardware, software and services satisfies business requirements?

Data Management

Manage data Rating

Is there a process that ensures that source documents expected from the business are received?

Are there procedures for data storage and archival, to ensure that data remain accessible and usable?

Are there procedures to maintain an inventory of onsite media and ensure its usability and integrity?

Are there procedures to prevent access to sensitive data and software from equipment or media when it is disposed of or transferred to another use?

Are there procedures for backup and restoration of systems, data and documentation in line with business requirements and continuity plans?

Are there arrangements to identify and apply security requirements applicable to the receipt, processing, physical storage and output of data and sensitive messages?

System Software and Maintenance

Operating system, Security & Database Software Rating

** Are there maintenance procedures for all system software?

** Is there a maintenance schedule for all system software?

** Is there a formally documented and approved system software change control procedure?

** Are all system software changes tested in a separate test environment before migration to production?

** Do programmers have access to the test and production environments? If a packaged system is used, does the vendor have access to the production environment?

** If programmers / vendors have access to the test and production environments, is this access monitored by an independent person on a regular basis to ensure that only authorised changes are being made?

** Are the programmers separated from the system operators?

** Are all system software changes formally approved before migration to production?

** Can a previous version of the system software be restored, if necessary?

** Are all program changes approved by user management before migration to the production environment?

** Are all program changes migrated to the production environment by an independent person (not the programming staff)?

Access Control

Physical Access Rating

** Are there policies which cover physical access to IT environments?

** Is access to sensitive areas by authorised visitors (including technical support staff, engineers, and cleaners) supervised?

** Is physical access outside normal working hours controlled?

** Are formal authorisation request forms completed for access to sensitive areas?

** Does the controller of the access control system periodically review whether employees’ current access on the system is commensurate with their job responsibilities?

Environmental Access Rating

** Are there policies which cover environmental controls, e.g. eating/drinking/smoking in computer rooms, flammable materials in computer rooms, etc.?

** Is there a formal, documented and tested emergency evacuation plan in place?

Process Management

Manage changes Rating

Is there a formal change management procedure to handle all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms?

Is there a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process?

Define and manage service levels Rating

Is there a defined framework that provides a formalised service level management process between the customer and service provider?

Are service level agreements for all critical ICT services defined, agreed and based on customer requirements and ICT capabilities?

Are the specified service level performance criteria continuously monitored?

Ensure continuous service Rating

Is there a framework for ICT continuity (disaster recovery) to support enterprise-wide business continuity management with a consistent process?

Is the ICT continuity plan tested on a regular basis to ensure that ICT systems can be effectively recovered?

** Has adequate training been provided to identified key personnel?

Effective asset management Rating

Does the Municipal Manager’s Office ensure that all personal information is treated by the municipality as an important business asset and is identified?

Does the Municipal Manager’s Office approve the information security strategy and delegate and empower management to implement the strategy?

Ensure Operating System, Network, Database and Security Rating

Is ICT security managed at the highest appropriate organisational level, so that the management of security actions is in line with business requirements?

Are processes in place to ensure that security techniques and related management procedures (e.g. firewalls, security appliances, network segmentation and intrusion detection) are used to authorise access and control information flows from and to networks?

** Is a patch management process in place to ensure up-to-date security patches across the entity?

** Are there operating system (server) security baseline policies/procedures?

** Is the ability to make modifications to overall system security parameters limited to appropriate staff, and are these functions dealt with in their job descriptions?

** Is the security administrator notified of employees who have changed roles and responsibilities, transferred, or been terminated? (Access privileges of such employees are immediately changed to reflect their new status.)

** Are there policies/procedures in place for security measures (e.g. firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks?

** Are there database security related policies?

** Do programmers have access to the database?

Operate Networks Rating

** Are there policies/procedures related to the operation of the network?

** Are the network lines and devices monitored for the performance of, and faults on, the network (e.g. does network bandwidth/capacity exist for the effective functioning and availability of the network)?

** Is there a maintenance schedule for the network devices (e.g. firewalls, routers, hubs, switches, gateways)?

Manage service desk and incidents Rating

Is there an established service desk function to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands?

Are reports produced for service desk activity to enable management to measure service performance and service response times, and to identify trends or recurring problems, so that service can be continually improved?

Manage the configuration Rating

Is there an established central repository (database) that contains all relevant information on configuration items?

Is there a process to review and verify on a regular basis, using appropriate tools where necessary, the status of configuration items, to confirm the integrity of the current and historical configuration data and to compare it against the actual situation?

Risk Management

ICT as an integral part of the municipality’s risk management Rating

Does management regularly demonstrate to the Municipal Manager’s Office that the municipality has adequate business resilience arrangements in place for disaster recovery?

Risk and audit committee assistance to the Municipal Manager’s Office Rating

Does the Risk Committee ensure that ICT risks are adequately addressed?

Assess and manage ICT risk Rating

Are events (threats and vulnerabilities) identified that have a potential impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects?

Is a risk assessment undertaken on a regular basis to assess the likelihood and impact of all identified risks, using qualitative and quantitative methods?

** Is there an IT risk and control framework adopted for the entity to respond to the IT risks?

** Have IT risk/control assessments been performed?

** Does an IT risk register exist for the monitoring of IT risks identified?

IT Metrics

Monitor and evaluate ICT performance Rating

Is there a balanced set of performance objectives, measures, targets and benchmarks defined between ICT and the business?

Are there periodic reviews of performance against targets?

Are management reports reviewed by senior management for organisational progress toward identified goals, specifically in terms of the performance of ICT-enabled investment programs, the service levels of individual programs and ICT’s contribution to that performance?

** Is system performance monitored and reported to management?

** Is there a capacity plan for the applications and infrastructure?

Ensure regulatory requirements Rating

Is there a process to ensure timely identification of local and international legal, contractual and regulatory requirements related to information, information service delivery (including third-party services), the ICT organisation, processes and infrastructure?

Is there a process to review and optimise ICT policies, standards and procedures to ensure that legal and regulatory requirements are covered efficiently?

Has the Municipal Manager’s Office ensured that the municipality complies with ICT laws and that ICT-related rules, codes and standards are considered?