A Municipal Guide / Roadmap
To Successful ICT Governance
Tuesday, 19 June 2012
Prepared by
With support from:
Original compiled by:
Peet Smith http://www.rmsafrica.co.za
REVISION HISTORY
Version | Date | Status | Who
V1.0 | March 2012 | Final Draft: Submitted & Approved by SALGA NEC | Douglas Cohen
V1.1 | April 2012 | Incorporated National Treasury input | Douglas Cohen
V1.2 | June 2012 | Updated / aligned with DPSA Corporate ICT Governance Policy | Douglas Cohen
Municipal ICT Governance Guidelines
Page 3 of 93
GLOSSARY OF TERMS AND DEFINITIONS
AG: Auditor-General
Accounting Officer: Each municipal council is headed by a municipal manager who is the head of administration and also the accounting officer. The municipal manager advises council and its committees on administrative matters such as policy issues, financial matters, organisational requirements and personnel matters. As accounting officer, the municipal manager is comparable to a director-general in the public service. He/she has to personally provide reasons to council for the way in which the financial affairs of the departments of council have been conducted.
BCM: Business Continuity Management
BITA: Business IT Alignment
BS 25999: British standard for business continuity management (BCM)
Business Goals: Statements that describe what the business will accomplish, or the business value a project will achieve; a clear vision of what you want to achieve, and how
Charter: A document that defines the purpose of the initiative, how it will work, and what the expected outcomes are, e.g. a project charter is a statement of the scope, objectives and participants in a project. It provides a preliminary delineation of roles and responsibilities, outlines the project objectives, identifies the main stakeholders, and defines the authority of the project manager
CobiT: Control Objectives for Information and Related Technology. An IT governance framework and toolset that allows managers to bridge the gap between control requirements, technical issues and business risks
CFO: Chief Financial Officer
CIO: Chief Information Officer
Control: A procedure or policy that provides reasonable assurance that the information technology (IT) used by an organisation operates as intended
Corporate Governance: The set of responsibilities and practices exercised by the Council and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
Deliverable: A term used in project management to describe a tangible or intangible object produced as a result of the project that is intended to be delivered to a customer
DRP: Disaster Recovery Planning
DPSA: Department of Public Service and Administration
EXCO: Executive Management
Executive Authority: Executive Authority means Executing Authority. In a Constitutional Institution: the Chairperson of the Constitutional Institution in relation to a Constitutional Institution with a body of persons, and in relation to a Constitutional Institution with a single office bearer, the incumbent of that office. According to section 11(1) of the Municipal Systems Act (Act No. 32 of 2000) the executive and legislative authority of a municipality is exercised by the council of the municipality.
Executive Management: Executive Management could include the Municipal Manager and the section 57 management. This normally constitutes the Executive Committee of the municipality. Each municipal council is headed by a municipal manager who is the head of administration and also the accounting officer. The municipal manager advises council and its committees on administrative matters such as policy issues, financial matters, organisational requirements and personnel matters. As accounting officer, the municipal manager is comparable to a director-general in the public service. He/she has to personally provide reasons to council for the way in which the financial affairs of the departments of council have been conducted.
Framework: A basic conceptual structure with items which supports a particular approach to a specific objective, e.g. CobiT is an IT governance framework
GICT: Governance of ICT
Governance of ICT: The effective and efficient management of IT resources to facilitate the achievement of company strategic objectives (King III: 2009). It is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategy and objectives (ITGI 2005)
Governance Principles: The vehicle to translate the desired behaviour into practical guidance for day-to-day management
ICT: Information and Communication Technology, also referred to as IT
ISACA®: Information Systems Audit and Control Association
ISMS: Information Security Management System
IT Goals: Processes that ensure that IT sustains and extends the organisation’s strategy and objectives
IT: Information Technology
ITIL: IT Infrastructure Library
ISO/IEC: International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC)
ISO/IEC 20000: The first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1 SC7 and revised in 2011
ISO/IEC 24762: International standard: Security techniques, Guidelines for information and communications technology disaster recovery services
ISO/IEC 27001/2: Part of the ISO/IEC 27000 family of standards; an Information Security Management System (ISMS) standard published in October 2005
ISO 38500: Corporate governance of information technology standard. Provides a framework for effective governance of IT to assist those at the highest level of organisations to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organisations’ use of IT
JSE: Johannesburg Stock Exchange
JTC1/SC27: Joint Technical Committee 1 / Sub Committee 27 (ISO/IEC Technical Committee with responsibility for IT standards)
KGI: Key Goal Indicator. A KGI is a measure of "what" has to be accomplished
King III: The King Code of Corporate Governance for South Africa 2009
KPI: Key Performance Indicator. While KGIs focus on “what”, KPIs are concerned with “how”
LG Seta: Local Government Sector Training Authority
LGTS: Local Government Turnaround Strategy
Metrics: A measure of an organisation's activities and performance
MFMA: Municipal Finance Management Act
NT: National Treasury
OGC: Office of Government Commerce (UK Government Department, custodian of ITIL)
Policy: A principle or rule to guide decisions and achieve rational outcome(s)
PAIA: Promotion of Access to Information Act
Process: Sequence of interdependent and linked procedures which, at every stage, consume one or more resources
Procedure: A fixed, step-by-step sequence of activities or course of action (with definite start and end points) that must be followed in the same order
Responsible: Refers to the person who must ensure that activities are completed successfully
Risk: The potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome)
SABS: South African Bureau of Standards
SANS: System Administration, Network and Security Institute. SANS is by far the largest source for information security training and security certification in the world
SALGA: South African Local Government Association
SCOA: Standard Chart of Accounts
Strategy: The direction and scope of an organisation over the long term, which achieves advantage for the organisation through its configuration of resources
TABLE OF CONTENTS
REVISION HISTORY ..... 2
GLOSSARY OF TERMS AND DEFINITIONS ..... 3
1. INTRODUCTION & GUIDELINES OVERVIEW ..... 10
1.1. SALGA’S ICT AGENDA ..... 10
1.2. SALGA’S OBJECTIVES ..... 10
1.3. DIFFERENTIATION BETWEEN LOCAL GOVERNMENT ENTITIES ..... 11
1.1. GUIDELINE OVERVIEW ..... 13
2. OBJECTIVE OF THE GUIDELINE ..... 14
2.1. WHY ICT GOVERNANCE? ..... 14
2.2. THE ICT FUNCTION WITHIN MUNICIPAL STRUCTURES ..... 14
2.3. ADVANTAGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK ..... 15
2.4. CHALLENGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK ..... 15
3. RELATIONSHIP BETWEEN CORPORATE GOVERNANCE & ICT GOVERNANCE ..... 17
3.1. “GOOD” CORPORATE GOVERNANCE ..... 17
3.2. CORPORATE GOVERNANCE IN RELATION TO ICT GOVERNANCE ..... 18
3.3. THE IMPORTANCE OF ICT GOVERNANCE IN THE LOCAL GOVERNMENT SECTOR ..... 19
4. CORPORATE GOVERNANCE OF ICT: MUNICIPAL STRUCTURES & LAYERS ..... 20
   Municipal councils exercise both legislative and executive functions. This is intended to facilitate hands-on governance and synergy between elected representatives, the executive and the administration. The proximity is meant to facilitate a more vibrant and responsive municipality that would ultimately result in efficient service delivery. ICT Governance therefore is the responsibility of both the political and executive management. ..... 20
4.1. MUNICIPAL STRUCTURES ..... 20
4.2. THREE LAYERS OF CORPORATE GOVERNANCE OF ICT ..... 20
4.3. SUMMARY OF CORPORATE GOVERNANCE OF ICT PRINCIPLES ..... 23
5. ROADMAP TOWARDS MUNICIPAL ICT GOVERNANCE ..... 24
5.1. INITIAL CONSIDERATIONS ..... 24
5.2. DEFINING OBJECTIVES & MISSION ..... 25
5.3. CRITICAL SUCCESS FACTORS FOR A BUSINESS / IT RELATIONSHIP ..... 26
5.4. DEFINING APPROPRIATE ORGANISATIONAL STRUCTURES ..... 27
5.4.1. MUNICIPAL ICT STEERING COMMITTEE ..... 28
5.4.2. THE MUNICIPAL CIO / IT MANAGER OR DIRECTOR ..... 29
5.4.3. RECOMMENDED PLACEMENT OF THE ICT FUNCTION IN MUNICIPAL STRUCTURES ..... 30
5.5. IT GOVERNANCE IMPLEMENTATION ROADMAP ..... 32
5.2.1 IDENTIFY NEEDS ..... 32
5.2.2 ENVISION SOLUTION ..... 32
5.2.3 PLAN SOLUTION ..... 33
5.2.4 IMPLEMENT SOLUTION ..... 33
5.2.5 OPERATIONALISE SOLUTION ..... 33
5.6. RACI CHART ..... 33
6. RECOMMENDED SHORT AND MEDIUM TERM APPROACHES ..... 35
6.1. SHORT TERM ..... 35
9.2.1 SECURITY MANAGEMENT ..... 35
9.2.2 USER ACCESS CONTROL ..... 36
9.2.3 PROGRAM CHANGE MANAGEMENT ..... 36
9.2.4 DATA CENTRE MANAGEMENT ..... 36
9.2.5 FACILITIES AND ENVIRONMENTAL CONTROLS ..... 37
9.2.6 ICT SERVICE CONTINUITY ..... 37
9.2.7 IT INFRASTRUCTURE ..... 37
6.2. MEDIUM TO LONG TERM ..... 38
7. SKILLS REQUIREMENTS FOR GOOD ICT GOVERNANCE ..... 39
7.1. ADDRESSING TRAINING NEEDS ..... 41
8. MEASURING, MONITORING AND BENCHMARKING ..... 43
8.1. ICT GOVERNANCE MATURITY LEVELS ..... 43
8.2. MEASURING AND MONITORING ACTIVITIES ..... 43
8.3. ICT GOVERNANCE MEASUREMENTS ..... 44
9. SUPPORT FOR MUNICIPAL ICT GOVERNANCE ..... 45
9.1. THE ROLE OF SALGA ..... 45
9.2. NATIONAL TREASURY ..... 45
9.2.1. STANDARD CHART OF ACCOUNTS (SCOA) ..... 46
9.3. OTHER STAKEHOLDERS ..... 46
9.3.1. COOPERATIVE GOVERNANCE AND TRADITIONAL AFFAIRS (COGTA) ..... 46
9.3.2. DEPARTMENT OF PUBLIC SERVICE AND ADMINISTRATION (DPSA) ..... 47
9.3.3. THE AUDITOR GENERAL ..... 47
9.3.4. LOCAL GOVERNMENT SECTOR TRAINING AUTHORITY (LGSETA) ..... 47
10. METHODOLOGY USED TO COMPILE THE GUIDELINE ..... 48
10.1. CONCEPTUAL APPROACH ..... 48
10.2. ICT GOVERNANCE FRAMEWORK COMPONENTS ..... 48
10.3. THE DRAFT DPSA ICT GOVERNANCE FRAMEWORK ..... 49
10.4. INTEGRATION OF BEST PRACTICE ..... 49
ADDENDUM A – STANDARDS, CODES AND BEST PRACTICE ..... 51
A1 GOVERNANCE ..... 51
A1.1 KING III CODE OF GOVERNANCE ..... 51
A.1.2 SANS 38500: 2008 ICT GOVERNANCE STANDARD ..... 54
A 1.3 COBIT GOVERNANCE FRAMEWORK ..... 56
A.2 SERVICE MANAGEMENT ..... 58
A.2.1 ITIL V2/3 ..... 58
A. 2.2 ISO/IEC 20000 ..... 61
A 3 SECURITY MANAGEMENT ..... 63
A 3.1 ISO/IEC 27001 ..... 63
A 3.2 ISO/IEC 27001 CONTROLS ..... 64
A.4 BUSINESS CONTINUITY / DISASTER RECOVERY ..... 66
A 4.1 BS 25999 ..... 66
A 4.2 ISO/IEC 24762 ..... 69
A 4.2.1 ISO/IEC 24762 CONTROLS ..... 70
A 5 MINIMUM IT GENERAL CONTROLS ..... 72
A 5.1 AIM ..... 72
A5.2 IT GOVERNANCE ..... 72
A5.3 SECURITY MANAGEMENT ..... 73
A5.4 USER / ACCOUNT ACCESS CONTROL ..... 73
A5.5 PROGRAM CHANGE MANAGEMENT ..... 73
A5.6 DATA CENTRE MANAGEMENT ..... 74
A5.7 FACILITIES AND ENVIRONMENTAL CONTROLS ..... 74
A5.8 IT SERVICE CONTINUITY ..... 74
A6 TYPICAL STRUCTURE OF AN ICT ORGANISATION ..... 75
A7 SUGGESTED TRAINING CURRICULUM ..... 77
A7.1 KING III CORPORATE CODE OF GOVERNANCE ..... 77
A7.2 CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY ..... 77
A7.3 SERVICE MANAGEMENT ..... 78
A7.4 SECURITY MANAGEMENT ..... 79
A7.5 BUSINESS CONTINUITY ..... 79
A7.8 DISASTER RECOVERY ..... 80
ADDENDUM B – SELF ASSESSMENT ..... 81
1. INTRODUCTION & GUIDELINES OVERVIEW
The South African Local Government Association (SALGA) represents local government on
numerous intergovernmental forums. SALGA is funded through a combination of sources,
including a national government grant, membership fees from provincial and local government
associations that are voluntary members, and donations from the donor community for
specific projects.
1.1. SALGA’S ICT AGENDA
At the 2010 SALGA National Members Assembly the following recommendations were proposed and adopted:
Recognition that ICTs can be better leveraged for effective administration, service delivery and socio-economic development, and are therefore integral to the functioning of any well-run municipality;
Raising the political and actual profile of ICT within local authorities (and down to the community level); and
Mandating and capacitating SALGA to be an effective coordinator and champion in driving more effective use of ICTs for and in local government.
SALGA’s ICT agenda for local government lies within the Directorate of Economic Development & Planning. Given the crucial role ICT plays, the work of the directorate falls within four broad focus areas:
Internal ICT systems, processes and infrastructure;
Broadband connectivity and access;
e-Government and provision of services; and
Awareness of ICTs and the capacity of communities to engage/participate.
1.2. SALGA’S OBJECTIVES
SALGA aims to:
Transform local government to enable it to fulfil its developmental role;
Enhance the role of provincial local government associations as provincial representatives and consultative bodies on local government;
Raise the profile of local government;
Ensure full participation of women in local government;
Act as the national employers’ organisation for municipal and provincial member employers; and
Provide legal assistance to its members, using its discretion in connection with matters that affect employee relations.
To support SALGA in applying these principles, the Association has decided to establish a Corporate Governance ICT Guideline which comprises the definition and importance of Governance within the public sector, alignment to legislation and standards for municipalities, definition and clarity on decision-making mechanisms, and alignment to the public service ICT Governance Framework.
The objective is also that these components should be supported by the identification of any factors which may hinder the adoption of this Guideline.
1.3. DIFFERENTIATION BETWEEN LOCAL GOVERNMENT ENTITIES
Cognisance must be taken that there are low, medium and higher capacity municipalities,
as well as those in urban and rural settings across the divisions of local, district and metro
municipalities.
This is reflected in the phasing-in of the Municipal Finance Management Act (MFMA),
whereby the National Treasury has categorised all municipalities according to their
financial management capacity as high, medium or low capacity. In this regard, the
Division of Revenue Act 2004 provides information on transfers to local government and
budget per capita per district and for each of the metropolitan municipalities. A basic
calculation using this information provides a rough estimate of the resource availability in
each municipality, or the ability of the municipality to raise revenue. A further elementary
calculation places each municipality in one of three categories of fiscal capacity: poor,
adequate or resource rich. If the above two categories are used together they produce
five distinct categories of municipalities. These are:
Rich in resources and high-capacity;
Adequate resources and medium-capacity;
Poor resources and medium-capacity;
Adequate resources and low-capacity; and
Poor resources and low-capacity.
Unfortunately the last category represents about 30% of all municipalities, and it therefore goes without saying that these municipalities need more rigorous organisational reforms and restructuring initiatives than the other categories listed.
The Auditor-General identified the South African Local Government Association (SALGA), National Treasury, the National Council of Provinces and National Assembly as key role players in working towards clean audits. In his assessment of the NA and NCOP’s monitoring effectiveness, he advised that there had to be visible action plans and recommendations showing intervention in the following areas of focus: Supply Chain Management, Predetermined Objectives, Financial Management, Turnaround Plans, IT Controls, Human Resource Management, Use of Consultants, Municipalities under Administration and Governance structures. [1]
[1] http://www.pmg.org.za/report/20110413-department-objects-local-government-municipal-systems-amendment-bill-
There are also other classifications – for example:
As directed by the Constitution, the Local Government: Municipal Structures Act, 1998 (Act 117 of 1998) contains criteria for determining when an area must have a category-A municipality (metropolitan municipalities) and when municipalities fall into categories B (local municipalities) or C (district municipalities).
The Act also determines that category-A municipalities can only be established in metropolitan areas. Metropolitan councils have single metropolitan budgets, common property ratings and service-tariff systems, and single employer bodies.
Briefly the three categories of municipalities can be described as follows:
Category A municipalities, which have exclusive municipal executive and legislative
authority in their area. In other words, there is only one municipal council in an area
with a category "A" municipality. Category "A" municipalities are established in
metropolitan areas.
Category B municipalities, which share municipal executive and legislative authority
in their area with a category C municipality within whose area they fall. A local
municipality is an example of category B municipality.
Category C municipalities, which have municipal executive and legislative authority in
an area that includes more than one municipality, for example, a district municipality.
On 30 June 2011 National Treasury released its State of Local Government Finances and Financial Management Report into the public domain, to enhance transparency in this topical and dynamic area, together with an HSRC report highlighting widespread financial distress in local government. Despite improvements in the area of local government finance (reflected in marginally improved audit outcomes), the National Treasury report also highlighted a number of chronic concerns, including underspending on capital budgets and high levels of consumer debt. The report’s public release is extremely important in supporting informed debate as to the state of local government finances, with its “naming and shaming” element also serving as an important incentive for municipalities to improve reporting and public accountability.
1.1. GUIDELINE OVERVIEW
2. OBJECTIVE OF THE GUIDELINE
This document provides suggestions on how to improve the status of ICT Governance within
municipalities and is to be used as a guideline to understand and get familiar with the concept
of IT Governance.
2.1. WHY ICT GOVERNANCE?
By adopting this Corporate Governance ICT Guideline, the following objectives are anticipated:
Raising the profile of ICT within municipalities;
Raising the profile of ICT as a strategic enabler for effective administration and service delivery;
Bringing international good practices into the municipal arena;
Further strengthening corporate governance of ICT as well as ensuring the CIO (head of ICT) is an integral part of the executive management of a municipality;
Institutionalising IT governance as an integral part of municipal corporate governance;
Creating a process whereby IT governance standards across and within the local government sector can be introduced; and
Improving the IT governance literacy and lingo within municipalities.
2.2. THE ICT FUNCTION WITHIN MUNICIPAL STRUCTURES
Developing countries such as South Africa have a tremendous potential for rapid and sustainable economic and social development by leveraging the potential of ICT and applying it appropriately within the local government sector. As such, the Local Government Turnaround Strategy (LGTAS) vision states that:
Each municipality has the necessary ICT infrastructure and connectivity; and that
ICT systems must be put in place across all municipalities to accelerate service delivery, improve efficiency and accountability.
However, technology on its own cannot achieve anything; it must be supported by capable people and tested processes that will provide services in which the public can have confidence.
Disparities both within the municipal sector and in the larger South African ICT landscape have affected the manner in which municipalities make successful use of ICT. The result is that when it comes to ICT, municipalities:
Operate in a very isolated, non-uniform manner;
Are ill-prepared to face the required ICT resource, skill and budget constraints; and
Have limited access to or support from other spheres of government and are often left to the mercy of the market.
The huge ICT skills shortage in South Africa also has a negative impact on the Public Sector,
specifically Local Governments. Unfortunately the reality is that staff is made up of under-qualified
professionals with watered-down skills that are not geared for real-life ICT crises and challenges.
This negatively affects the optimal running of ICT departments and delivery of government ICT
projects.
2.3. ADVANTAGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK
ICT has become an integral part of doing business today, as it is fundamental to the
support, sustainability and growth of municipalities. ICT cuts across all aspects,
components and processes in business and is therefore not only an operational enabler
for a municipality, but an important strategic asset which can be leveraged to create
opportunities and to gain competitive advantage.
As well as being a strategic asset to the municipality, ICT also presents municipalities
with significant risks. The strategic asset of ICT and its related risks and constraints
should be well governed and controlled to ensure that ICT supports the strategic
objectives of the organisation.
By adopting an ICT Governance Framework, Mayors and Municipal Managers comply with the King III Code of Governance, which stipulates that prudent and reasonable steps must be taken with respect to ICT governance.
Adopting a strategic approach to ICT Governance extends the horizon of thinking beyond
the boundary of “are we compliant, yes or no?” towards performance management,
guiding optimal allocation of a municipality’s finite resources and providing the means to
capture value back from the investment.
2.4. CHALLENGES OF ADOPTING AN ICT GOVERNANCE FRAMEWORK
One of the major challenges in implementing an ICT Governance Framework stems from the difficult task of taking a strategic viewpoint to assess and improve governance. The decision to go ahead has to come from the highest office. If the major benefits of adopting an ICT Governance Framework are not realised at this level, implementation attempts are most certainly doomed.
In the 2009/10 local government audit report, the Auditor General revealed that municipalities were struggling to manage and integrate their ICT systems. Of the municipalities audited, 96% had deficiencies in their governance processes, more specifically related to Service Management processes such as ICT Continuity (disaster recovery) and Change Management.
Successful adoption requires orientation, education, and training, which does not happen
overnight. The availability of suitably skilled staff to perform the many different tasks
associated with a framework implementation comes with its own challenges. Training staff
in the various required disciplines is often expensive and time consuming.
One size does not fit all. Although there is an abundance of guidance available, it still
has to be tailored to municipal-specific requirements. The ability to improve governance
is intrinsically tied to the ability to measure it effectively, to the tacit knowledge of employees,
and to successfully navigating the complex jungle of best practice, regulations, legislation,
standards and the strategic intent of management.
For ICT governance to be successful, it should be a workable solution able to deal with
the challenges and pitfalls presented by ICT. It should not only prevent problems but also
enable competitive advantage. ICT risks are closely related to business risks, because
ICT is the enabler for most business strategies. The management and control of ICT
should therefore be a shared responsibility between the business and the ICT functions,
with the full support and direction of executive management. ICT governance provides the
oversight and monitoring of these activities within a wider enterprise governance scheme.
3. RELATIONSHIP BETWEEN CORPORATE GOVERNANCE & ICT GOVERNANCE
The purpose of corporate governance is to create value for the stakeholders of an institution.
3.1. “GOOD” CORPORATE GOVERNANCE
A governance system refers to all the means and mechanisms that enable the Accounting
Officer and Executive Management of an Institution to have a structured and organised
say in:
• Evaluating the internal and external context, strategic direction and risk in order to conceptualise
the Institution’s strategic goals and how they will be measured;
• Directing the Institution in the execution of the strategic goals to ensure that value is
realised and risk is managed; and
• Monitoring the execution of the strategic goals within the Institution against the
measures identified for attaining the strategic goals.
Corporate governance is also concerned with individual accountability and responsibilities
within an Institution. It describes how the institution is directed and controlled and is in
particular concerned with:
• Organisation – the organisational structures and coordinating mechanisms (such as
steering forums) established within the institution and in partnership with external
bodies;
• Management – the individual roles and responsibilities established to manage
business change and operational services; and
• Policies – the frameworks established for making decisions and the context and
constraints within which decisions are taken.
The strategic direction, together with the external and internal context, influences the
strategic goals. Corporate Governance and the Corporate Governance of ICT are
executed at Executive Management level through the functions of evaluation, direction
and monitoring. The management of business execution is done through the
organisational structure and the utilisation of the relevant resources.
The executive leadership and management of an Institution are accountable and
responsible to implement a governance system.
According to CobiT (Control Objectives for IT and Related Technology) Corporate Governance is the set of responsibilities and practices exercised by the Council and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
3.2. CORPORATE GOVERNANCE IN RELATION TO ICT GOVERNANCE
While governance developments have primarily been driven by the need for transparency
of enterprise risks and the protection of shareholder value, the pervasive use of
technology has created a critical dependency on ICT that calls for a specific focus on ICT
governance. The corporate governance of ICT is a subset of corporate governance and is
an integral part of the governance system:
• The Executive Authority provides the political leadership;
• The Accounting Officer provides the strategic leadership; and
• Executive Management is responsible for ensuring that governance of ICT is
implemented and managed.
The corporate governance of ICT involves evaluating and directing the plans for the use
of ICT to support the Institution, and monitoring that use. It includes the strategy and policies for
using ICT within an Institution. The executive authority and executive management are
accountable and responsible for ensuring that governance of ICT is implemented in their
institution in line with this framework.
ICT Governance:
• Provides the structure that links ICT processes, ICT resources and information to
enterprise strategies and objectives;
• Enables the integration and institutionalisation of best practices of planning and
organising, acquiring and implementing, delivering and supporting, and monitoring
and evaluating ICT performance, to ensure that the enterprise’s information and
related technology support its business objectives;
• Allows the enterprise to take full advantage of its information; and
• Identifies control weaknesses and assures the efficient and effective implementation
of measurable improvements.
According to the King III Code of Governance, good governance is essentially about effective leadership. Responsible leaders direct Council strategies and operations with a view to achieving sustainable economic, social and environmental performance. To ensure that this happens, the King III Code requires the Council to ensure that there is an effective risk-based internal audit, and that internal audit performs an objective assessment of the effectiveness of the governance processes, risk management and the internal control framework. Internal controls should be established not only over financial matters, but also over operational, compliance and sustainability issues. Municipalities must therefore maintain an effective governance, risk management and internal control framework.
3.3. THE IMPORTANCE OF ICT GOVERNANCE IN THE LOCAL GOVERNMENT SECTOR
The effective management of information, information systems and communications is of
critical importance to the success of the Public Sector, especially Local Government. This
criticality arises from:
• The pervasiveness of and dependence on information and the services and
infrastructure that deliver the information;
• The increasing scale and cost of current and future technology-related investments;
• The potential for technologies to enable the transformation of enterprises and
business practices.
There is an increasing demand from Local Government and executive management for
generally accepted guidelines for decision making and benefits realisation related to ICT-
enabled business investments. The management practices that traditionally have been
applied are no longer sufficient. There is a clear incentive for management to ensure that
effective governance and management processes are in place to create value through
optimising benefits at an affordable cost with an acceptable level of risk.
As the successful use of ICT becomes more and more critical to municipalities’ success,
the cost of doing nothing will far outweigh the cost of implementing ICT governance,
which can reduce the losses caused by, for example, adverse or qualified audit opinions,
failed projects, security incidents and operational outages, and increase the financial and
intangible benefits created by ICT-enabled operational efficiency and competitive
advantage.
Governance of ICT: “The effective and efficient management of IT resources to facilitate the achievement of the company strategic objectives” (King III: 2009:52)
Corporate Governance of ICT: “The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organisation.” (ISO 38500: 2008:9)
ICT governance can be seen as a structure of relationships and processes to direct and control the enterprise’s use of ICT to achieve the enterprise’s goals by adding value while balancing risk vs. return over ICT and its processes.
4. CORPORATE GOVERNANCE OF ICT: MUNICIPAL STRUCTURES & LAYERS
Municipal councils exercise both legislative and executive functions. This is intended to
facilitate hands-on governance and synergy between elected representatives, the executive
and the administration. The proximity is meant to facilitate a more vibrant and responsive
municipality that would ultimately result in efficient service delivery. ICT Governance therefore
is the responsibility of both the political and executive management.
4.1. MUNICIPAL STRUCTURES
Local government legislation establishes various organs within the municipality and
broadly defines the functions of these organs. It also creates various instruments for
accountability and oversight. Importantly, municipalities themselves must define the
precise roles of their organs in delegations and terms of reference.
These role definitions, terms of reference and instruments of accountability are intended
to produce clear and sound internal municipal governance arrangements. This, in turn, is
meant to define and shape the relationships within the municipal council and between the
council and the administration.
4.2. THREE LAYERS OF CORPORATE GOVERNANCE OF ICT
Given the different types of municipalities (A, B and C), it is logical that leadership
structures between these also differ. Some have executive mayors, some mayoral, and
others collective or plenary executive. For this reason it would be necessary to have
different options for different types of municipalities. However, in all scenarios, the
corporate governance of ICT is a subset of corporate governance and is an integral part
of the governance system:
• The Executive Authority provides the political leadership;
• The Accounting Officer provides the strategic leadership; and
• Executive Management is responsible for ensuring that governance of ICT is
implemented and managed.
Level: Political Leadership
The Executive Authority must:
• Provide political leadership and strategic direction;
• Determine policy and provide oversight;
• Ensure that ICT service delivery enables the attainment of the strategic plan;
• Take interest in the Governance of ICT to the extent necessary to obtain comfort that a
properly established and functioning governance of ICT is in place to enable the
Institution to leverage ICT as a business enabler;
• Assist the Accounting Officer to deal with inter-governmental, political and other
ICT-related municipal business issues beyond their direct control or influence;
• Ensure that the municipality’s organisational structure makes provision for the
corporate governance of ICT.

Level: Strategic Leadership
The Accounting Officer must:
• Provide strategic leadership and management;
• Ensure alignment of the ICT strategic plan with the municipal strategic plan / IDP;
• Ensure that the corporate Governance of ICT is placed on the municipal strategic agenda;
• Ensure that the municipality’s organisational structure makes provision for the
corporate governance of ICT;
• Ensure the realisation of municipal-wide value through ICT service delivery and the
management of municipal and ICT-related risks;
• Delegate authority, personal responsibility and accountability to the Executive
Management with regard to the Corporate Governance of ICT;
• Provide appropriate ICT capability and capacity and appoint a suitably qualified and
experienced CIO / IT Manager, who should have access to and regularly interact on
strategic ICT matters with the Accounting Officer and Executive Management;
• Monitor and evaluate the effectiveness of the Corporate Governance of ICT.

Level: Governance of ICT
The Executive / Senior Management must ensure that:
• ICT goals are aligned with the municipal strategic goals and support strategic
business processes;
• ICT strategy is integrated with strategic business processes and related risks are
managed;
• Significant ICT investments and expenditure are informed by the municipal
enterprise architecture, motivated (Business Cases), monitored and evaluated; and
• Advice is provided to the Accounting Officer on the implementation and management
of the Corporate Governance of ICT.
4.3. SUMMARY OF CORPORATE GOVERNANCE OF ICT PRINCIPLES
Principle 1: Political Mandate
• The Corporate Governance of ICT must enable the municipality’s political mandate.
• The Executive Authority must ensure that the Corporate Governance of ICT achieves the political mandate of the municipality.
Principle 2: Strategic Mandate
• The Corporate Governance of ICT must enable the municipality’s strategic mandate.
• The Accounting Officer must ensure that the Corporate Governance of ICT assists in achieving the municipality’s strategic plans.
Principle 3: Corporate Governance of ICT
• The Accounting Officer is responsible for the Corporate Governance of ICT.
• The Accounting Officer must create an enabling environment in respect of the Corporate Governance of ICT within the applicable legislative and regulatory landscape and information security context.
Principle 4: ICT Strategic Alignment
• ICT service delivery must be aligned with the strategic goals of the municipality.
• The Executive Management must ensure that ICT service delivery is aligned with the municipality’s strategic goals and that the municipality accounts for current and future capabilities of ICT. It must ensure that ICT is fit for purpose at the current service levels and quality for both current and future municipal needs.
Principle 5: Significant ICT Expenditure
• The Executive Management must monitor and evaluate significant ICT expenditure.
• Executive Management must monitor and evaluate major ICT expenditure, ensure that the ICT expenditure is made for valid municipal business-enabling reasons, and monitor and manage the benefits, opportunities, costs and risks resulting from this expenditure, while ensuring that information assets are adequately managed.
Principle 6: Risk Management and Assurance
• Executive Management must ensure that ICT risks are managed and that the ICT function is audited.
• Executive Management must ensure that ICT risks are managed within the municipal risk management practice. It must also ensure that the ICT function is audited as part of the municipal audit plan.
Principle 7: Organisational Behaviour
• Executive Management must ensure that ICT service delivery is sensitive to organisational behaviour / culture.
• Executive Management must ensure that the use of ICT demonstrates understanding of and respect for the organisational behaviour / culture.
5. ROADMAP TOWARDS MUNICIPAL ICT GOVERNANCE
5.1. INITIAL CONSIDERATIONS
The roadmap to implement control and governance over ICT is a generic approach for
implementing ICT governance. It ensures that the focus is on municipal needs when
improving control and governance of ICT processes. The roadmap is applicable
regardless of the size of the initiative; it encourages management commitment and
involvement and follows good project management practices. The road map is a
continuous improvement approach that is followed iteratively, building a sustainable
‘business as usual’ process over time.
Building sustainability entails:
• Defining appropriate organisational structures
• Integrating ICT governance with enterprise governance
• Ensuring accountability for ICT throughout the enterprise
• Drafting and clearly communicating policies, standards and processes for ICT
governance and control
• Effecting cultural change (commitment at all levels in the enterprise—from the
executive office to the ‘shop floor’)
• Driving a process and culture of continuous improvement
• Creating optimum monitoring and reporting structures
A municipality implementing ICT governance will need to do so in phases based on
business priorities and ICT risks. The road map achieves this by prioritising the ICT goals
and processes (including controls) based on the consideration of business goals and
risks.
There are some obvious, but pragmatic, rules that management should follow:
• Treat the implementation initiative as a programme activity with a series of phases rather
than a ‘one-off’ step
• Remember that implementation involves cultural change as well as new processes.
Therefore, a key success factor is the effective management of organisational
change.
• Make sure there is a clear understanding of the objectives
• Manage expectations. In most enterprises, achieving successful oversight of ICT
takes time and is a continuous improvement process
5.2. DEFINING OBJECTIVES & MISSION
SALGA hosted its flagship LGICT event ‘ConnectIT’ in Johannesburg held between the
16th and 17th of August 2011. The conference brought together key players within local
government and ICT professionals to brainstorm ideas on the way ICT could be better
harnessed to benefit the municipalities and overcome common challenges.
One of the key themes which featured on the ‘ConnectIT’ agenda at the conference
included how the profile of ICT could be raised within municipalities, including introducing
IT governance into the business of local government. See extracts from the presentation
by Mr. Jaap Van Staden (Business Analyst IT Systems, Overstrand Municipality).
The full presentation is available online at http://lgict.org.za/connectit
To provide ICT infrastructure and ICT
business systems solutions that will assist
the _______________ municipality to
deliver sustainable services that are
operationally efficient and cost effective to
all its stakeholders and communities.
• Cost effective solutions
• Quality Service Delivery
• Ongoing performance monitoring
• Aligned to business processes
5.3. CRITICAL SUCCESS FACTORS FOR A BUSINESS / IT RELATIONSHIP
• Understand your client’s business requirements
• Good business acumen – understand areas where ICT can add business value
• ICT Strategy sessions – building a shared vision
• One-on-one sessions with management & peers – talk in business terms
• Manage your client’s expectations
• Good Governance – monthly ICT Steering Committee
• ICT Architecture Forums/Workgroups: co-management – collaborative approach
towards building ICT solutions for business
• Best practice project management – on time / within spec / within budget
• Cost-effective solutions at market-related prices
• Never promise more than you can deliver
• Deliver a consistent and quality service
• ICT support – ICT know-how & experience
• Contingency planning – ICT and Business: core competencies
• Contract only with reputable service providers with access to competent skills &
knowledge resources: SP relationships = long-term investments
• Manage the relationships between your clients and with all other stakeholders
• Contracts Management – co-management: financial & technical transparency –
value for money
• SDA’s – performance management & monitoring with penalties for non-performance
• Change Management – planned and tested – mitigation of operational & financial
risks
• Problem Management and corrective measures – prevent re-occurrences – trend
analysis
• Monitor and track new service requests and projects
5.4. DEFINING APPROPRIATE ORGANISATIONAL STRUCTURES
A Municipal Manager, who is part of the Executive Management of a municipality, is both the
Accounting Officer and the Information Officer of the municipality. He/she may delegate
certain duties/tasks to the Chief Financial Officer, who would be accountable to him/her.
The Municipal Manager is therefore accountable:
• For all transactions entered into by his/her designates;
• For sound records management (information management).
In this regard it is important to ensure that there is no confusion between the Municipal
Manager, as the Information Officer, and the Chief Information Officer (CIO) as defined by
King III.
The job description of a CIO has been revamped with the release of the King III Code of
Governance for South Africa. IT governance is now a separate chapter of the corporate
governance code, separate from risk management, compliance and audit.
The risk of placing ICT governance with internal audit is that the intention of KING III will not be reached and ICT will continue to have a low profile.
From an administrative perspective, every municipality must have an internal audit function as per section 165 of Municipal Finance Management Act (MFMA) and other related Legislations. Internal Audit serves as “an independent objective assurance and consulting activity designed to add value and improve organisation's operations. It helps organisations by bringing a systematic discipline approach to evaluate and improve the effectiveness of risk management, controls and governance processes”.
The Promotion of Access to Information Act, 2000 (Act No 2 of 2000) gives effect to the constitutional right of a person to any information held by the state or any other person, where such information is required for the exercise or protection of any rights. What does this mean for the municipality? Legally, an information officer has to be appointed. In terms of the Act, the Municipal Manager is the information officer of the municipality. He / she is required to produce a manual in three official languages on the functions of the municipality, as well as an index of all the records held by the municipality and various other details.
Following the intentions of King III, it is suggested that:
I. The municipal ICT function resides under the office of the Municipal Manager, in
parallel to Internal Audit;
II. The implementation of the governance of ICT is delegated from the office of the
Municipal Manager to a Municipal ICT Steering Committee made up of the relevant
executive / senior management (section 57 managers) as well as the municipal
ICT management (CIO / IT Manager or Director).
5.4.1. MUNICIPAL ICT STEERING COMMITTEE
The Municipal ICT Steering Committee is to ensure that everyone in the municipality
understands the link between business and ICT goals and accepts their
responsibilities with respect to the supply and demand for ICT. The Municipal ICT
Steering Committee will ensure that:
I. The necessary ethical culture, structures (including outsourcing), policies,
procedures, processes, mechanisms and controls regarding all aspects of
ICT use (business and ICT) are clearly defined, implemented and enforced;
II. ICT performance is assured through independent audit (Auditor-General);
III. An information security strategy is approved;
IV. Intellectual property in information systems is appropriately protected; and
V. ICT assets, privacy, security and personal information of employees are
effectively managed.
5.4.2. THE MUNICIPAL CIO / IT MANAGER OR DIRECTOR
The implementation and operation of IT governance is the responsibility of the
municipal CIO / IT Manager who is expected to report to the IT Steering Committee
and the Council about the effective and efficient management of IT resources to
facilitate the achievement of corporate objectives.
King III also requires the CIO to define, maintain and validate the IT value proposition,
align IT activities with environmental sustainability objectives, implement an IT control
framework and ensure all parties in the chain from supply to disposal of IT services
and goods apply good governance principles.
The formation of Architecture Forums / Workgroups would be a key theme of an ICT Steering Committee (extracted from the Overstrand Governance Presentation).
Principles of Co-Management:
i. Establish & maintain an enterprise architecture for ICT and Systems in
the municipality
ii. Assess and review (new) systems requirements against agreed
enterprise architectures (Business and ICT)
iii. Assist with the deployment of new architectures, technologies &
systems through a total SDLC
iv. Assist with systems performance audits and benchmarking as may be
required
v. Assist to establish core competencies required in the Overstrand ICT
and systems environment.
Architecture Forum Members:
• ICT Business Analyst & ICT Manager, co-opted staff from Directorates
• Representatives from service providers as may be required from time
to time
5.4.3. RECOMMENDED PLACEMENT OF THE ICT FUNCTION IN MUNICIPAL STRUCTURES
The diagrams below show a suggested placement for ICT within a typical
municipality.
Note that ICT is shown to have a direct link to the Municipal Manager’s office.
5.5. IT GOVERNANCE IMPLEMENTATION ROADMAP
Using CobiT as a reference, the following steps could be used as a guideline for
implementing an ICT Governance Framework.
5.5.1 IDENTIFY NEEDS
• Raise awareness and obtain management commitment – it is important to ensure
that the background and drivers behind the initiative are understood clearly and
that there is good support from top management
• Define scope – it is important for the implementation team to be knowledgeable
about the business environment and to have an insight into influencing factors
such as competition, business goals, service providers, and legal and regulatory
issues.
• Define risks – it is important to know the enterprise’s risk profile, acceptance
position and risk awareness so that an appropriate risk management attitude is
taken
• Define resources and deliverables – it is possible that some municipalities have
existing preferred IT models, standards and best practices that they are
already using, so it is important to make sure that these are understood in order to
consider how they can be used
• Plan programme – based on the agreed-upon programme and resource requirements,
the resources need to be acquired and allocated to the programme. Funding may be
required to support the cost of these resources, and it may be necessary to
acquire external consultants or experts
5.5.2 ENVISION SOLUTION
• Assess actual performance – it is necessary to establish how well existing
processes are managed and executed, based on process descriptions, policies,
standards, procedures, technical specifications, etc., to determine whether they
are likely to support the business and IT requirements.
• Define target for improvement – based on the assessed current-state process
maturity levels, an appropriate target maturity level should be determined for each
process
• Analyse gaps and identify improvements – after the current capability of the
processes has been determined and the target capability planned, the gaps
between as-is and to-be should be evaluated and opportunities for
improvement identified
5.5.3 PLAN SOLUTION
• Define projects – when all the potential initiatives for IT governance improvement
have been identified, these initiatives should be prioritised into formal
and justifiable projects
• Develop improvement plan – based on the project definitions, the resource plan
and the IT budget, the prioritised improvements are now turned into a set of
documented projects that support the overall improvement programme
5.5.4 IMPLEMENT SOLUTION
• Implement the improvement – the approved improvement projects, including
required change activities, are now ready for implementation, so the solutions as
defined by the programme can now be acquired or developed and implemented into
the enterprise.
• Monitor implementation performance – it is essential that the improvements can
be monitored via ICT goals and ICT process goals.
• Review programme effectiveness – determine whether the ICT governance programme
delivered against expectations.
5.5.5 OPERATIONALISE SOLUTION
• Build sustainability – build on the successes and lessons learned from the
governance implementation project(s) to build and reinforce commitment
amongst all ICT stakeholders for continuously improved governance of ICT.
• Identify new governance requirements – using the feedback and lessons learned,
monitoring of the improvements on performance and current understanding of
business and ICT goals, the enterprise should consider new governance
requirements
5.6. RACI CHART
The RACI Chart (Responsible, Accountable, Consulted, and Informed) clarifies the
assignment of responsibilities and decision-making rights across a number of roles. The
RACI model is built around a simple 2-dimensional matrix which shows the 'involvement'
of Functional Roles in a set of Activities. 'Involvement' can be of different kinds:
Responsibility, Accountability, Consultancy or Informational. The model is used during
analysis and documentation efforts in all types of Service Management, Quality
Management, Process- or Project Management. A resulting RACI chart is a simple and
powerful vehicle for communication. Defining and documenting responsibility is one of the
fundamental principles in all types of Governance (Corporate or ICT-Governance).
The following chart gives an example of the RACI principles. Based on the capacity of the
municipality, its resources and ICT requirements, the chart can be completed accordingly.
Example of the RACI Chart – Roles and Responsibility Categories
Functional Level: Designation
• Strategic: Mayoral Office, Council & Municipal Manager’s Office
• Tactical: Municipal Manager; Internal Audit; PMO
• Operational: Business process owner; Head of administration; Service desk
6. RECOMMENDED SHORT AND MEDIUM TERM APPROACHES
Recommendations provided below are based on the premise that roles and responsibilities
should be allocated to each activity. It is also crucial to the success of the deliverable that
timelines (anticipated start and end dates), be allocated for each activity. Guidelines for
measuring and monitoring success of actual deliverables (see chapter 7 of this document)
should be used.
Cognisance must also be taken of the fact that “one size does not fit all”. Because
municipalities may differ greatly from each other in terms of size and capacity (see section
2.2 for a description of the different categories of municipalities), it is understandable that
category A municipalities may have more resources in the form of manpower, budget etc.
than category B and C municipalities. While the following list of recommendations should be
considered by all categories of municipalities, category A and B municipalities should take
specific notice of those recommendations denoted with “**”.
6.1. SHORT TERM
Control objectives and metrics should be assessed at operational level on an ongoing
basis. These include the following:
9.2.1 SECURITY MANAGEMENT
• ** Dedicate responsibility for information security to a dedicated information
security officer, independent of the system administrator
• ** Design and implement ICT security policies and procedures for the
administration of security measures over the network, operating system and
application systems. These need to be enforced and updated on a regular basis.
• Carry out ICT security awareness initiatives and campaigns
• Manage and maintain ICT security at the highest appropriate organisational level
• Implement strong password controls to authenticate system access
• Correctly configure firewalls and routers within the network environment to ensure
optimal protection against unauthorised access
• Implement patch management processes to prevent exploitation of vulnerabilities
• Implement antivirus software across the organisation to protect information
systems and technology from malware
• Ensure that system configurations detect security vulnerabilities and that
incidents are monitored, reported and resolved on a regular basis
• Ensure that activities within the system network, including databases, are tracked
by means of audit trails reviewed by someone independent of administration functions
• Deploy firewall, anti-virus and anti-spyware solutions to make sure that your email, intranet
and internet are protected from attack, including:
o Monitored and Managed Firewall Services
o Managed Network-based Intrusion Detection Services
o Managed Integrated Security Appliance Services
o Internet Vulnerability Assessment Services
o Managed Virus Protection Services
9.2.2 USER ACCESS CONTROL
Formally document and approve user account management standards and procedures
Complete and get management approval for access request documentation for registering users, changing of access rights, password resets and termination of access rights
Minimise the number of users with administrator privileges that can perform all functions pertaining to user account management
Independently monitor the activities of system administrators
Periodically review employee access rights and privileges to ensure they are in line with their job responsibilities
9.2.3 PROGRAM CHANGE MANAGEMENT
** Establish and implement documented and approved program change control policies and procedures
** Ensure that programmers do not have access to the production environments. Where programmers have been granted access, ensure that this access is monitored.
Complete and get management approval for change request documentation for all program changes
Conduct user acceptance testing on all changes before migration to the production environment
9.2.4 DATA CENTRE MANAGEMENT
Control changes to database management software
Restrict access to system software with access control software to personnel with corresponding job responsibilities
** Log and review installation of all system software to establish an audit trail
** Schedule hardware equipment changes/maintenance and testing to minimise the impact on operations and users.
9.2.5 FACILITIES AND ENVIRONMENTAL CONTROLS
Control physical access to sensitive areas (e.g. computer room, operations, printing rooms, storage rooms, UPS/generators, network rooms, tape library, offsite backup storage facility)
** Periodically test environmental controls within data centres / computer rooms (e.g. water and smoke detectors, fire suppression system, fire extinguishers, air conditioning systems)
9.2.6 ICT SERVICE CONTINUITY
Incorporate the ICT continuity and disaster recovery plans into the organisational business continuity plan.
Distribute, update and test the ICT continuity plan and DRP and store them at an offsite location.
Implement an ICT backup and retention strategy
Perform backup procedures for data and programs according to the above strategy.
Store backups in a secure offsite storage facility
Implement physical access and environmental controls over the offsite storage facility
9.2.7 IT INFRASTRUCTURE
This includes management of hardware such as servers, desktops, notebooks and other IT equipment.
Assess the warranty status of all machines
Develop an upgrade plan as hardware comes out of vendor support or reaches the end of its serviceable life
Document your current server hardware and create a report that shows where all of your essential network services are currently located
Develop a data map so that you can see where data is currently stored
Server-based remote management of desktops: remote management covers virus detection and protection, operating system and application updates and patches, and nightly backups of employees’ hard disk images
6.2. MEDIUM TO LONG TERM
Based on ICT Governance measures, the following initiatives should be considered:
Develop an ICT strategic plan that supports business requirements
** Prepare an organisation structure, indicating roles and responsibilities, to ensure that ICT investments are aligned and delivered in accordance with enterprise strategies and objectives
** Establish an IT steering committee, chaired by the MM, with the CIO as secretariat, the CFO and Corporate Services as permanent members and other senior managers on invitation. This will ensure that decisions taken in respect of IT are coordinated.
** What cannot be measured cannot be monitored. Define KGIs for ICT Governance at executive level (Municipal Manager’s Office)
** Assess KPIs for ICT Governance at municipal ICT organisation level for compliance
Review ICT service performance periodically against targets
Conduct regular ICT risk assessments to identify emerging risks
** Manage the relationship with suppliers through signed service level agreements (SLAs) to ensure the quality of the services delivered
** Adopt a project management framework that defines the scope and boundaries of managing ICT projects
Consider training initiatives such as those discussed in chapter 6 of this document
Conduct improvement projects and initiatives to ensure compliance
The proposed elevated placement of the CIO, reporting directly to the MM’s office on the
organogram as head of ICT and as custodian of the information of the municipality, is
supported; however, the responsibility needs to be captured or regulated in legislation.
Furthermore, the new SCOA will also have to be aligned accordingly. SALGA needs to
engage CoGTA’s view regarding this.
7. SKILLS REQUIREMENTS FOR GOOD ICT GOVERNANCE
While the shortage of ICT skills will not be solved overnight, it makes common sense to identify
critical ICT skills in order to be able to manage potential crisis areas. The following list gives an
indication of the type and level of expertise of the ICT skills that are required to move towards
and manage a functional ICT Governance Framework.
Skill: General Description
Information management: The overall management of information, as a fundamental business resource, to ensure that the information needs of the business are met.
Business risk management: The planning and implementation of organisation-wide processes and procedures for the management of operational risk.
Information security: The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.
Security administration: The authorisation and monitoring of access to IT facilities or infrastructure in accordance with established organisational policy. Includes the investigation of unauthorised access, compliance with data protection and performance of other administrative duties relating to security management.
Information assurance: The protection of systems and information in storage, processing, or transit from unauthorised access or modification, the denial of service to unauthorised users, and the provision of service to authorised users.
Systems architecture: The specification of systems architectures, identifying the components needed to meet the present and future requirements, both functional and non-functional (such as security), of the business as a whole, and the interrelationships between these components.
Continuity management: The provision of service continuity planning and support. This includes the identification of information systems that support critical business processes, the assessment of risks to those systems’ availability, integrity and confidentiality and the coordination of planning, designing, testing and maintenance procedures and contingency plans to address exposures and maintain agreed levels of continuity.
Network design: The production of network designs and design policies, strategies, architectures and documentation, covering voice, data, text, e-mail, facsimile and image, to support business requirements and strategy.
Network operations: The day to day operation and maintenance of networked systems to ensure that the communication needs of the business are met.
Programming/software development: The design, creation, testing and documenting of new and amended programs from supplied specifications in accordance with agreed standards.
Web site specialism: The design, creation, testing, implementation and support of new and amended collections of pages of information on the world wide web or an intranet or extranet.
Project management: The management of projects, typically (but not exclusively) involving the development and implementation of business processes to meet identified business needs, acquiring and utilising the necessary resources and skills, within agreed parameters of cost, timescales and quality.
Configuration management: The systematic management of information relating to the documentation, software, hardware and firmware assets of an organisation. This will involve identification and appropriate specification of all configuration items (CIs). Required information will relate to storage, access, problem reporting and change control of CIs.
Change management: The management of all changes to the components of a live infrastructure, from requests for change (RFC) through to implementation and review, to support the continued availability, effectiveness and safety of the infrastructure.
Capacity management: The management of the capability and functionality of hardware, software and network components to meet current and predicted needs in a cost-effective manner.
Availability management: The overall control and management of services and their availability to ensure that all services meet all of their agreed availability targets.
Financial management for ICT: The overall financial management, control and stewardship of the ICT assets and resources used in the provision of ICT services, ensuring that all governance, legal and regulatory requirements are complied with.
Management and operations: The management and operation of the ICT infrastructure (typically hardware, software and communications) and the resources required to plan for, develop, deliver and support properly engineered ICT services and products to meet the needs of a business.
7.1. ADDRESSING TRAINING NEEDS
A formal training certification process across the board, for knowledge that may not be
used at the same level by all areas of the business, is not recommended. Instead,
training programs on specific business focus areas within specific functional levels within
the various organisational branches of municipalities should be encouraged.
Municipalities all contribute to the National Skills Fund, managed by the Local
Government Sector Education and Training Authority (LGSETA). LGSETA is expected to
support municipalities to:
Initiate learnerships;
Approve workplace skills plans that potential employers produce;
Provide funds for employers, trainers and workers; and
Observe and scrutinise education and training in their particular sector.
The following diagram illustrates areas of ICT governance where municipalities must
engage with LGSETA for appropriate training programs. It is categorised into three areas,
namely Strategic, Tactical and Operational, as follows:
Deliverables can be achieved through a combination of on-the-job training and mentoring
as well as certified short courses and vendor certifications.
8. MEASURING, MONITORING AND BENCHMARKING
8.1. ICT GOVERNANCE MATURITY LEVELS
The King III Code defines a wide range of requirements that need to be fulfilled by all
organisations (also Local Government) in South Africa, including an awareness of levels
of maturity in the governance of ICT. Levels of maturity are recognised using the criteria
of assigned responsibility to fulfill the King III principles and practices, the activities
executed in support of the principles and practices, the supporting documents in place
and the nature of performance measurements being monitored.
8.2. MEASURING AND MONITORING ACTIVITIES
It’s not about doing things right, it is about doing the RIGHT things right. How does this
relate to Governance?
Typically, decisions have to be made on a continual basis on how to allocate and
reallocate resources and how to prioritise ICT activities and plans. Information on the
importance of all current projects and ICT processes, and on how they are performing as an
integral part of the overall ICT strategy, is required on an on-going basis. Are they on track
to deliver business benefits? Do they require improvement? What are the business risks,
and how well are those risks managed?
Amongst the many definitions of ICT governance, it can also be defined as:
“A framework that consists of the leadership, organisational structures and processes that
ensure that the organisation’s ICT sustains and extends the organisation’s strategies and
objectives.”
This translates into several areas of responsibility and activity:
Business-IT strategic alignment, so that current ICT operations support the business and the future ICT organisation enables the business;
ICT value delivery, to identify and perform those ICT activities that actually deliver value to the business;
Risk management, which must become an integral part of all ICT processes so that risks are identified and dealt with;
Performance measurement, to monitor whether goals are reached and to provide direction for improvement where deviations are observed.
It comes down to the well-known ‘plan-do-check-act’ cycle.
The next figure provides the logic of proper governance principles, supported through a
chosen technology for information analysis and governance compliance.
8.3. ICT GOVERNANCE MEASUREMENTS
The measurement of ICT Governance in Local Government needs to be taken over the
medium to long term. It consists of a number of steps, as follows:
Definition phase - ICT Governance goals or Key Goal Indicators (KGIs) need to be established at the top organisational level (Municipal Manager’s Office). These goals are then cascaded down into the municipal ICT organisation. A KGI is a measure of "what" has to be accomplished.
Translation phase - A cascading (breakdown) of the KGIs into measurable, weighted Key Performance Indicators (KPIs) and their sources/processes across the municipal divisions. A KPI defines and measures progress toward organisational goals. While KGIs focus on “what”, KPIs are concerned with “how”.
Measurement phase - Audits/assessments (self-assessments) are conducted across the ICT environment on the relevance of governance activities/plans/processes/RACI within the business value chain. The level of accomplished ICT Governance process roll-out per business requirement is measured.
Management phase - From the audit/assessment results, the cascaded KPIs/KGIs are analysed for shortfalls and for the potential business risks arising from them (where not predefined), to enable corrective actions.
Opportunity phase - Performance measures are then compared against the goals and the goals are checked for validity. Goals may be redefined because of business dynamics. Adjustments are budgeted for and implemented and, where necessary, KGIs/KPIs are adjusted and the cycle starts over, periodically.
9. SUPPORT FOR MUNICIPAL ICT GOVERNANCE
9.1. THE ROLE OF SALGA
By establishing this Corporate Governance of ICT Guideline, SALGA realises that a support
function will be required to enable successful adoption and implementation. Apart
from the usual support structures that are already in place, SALGA will provide the
following support structures:
Skills development and awareness sessions: In line with the suggested skills requirements discussed in chapter 6 of this guideline, SALGA will provide educational workshops and awareness sessions on the various categories. These workshops and sessions will be made available on a regular basis and more detail will be made available in the near future.
ICT Governance Awards: In order to encourage the early adoption of ICT Governance within the various municipalities, SALGA is planning to give awards to those municipalities which have shown a keen interest and enthusiasm in embracing the governance of ICT as a means to improve overall service delivery.
ICT Governance Assessments: A number of ICT governance assessments are planned over the medium to long term to assist municipalities in measuring their ICT governance maturity levels. More detail will be made available in the near future.
Conferences and Information Sharing: A number of conferences on ICT Governance and related topics are planned for the short to medium term. Apart from sharing valuable information on ICT governance and related topics, these conferences will also be invaluable for networking and sharing information and ideas with colleagues and peers.
9.2. NATIONAL TREASURY
National Treasury is dependent on financial information received from municipalities to
inform national policy. Municipalities, on the other hand, are more dependent on financial
system vendors to maintain their financial systems and to retrieve financial information
and associated reports. National Treasury realised the problems of poor quality reporting
and undertook to put in motion a process to resolve them. Since 2009
there have been several discussions at strategic level regarding a possible systems
solution for local government. National Treasury is currently leading a project that seeks
to close the information gap and at the same time improve the credibility of the reports
submitted, which will ultimately influence policy debates and policy direction.
National Treasury commissioned the above project in 2010, initially in order:
To assess the cost and capabilities of current financial systems utilised at municipalities
To document business process flows within the finance environment
To establish the minimum requirements of municipal financial management systems and compile such guidelines to be regulated as part of the Standard Chart of Accounts (SCOA) project.
Other issues such as IT governance and IT infrastructure, on which financial and
related systems are dependent, became increasingly evident as the project unfolded.
Subsequently, a working committee of the Technical Committee for Finance (TCF) was
established towards the end of last year, in which National Treasury met with stakeholders
including Provincial Treasuries, SALGA, CoGTA and IMFO to discuss these issues.
The Technical Committee on Finance (TCF) is comprised of officials from the National
Treasury and provincial treasuries and supports the Budget Council.
9.2.1. STANDARD CHART OF ACCOUNTS (SCOA)
The National Treasury embarked on a budget reform program in 1999 aiming at
improving accountability and modernising the accounts of government; primarily by
bringing budget and expenditure reporting in line with international best practice. The
ultimate aim of this reform remains unchanged – it is to provide better quality
information to legislatures to assist in the policy making process and to reinforce
Parliament’s oversight role.
The first part of the reform was the introduction of a new, standardised chart of
accounts and new economic reporting format for national and provincial government
departments in 2004. In this SCOA a standard list of expenditure items aligned with
international accounting and economic reporting standards replaced the original
“standard item” configuration in the financial systems.
The SCOA in essence comprises the coding of items used for classification,
budgeting, recording and reporting of revenues and expenditures within the
accounting system, in order to facilitate the recording of all transactions affecting
assets and liabilities.
9.3. OTHER STAKEHOLDERS
9.3.1. COOPERATIVE GOVERNANCE AND TRADITIONAL AFFAIRS (COGTA)
CoGTA should monitor and influence improvements to address system deficiencies
and duplication at municipalities.
9.3.2. DEPARTMENT OF PUBLIC SERVICE AND ADMINISTRATION (DPSA)
DPSA, in consultation with the GITO council, should extend the IT governance
framework developed for national and provincial departments to incorporate local
government. Consideration should be given to extending SITA’s mandate to provide
technical support to local government.
9.3.3. THE AUDITOR GENERAL
The Auditor-General provides National Treasury with the Provincial and Local Audit
Notes, which assist in analysing the outcomes and in considering the
recommendations made. From the above it is clear that the performance of the
financial systems is dependent on the way the IT governance structures are managed
by the municipality, and this needs to be addressed as part of these reforms.
9.3.4. LOCAL GOVERNMENT SECTOR TRAINING AUTHORITY (LGSETA)
Municipalities all contribute to the National Skills Fund, managed by the Local
Government Sector Training Authority (LG SETA). LGSETA is expected to support
municipalities to:
o Initiate learnerships;
o Approve workplace skills plans that potential employers produce;
o Provide funds for employers, trainers and workers; and
o Observe and scrutinise education and training in their particular sector.
10. METHODOLOGY USED TO COMPILE THE GUIDELINE
10.1. CONCEPTUAL APPROACH
An ICT Governance Framework is a system by which the current and future use of ICT is
directed and controlled. This management system includes policies, plans, organisational
structures, processes and governance mechanisms to enable the effective management
of ICT resources.
An ICT governance framework comprises three tiers:
At the Executive Authority level: Mayors and Municipal Managers evaluate, direct and monitor the performance of ICT against plans, internal policies, external obligations and strategic objectives.
At the Executive Management level: Municipal Managers / Executives plan, supervise, check and act to effectively and efficiently leverage ICT resources. Establish an IT steering committee, chaired by the Municipal Manager, with the CIO as secretariat, the CFO and Corporate Services as permanent members and other senior managers on invitation. This will ensure that decisions taken in respect of IT are coordinated.
At the Process level: activities are performed, controlled and checked in alignment with business objectives.
10.2. ICT GOVERNANCE FRAMEWORK COMPONENTS
A Governance Framework is a management system which enables the effective
management of ICT resources. More specifically a Governance Framework should (at
least) include the following components:
An ICT Governance Charter - The Charter outlines the decision making rights and
accountability for ICT governance that will enable the desirable culture in the use of ICT
within the municipality. This is achieved by requiring ICT management to provide timely
information to comply with direction and to conform to the principles of good governance.
A RACI Chart (Responsible, Accountable, Consulted, Informed) - The RACI chart clarifies
the assignment of responsibilities and decision-making rights across a number of roles.
Role descriptions are mapped to the key tasks that underpin the ICT services provided
using Best Practice such as CobiT and ITIL process models as a reference.
Measurement and Monitoring – Performance maturity levels are established using the
criteria of assigned responsibility to execute tasks in support of the principles and
practices.
ICT Controls - Control activities are the policies, procedures, general, application, user
and company level responses that help ensure risk responses are properly executed.
Internal Audit - Internal audit performs the following functions:
Evaluate the municipality’s governance processes;
Perform an objective assessment of the effectiveness of risk management and internal controls;
Analyse and evaluate business processes and associated controls; and
Provide a source of information regarding instances of fraud, corruption, unethical behaviour and irregularities.
10.3. THE DRAFT DPSA ICT GOVERNANCE FRAMEWORK
The Draft Public Service Governance of Information and Communication Technology
Framework was published in November 2011 by the Department of Public Service and
Administration. The purpose of the Framework is to institutionalise the Corporate
Governance of ICT and the Governance of ICT as an integral part of governance within
institutions. The scope of the Framework applies to all national and provincial institutions
as defined by the Public Service Act of 1994 as amended (Schedules 1 to 3).
The Municipal Guide / Roadmap to Successful ICT Governance (this document) should
be seen as complementary to the DPSA Framework, as it builds on the concepts,
standards, codes and best practice that are listed in the DPSA Framework. While the
DPSA Framework is strategically positioned, the Guideline, although also strategic in
nature, is more tactically and operationally focused. The Guideline should be used as a
reference when implementing the Framework. It should be considered as moving from
“strategic intent” (the DPSA Framework) to “operational excellence”.
10.4. INTEGRATION OF BEST PRACTICE
A solid ICT Governance Framework, supported by effective processes, is a must for any
municipality that wants to ensure good governance covering all its business support
mechanisms. These best practices carry a complexity that requires a smart
approach in order to succeed in realising a final deliverable. By combining these best
practices in a logical sense and mapping them against each other, they become
complementary, forming one logical model in line with the requirements of local government
environments. The main standards and best practices that should be referenced in an ICT
Governance Framework are listed below:
ICT Governance
o COBIT®; Control Objectives for Information and related Technologies
o ISO 38500; Corporate Governance Standard
o King III Code of Governance (specifically chapter 5)
Service Management
o ITIL; IT Infrastructure Library, version 2 & 3
o ISO 20000; IT Service Management Standard
Information Security Management
o ISO 27001/2 Information Security Standard
Business Continuity and Disaster Recovery Management
o BS 25999; Business Continuity Management
o ISO 24762; Disaster Recovery Management
From an ICT Governance perspective, CobiT, ISO 38500 and King III provide clear
guidelines and control objectives for measurable governance, metrics and practices.
From a security and continuity of business perspective ISO 27001/2, ISO 24762 and BS
25999 provide clear guidelines and controls for confidentiality, integrity and availability of
services and the required risk mitigation.
EFFECTIVE BEST PRACTICE INTEGRATION
By adding ITIL to the equation, the question of how to do what is then addressed
adequately. Roles, responsibilities and information process flows can now be established
according to the priority for governing ICT and within the enabling processes and
activities. These combined practices enable ICT governance that is based on business
requirements through appropriate delivery & support structures, mitigated risks and
measured improvements.
ADDENDUM A – STANDARDS, CODES AND BEST PRACTICE
A1 GOVERNANCE
A1.1 KING III CODE OF GOVERNANCE
The King Code on Governance for South Africa ("King III") was launched on 1
September 2009. It came into effect and replaced the then existing King II Code on
Corporate Governance ("King II") on 1 March 2010.
King III sets out a number of key governance principles which should be read
together with best practice recommendations on how to carry out each principle. A
number of Practice Notes have also been issued by the Institute of Directors to assist
entities in implementing King III.
King III's principles and recommendations must be seen against the legislative
requirements contained in the 2008 Act and the Public Finance Management Act of
1999. This is reflected in the terminology used in King III with "must" indicating a legal
requirement and "should" indicating where application of King III will result in good
governance.
Significantly, King III also applies to all entities incorporated in and resident in SA
irrespective of their manner or form of incorporation or establishment. The application
of King III is also mandatory for JSE listed companies.
In a change of approach, King III moves from a "comply or explain" approach to an
"apply or explain" approach. The "apply or explain" approach requires a greater
consideration of how a principle or a recommended practice in King III could be
applied. A board may conclude that applying a recommended practice is not
necessarily in the best interests of the company and apply a different practice,
provided that it explains the practice adopted and its reasons for doing so.
At a high level, the King III Code of Governance addresses the following governance
components:
Ethical leadership and corporate citizenship
Boards and directors
Audit committees
The governance of risk
The governance of information technology
Compliance with laws, rules, codes and standards
Internal audit
Governing stakeholder relationships
Integrated reporting and disclosure
In addition, the King Committee also commissioned a number of Practice Notes to
assist with the insight into and practical application of King III. Practice Notes are
aimed at providing high-level guidance to those individuals charged with governance
to enable them to execute those duties and are not intended to serve as detailed
implementation guides.
The table below summarises chapter 5 of the code. Chapter 5 focuses specifically on
ICT:
Principles and recommended practice (King III, Chapter 5)

Principle 5.1: The board should be responsible for information technology (IT) governance.
  5.1.1 The board should assume the responsibility for the governance of IT and place it on the board agenda.
  5.1.2 The board should ensure that an IT charter and policies are established and implemented.
  5.1.3 The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.
  5.1.4 The board should ensure that an IT internal control framework is adopted and implemented.
  5.1.5 The board should receive independent assurance on the effectiveness of the IT internal controls.

Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company.
  5.2.1 The board should ensure that the IT strategy is integrated with the company's strategic and business processes.
  5.2.2 The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework.
  5.3.1 Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance framework.
  5.3.2 The board may appoint an IT steering committee or similar function to assist with its governance of IT.
  5.3.3 The CEO should appoint a Chief Information Officer responsible for the management of IT.
  5.3.4 The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and executive management.

Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure.
  5.4.1 The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.
  5.4.2 The board should ensure that intellectual property contained in information systems is protected.
  5.4.3 The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services.

Principle 5.5: IT should form an integral part of the company's risk management.
  5.5.1 Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.
  5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

Principle 5.6: The board should ensure that information assets are managed effectively.
  5.6.1 The board should ensure that there are systems in place for the management of information, which should include information security, information management and information privacy.
  5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified.
  5.6.3 The board should ensure that an Information Security Management System is developed and implemented.
  5.6.4 The board should approve the information security strategy and delegate and empower management to implement the strategy.

Principle 5.7: A risk committee and audit committee should assist the board in carrying out its IT responsibilities.
  5.7.1 The risk committee should ensure that IT risks are adequately addressed.
  5.7.2 The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.
  5.7.3 The audit committee should consider IT as it relates to financial reporting and the going concern of the company.
  5.7.4 The audit committee should consider the use of technology to improve audit coverage and efficiency.
A.1.2 SANS 38500:2008 ICT GOVERNANCE STANDARD
The ISO/IEC 38500 standard on the Corporate Governance of ICT was published by
the International Standards Organisation (ISO) and the International Electrotechnical
Commission (IEC) in June 2008. The standard originated from an Australian standard,
AS 8015.
This standard provides a framework for effective governance of ICT, to assist those at
the highest level of organisations to understand and fulfil their legal, regulatory and
ethical obligations in respect of their organisations' use of ICT. This standard was
adopted and published by the South African Bureau of Standards (SABS) in July 2009 and is
available from the SABS.
The SABS publication for the South African environment included the following as part of its national foreword:
"SANS 38500:2008 provides guidance on the effective and efficient use of corporate
governance of information technology (IT) operations within organisations.
Organisations that subscribe to SANS 38500:2008 as an international guideline to
construct their corporate governance of ICT environment should note that efficient and
effective corporate governance of ICT is derived from the interpretation,
implementation and execution of the guidelines of SANS 38500:2008 in an
organisational environment.
Adherence to SANS 38500:2008 guidelines gives stakeholders confidence in
the effective corporate governance of IT in the organisation. This assurance is not
absolute and depends on how the guidelines of SANS 38500:2008 are interpreted,
implemented and executed in order to govern the corporate use of IT effectively and
efficiently.
SANS 38500:2008 should be implemented in conjunction with South African
legislation and regulations. SANS 38500:2008 complements and dovetails with de
facto corporate governance codes of practice such as the KING II and KING III
reports on corporate governance for South Africa.
Definitions within SANS 38500:2008 were developed in order to cater for a global
audience. Local definitions of terms can therefore, where relevant, be adopted in
order to align the standard with the South African environment."
SANS 38500:2008 is a principle-based standard: when the governing body adopts
these principles, they should provide the fundamental reference that influences its
behaviour when governing the use of ICT. The standard offers the following six
principles:
SANS 38500:2008 – Principles and descriptions

Principle 1: Responsibility
  The responsibility principle states that individuals or groups will be granted the required authority to accept and discharge their responsibilities in the use of IT. Although not explicitly stated, the governing body may delegate certain responsibilities, but remains accountable for the outcome.
Principle 2: Strategy
  The strategy principle states that the business strategy considers the capabilities of IT (both current and future) and that IT strategic plans enable the on-going realisation of the business' strategic intent.
Principle 3: Acquisition
  The acquisition principle states that IT is procured through sound and transparent investment decisions; that these decisions will consider the appropriate balance between risk and reward; and that investment benefits/outcomes are tracked to realisation.
Principle 4: Performance
  The performance principle states that the organisation should deliver fit-for-purpose, quality IT services, at the required service levels, that will contribute to the organisation delivering on its strategic intent.
Principle 5: Conformance
  The conformance principle states that the organisation, in its use of IT, continually complies with all applicable legislation and regulation by embedding it in its policies and practices.
Principle 6: Human behaviour
  The human behaviour principle states that the organisation should respect the needs of people in the use of IT by embedding this in its policies and practices.
A.1.3 COBIT GOVERNANCE FRAMEWORK
Control Objectives for Information and related Technology (CobiT®) provides good
practices across a domain and process framework and presents activities in a
manageable and logical structure. CobiT's good practices represent the consensus of
experts. They are focused more on control and less on execution.
For ICT to be successful in delivering against business requirements, management
should put an internal control system or framework in place. The CobiT control
framework contributes to these needs by:
Making a link to the business requirements
Organising ICT activities into a generally accepted process model
Identifying the major ICT resources to be leveraged
Defining the management control objectives to be considered
The business orientation of CobiT consists of linking business goals to ICT goals,
providing metrics and maturity models to measure their achievement, and identifying
the associated responsibilities of business and ICT process owners.
The process focus of CobiT is illustrated by a process model that subdivides ICT into
four domains and 34 processes in line with the responsibility areas of plan, build, run
and monitor, providing an end-to-end view of ICT. Enterprise architecture concepts
help identify the resources essential for process success, i.e., applications,
information, infrastructure and people.
CobiT ICT Governance focus areas can be summarised as follows:
Strategic alignment focuses on ensuring the linkage of business and ICT plans;
defining, maintaining and validating the ICT value proposition; and aligning IT
operations with enterprise operations.
Value delivery is about executing the value proposition throughout the delivery
cycle, ensuring that ICT delivers the promised benefits against the strategy,
concentrating on optimising costs and proving the intrinsic value of ICT.
Resource management is about the optimal investment in, and the proper
management of, critical ICT resources: applications, information, infrastructure
and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management requires risk awareness by senior corporate officers, a clear
understanding of the enterprise’s appetite for risk, understanding of compliance
requirements, transparency about the significant risks to the enterprise and
embedding of risk management responsibilities into the organisation.
Performance measurement tracks and monitors strategy implementation, project
completion, resource usage, process performance and service delivery, using, for
example, balanced scorecards that translate strategy into action to achieve goals
measurable beyond conventional accounting.
A.2 SERVICE MANAGEMENT
A.2.1 ITIL V2/3
ITIL was developed by the Office of Government Commerce (OGC) within the UK
Treasury Department in the late 1980s to improve the efficiency and effectiveness of
government procurement. Today, OGC uses ITIL to create centers of excellence in
program management to serve as examples of best practices across government.
The common terminology and consistent service levels and processes presented by ITIL are
particularly valuable to companies looking to standardise their best practices across
business units and geographical locations. Incorporating ITIL into IT service
management is one way to assure customers that they will receive a consistent quality
of service and efficiency, regardless of which geographical location's operations
they are dealing with.
Although the current version is version 3, all the core processes of version 2 have
been retained, albeit in a different category. ITIL version 2 defined service
management best practices as 10 core processes divided into two major functional
areas: Service Support and Service Delivery. Within each of the 10 core areas is a
series of activities designed to help ICT not only manage and maintain current
demands for service, but also react quickly to change as the nature of ICT
dependency evolves.
Service Support is all about delivering the ICT services customers need to stay up
and running. This includes fixing the root cause of problems to prevent repetition of
incidents and ensure that any modifications don't introduce new problems. ITIL
identifies five key components of service support:
Incident management focuses on restoring service to the customer as quickly as
possible to the agreed-upon service levels
Problem management explores the root cause of an incident and focuses on
determining a solution or solutions that will eliminate it from the ICT infrastructure
Change management deals with maintaining control over the ICT infrastructure to
prevent changes from creating new incidents
Configuration management links ICT assets to their relationships, both physical
and in respect to key business processes, so that management can make
intelligent decisions about service priorities
Release management addresses how to introduce new hardware and software
into an organization as smoothly as possible without creating new incidents and
problems.
Service Delivery is all about making sure that ICT has everything in its environment to
deliver support on a day-to-day basis to the agreed-upon service levels the customer
demands. This includes sufficient people on the service desk, sufficient capacity,
enough lines, equipment, software, and so on. ITIL identifies five key components of
service delivery:
Service-level management emphasizes the importance of determining service
needs from the customer inward, not from ICT outward. First, define the
customer's service needs and then build a service-level agreement around those
needs.
Financial management focuses on understanding exactly what it costs to supply a
particular service to a customer. It involves thinking of ICT as a business rather
than just an internal department.
Capacity management looks at managing both the capacity of assets and the
performance of those assets to provide the level of service the customer needs.
Availability management is all about providing service to the customer -- to
agreed service levels -- as well as continually examining the reliability of the ICT
infrastructure to improve upon the availability of service.
Continuity management identifies the critical services a business needs to stay in
business and focuses on providing the right level of service to maintain continuity
during typical day-to-day operations as well as under adverse circumstances
such as disaster recovery.
With the publication of version 3, a number of additional components as listed below
have been added:
Strategy generation
Service design aspects
Supplier management
Outsourced models
Service knowledge management system
Application design and management
Technology architecture design and management
Service measurement
Event measurement
Request fulfillment
The list below shows how Service Delivery and Service Support have been
positioned in version 3:
A.2.2 ISO/IEC 20000
ISO/IEC 20000-1:2005 defines the requirements for a service provider to deliver
managed services.
It may be used
by businesses that are going out to tender for their services;
to provide a consistent approach by all service providers in a supply chain;
to benchmark ICT service management;
as the basis for an independent assessment;
to demonstrate the ability to meet customer requirements;
to improve services.
ISO/IEC 20000-1:2005 promotes the adoption of an integrated process approach to
effectively deliver managed services that meet business and customer requirements.
For an organisation to function effectively it has to identify and manage numerous
linked activities. Co-ordinated integration and implementation of the service
management processes provide ongoing control, greater efficiency and
opportunities for continual improvement.
Organisations require increasingly advanced facilities (at minimum cost) to meet their
business needs. With the increasing dependencies in support services and the
diverse range of technologies available, service providers can struggle to maintain
high levels of customer service. Working reactively, they spend too little time
planning, training, reviewing, investigating, and working with customers. The result is
a failure to adopt structured, proactive working practices. Those same service
providers are being asked for improved quality, lower costs, greater flexibility, and
faster response to customers.
In contrast, effective service management delivers high levels of customer service
and customer satisfaction. It also recognizes that services and service management
are essential to helping organizations generate revenue and be cost-effective. The
ISO/IEC 20000 series enables service providers to understand how to enhance the
quality of service delivered to their customers, both internal and external.
The ISO/IEC 20000 series draws a distinction between best practice for
processes, which is independent of organisational form or size, and organisational
names and structures. The ISO/IEC 20000 series applies to both large and small
service providers, and the requirements for best practice service management
processes are independent of the service provider's organisational form. These
service management processes deliver the best possible service to meet a
customer's business needs within agreed resource levels, i.e. service that is
professional, cost-effective and with risks which are understood and managed.
A.3 SECURITY MANAGEMENT
A.3.1 ISO/IEC 27001
ISO/IEC 27001 is the formal standard against which organisations may seek
independent certification of their Information Security Management Systems
(meaning their frameworks to design, implement, manage, maintain and enforce
information security processes and controls systematically and consistently
throughout the organisations).
The standard covers all types of organisations (e.g. commercial enterprises,
government agencies and non-profit organisations). It specifies the requirements for
establishing, implementing, operating, monitoring, reviewing, maintaining and
improving a documented ISMS within the context of the organisation's overall risk
management processes. It specifies requirements for the implementation of security
controls customised to the needs of individual organisations or parts thereof.
ISO/IEC 27001 provides an ISMS model for adequate and proportionate security
controls to protect information assets and give confidence to interested parties.
According to JTC1/SC27, the ISO/IEC committee responsible for the 27000 series
and related standards, 27001 "is intended to be suitable for several different types of
use, including:
Use within organisations to formulate security requirements and objectives;
Use within organisations as a way to ensure that security risks are cost-effectively
managed;
Use within organisations to ensure compliance with laws and regulations;
Use within an organisation as a process framework for the implementation and
management of controls to ensure that the specific security objectives of an
organisation are met;
The definition of new information security management processes;
Identification and clarification of existing information security management
processes;
Use by the management of organisations to determine the status of information
security management activities;
Use by the internal and external auditors of organisations to demonstrate the
information security policies, directives and standards adopted by an organisation
and determine the degree of compliance with those policies, directives and
standards;
Use by organisations to provide relevant information about information security
policies, directives, standards and procedures to trading partners and other
organisations that they interact with for operational or commercial reasons;
Implementation of a business enabling information security; and
Use by organisations to provide relevant information about information security to
customers.”
The information security controls from ISO/IEC 27002 are noted in an appendix to
ISO/IEC 27001, rather like a menu. Organisations adopting ISO/IEC 27001 are free
to choose whichever specific information security controls are applicable to their
particular information security situations, drawing on those listed in the menu and
potentially supplementing them with other a la carte options. As with ISO/IEC 27002,
the key to selecting applicable controls is to undertake a comprehensive assessment
of the organisation’s information security risks.
A.3.2 ISO/IEC 27001 CONTROLS
ISO/IEC 27002 Controls (clause, section and control objective)

Organisation of Information Security
  6.1 Internal Organisation
  6.2 External Parties
Asset Management
  7.1 Responsibility for Assets
  7.2 Information Classification
Human Resource Security
  8.1 Prior to Employment
  8.2 During Employment
  8.3 Termination or Change of Employment
Physical and Environmental Security
  9.1 Secure Areas
  9.2 Equipment Security
Communications and Operations Management
  10.1 Operational Procedures and Responsibilities
  10.2 Third Party Service Delivery Management
  10.3 System Planning and Acceptance
  10.4 Protection against Malicious and Mobile Code
  10.5 Back-Up
  10.6 Network Security Management
  10.7 Media Handling
  10.8 Exchange of Information
  10.9 Electronic Commerce Services
  10.10 Monitoring
Access Control
  11.1 Business Requirement for Access Control
  11.2 User Access Management
  11.3 User Responsibilities
  11.4 Network Access Control
  11.5 Operating System Access Control
  11.6 Application Access Control
  11.7 Mobile Computing and Teleworking
Information Systems Acquisition, Development and Maintenance
  12.1 Security Requirements of Information Systems
  12.2 Correct Processing in Applications
  12.3 Cryptographic Controls
  12.4 Security of System Files
  12.5 Security in Development and Support Processes
  12.6 Technical Vulnerability Management
Information Security Incident Management
  13.1 Reporting Information Security Events and Weaknesses
  13.2 Management of Information Security Incidents and Improvements
Business Continuity Management
  14.1 Information Security Aspects of Business Continuity Management
Compliance
  15.1 Compliance with Legal Requirements
  15.2 Compliance with Security Policies and Standards, and Technical Compliance
  15.3 Information System Audit Considerations
A.4 BUSINESS CONTINUITY / DISASTER RECOVERY
A.4.1 BS 25999
Continued operation in the event of a disruption, whether due to a major disaster or
a minor incident, is a fundamental requirement for any organisation. BS 25999, the
world's first British standard for business continuity management (BCM), has been
developed to help organisations minimise the risk of such disruptions.
By helping to put the fundamentals of a BCM system in place, the standard is
designed to keep a company’s business going during the most challenging and
unexpected circumstances – protecting its staff, preserving its reputation and
providing the ability to continue to operate and trade.
BS 25999 has been developed by a broad-based group of world-class experts
representing a cross-section of industry sectors and government to establish the
process, principles and terminology of Business Continuity Management.
BS 25999 is suitable for any organisation, large or small, from any sector. It is
particularly relevant for organisations which operate in high risk environments such as
finance, telecommunications, transport and the public sector, where the ability to
continue operating is paramount for the organisation itself and its customers and
stakeholders.
BS 25999 comprises two parts:
BS 25999-1:2006 Part 1, the Code of Practice, provides BCM best practice
recommendations. Please note that this is a guidance document only.
BS 25999-2:2007 Part 2, the Specification, provides the requirements for a
Business Continuity Management System (BCMS) based on BCM best practice.
This is the part of the standard that can be used to demonstrate compliance via
an auditing and certification process.
The contents of the Code of Practice are as follows:
Section 1 - Scope and Applicability. This section defines the scope of the standard,
making clear that it describes generic best practice that should be tailored to the
organisation implementing it.
Section 2 - Terms and Definitions. This section describes the terminology and
definitions used within the body of the standard.
Section 3 - Overview of Business Continuity Management. A short overview of the
subject of the standard. It is not meant to be a beginner's guide, but describes the
overall process, its relationship with risk management, and the reasons for an
organisation to implement it, along with the benefits.
Section 4 - The Business Continuity Management Policy. Central to the
implementation of business continuity is having a clear, unambiguous and
appropriately resourced policy.
Section 5 - BCM Programme Management. Programme management is at the heart of the
whole BCM process and the standard defines an approach.
Section 6 - Understanding the Organisation. In order to apply appropriate business
continuity strategies and tactics, the organisation has to be fully understood: its critical
activities, resources, duties, obligations, threats, risks and overall risk appetite.
Section 7 - Determining BCM Strategies. Once the organisation is thoroughly
understood, appropriate overall business continuity strategies can be defined.
Section 8 - Developing and Implementing a BCM Response. The tactical means by
which business continuity is delivered. These include incident management
structures, incident management plans and business continuity plans.
Section 9 - Exercising, Maintenance, Audit and Self-Assessment of the BCM Culture.
Without testing the BCM response, an organisation cannot be certain that it will
meet its requirements. Exercise, maintenance and review processes enable the
business continuity capability to continue to meet the organisation's goals.
Section 10 - Embedding BCM into the Organisation's Culture. Business continuity
should not exist in a vacuum but should become part of the way that the organisation is
managed.
The contents of the Specification (BS 25999-2) are as follows:
Section 1 - Scope. Defines the scope of the standard, the requirements for
implementing and operating a documented business continuity management system
(BCMS)
Section 2 - Terms and Definitions. This section describes the terminology and
definitions used within the body of the standard
Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of
the standard is predicated on the well-established Plan-Do-Check-Act model of
continuous improvement. The first step is to plan the BCMS, establishing and
embedding it within the organisation.
Section 4 - Implementing and Operating the BCMS (DO). Actually implementing one's
plans. This section includes a number of topics that are also found in Part 1, although Part
1 should only be used for general guidance and information. Only what is in Part 2
can be assessed.
Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS
is continually monitored, the Check stage covers internal audit and management
review of the BCMS.
Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is
both maintained and improved on an ongoing basis, this section looks at preventive
and corrective action.
A.4.2 ISO/IEC 24762
ISO/IEC 24762 is aimed at aiding the operation of an Information Security
Management System (ISMS) by providing guidance on the provision of Information
and Communications Technology Disaster Recovery (ICT DR) services as part of
business continuity management.
Information security management is the process by which management aims to
achieve effective confidentiality, integrity and availability of information and service.
When an organisation implements an ISMS the risks of interruptions to business
activities for any reason should always be identified. ISO/IEC 27001 and ISO/IEC
27002 include a control objective for information security aspects of business
continuity management (refer to Control Objective 14.1 in ISO/IEC 27002:2005), the
implementation of which will reduce those risks. That control objective is supported by
controls to be selected and implemented as part of the ISMS process. Business
continuity management is an integral part of a holistic risk management process that
safeguards the interests of an organisation’s key stakeholders, reputation, brand and
value creating activities through:
identifying potential threats that may cause adverse impacts on an organisation's
business operations, and the associated risks;
providing a framework for building resilience for business operations;
providing capabilities, facilities, processes, action task lists, etc., for effective
responses to disasters and failures.
In planning for business continuity, the fallback arrangements for information
processing and communication facilities become beneficial during periods of minor
outages and essential for ensuring information and service availability during a
disaster or failure for the (complete) recovery of activities over a period of time. Such
fallback arrangements may include arrangements with third parties in the form of
reciprocal agreements, or commercial subscription services.
A.4.2.1 ISO/IEC 24762 CONTROLS
The standard lists specific requirements for ICT DR service providers to continuously
improve their ICT DR services.
ISO/IEC 24762 Controls (clause, section and control objective)

ICT Disaster Recovery
  5.1 General
  5.2 Environmental stability
  5.3 Asset management
  5.4 Proximity of site
  5.5 Vendor management
  5.6 Outsourcing arrangements
  5.7 Information security
  5.8 Activation and deactivation of disaster recovery plan
  5.9 Training and education
  5.10 Testing and ICT systems
  5.11 Business continuity for ICT DR service providers
  5.12 Documentation and periodic review
ICT Disaster Recovery Facilities
  6.1 General
  6.2 Location of recovery sites
  6.3 Physical access controls
  6.4 Physical security controls
  6.5 Dedicated areas
  6.6 Environmental controls
  6.7 Telecommunications
  6.8 Power supply
  6.9 Cable management
  6.10 Fire protection
  6.11 Emergency Operations Centre (EOC)
  6.12 Restricted facilities
  6.13 Non-recovery amenities
  6.14 Physical facilities and support equipment life cycle
  6.15 Testing
Outsourced Service Provider's Capability
  7.1 General
  7.2 Review organisation disaster recovery status
  7.3 Facilities requirements
  7.4 Expertise
  7.5 Logical access control
  7.6 ICT equipment and operation readiness
  7.7 Simultaneous recovery support
  7.8 Levels of service
  7.9 Types of service
  7.10 Proximity of service
  7.11 Subscription ratio for shared services
  7.12 Activation of subscribed services
  7.13 Organisation testing
  7.14 Changes in capability
  7.15 Emergency response plan
  7.16 Self-assessment
Selection of Recovery Sites
  8.1 General
  8.2 Infrastructure
  8.3 Skilled manpower and support
  8.4 Critical mass of vendors and suppliers
  8.5 Local service providers' track records
  8.6 Proactive local support
Continuous Improvement
  9.1 General
  9.2 ICT DR trends
  9.3 Performance measurements
  9.4 Scalability
  9.5 Risk mitigation
A.5 MINIMUM IT GENERAL CONTROLS
A.5.1 AIM
Accounting officers, with the support of ICT professionals, ensure that their
institutions use and maintain information systems that are appropriate to facilitate
the preparation of accurate financial statements.
Good governance of the business therefore must include IT governance, a fact
which is recognised in the King III report.
In terms of information system risks, the Auditor-General of South Africa's audits focus on the
following areas:
1. IT Governance
2. Security Management
3. User / Account Access Controls
4. Programme Change Management
5. Data Centre Management
6. Facilities and Environmental Controls
7. IT Service Continuity
A.5.2 IT GOVERNANCE
An IT Governance framework has been adopted. The framework should give due
considerations to IT risks, adequate processes and controls to ensure IT value
and improved service delivery.
An IT strategic plan that supports business requirements and ensures that IT
spending remains in line with the approved organization strategy is in place.
An organization structure, indicating roles and responsibilities to ensure that IT
investments are aligned and delivered in accordance with enterprise strategies
and objectives, is in place.
Comprehensive IT risk assessments to identify emerging risks are performed and
risks are recorded in a risk register.
Responsibilities for information security have been delegated to a dedicated
information security officer, independent of the system administrator.
The relationship with suppliers is managed through signed service level
agreements (SLAs) to ensure the quality thereof.
IT service performance is periodically reviewed against targets. Analysis of the
cause of any deviations and initiation of remedial action to address the underlying
causes is performed promptly.
A project management framework that defines the scope and boundaries of
managing IT projects, as well as the method to be adopted and applied to each
project undertaken, is in place.
Internal auditors that evaluate internal controls in the IT environment need to be
technically competent.
A5.3 SECURITY MANAGEMENT
IT Security policies and procedures for the administration of security measures
over the network, operating system and application systems are designed and
implemented. These need to be enforced and updated on a regular basis.
IT security awareness initiatives and campaigns are carried out.
Evidence that IT security is managed at the highest appropriate organizational
level is maintained.
Strong password controls to authenticate system access are implemented.
Firewalls and routers are configured correctly within the network environment to
ensure optimal protection against unauthorised access.
Patch management processes to prevent exploitation of vulnerabilities are
implemented.
Antivirus software is implemented across the organisation to protect
information systems and technology from malware.
System configurations need to ensure that security vulnerabilities and incidents
are detected, monitored, reported and resolved on a regular basis.
Activities within the system network, including databases, are tracked using audit
trails and reviewed on a regular basis by someone independent of administration
functions and in a senior position.
A5.4 USER / ACCOUNT ACCESS CONTROL
Formally documented and approved user account management standards and
procedures are in place.
Formal access request documentation for registering users, changing of access
rights, password resets and termination of access rights is completed and
approved by management.
The number of users with administrator privileges that can perform all functions
pertaining to user account management is minimised.
Activities of system administrators are monitored by an independent person, in a
senior position.
Periodic reviews of employee access rights and privileges are performed to ensure
they are in line with their job responsibilities.
A5.5 PROGRAM CHANGE MANAGEMENT
Formal documented and approved program change control policies and
procedures are established and implemented.
Programmers do not have access to the production environments. Where
programmers have been granted access, this access is monitored.
Formal change request documentation is completed for all program changes and
approved by management.
Formal user acceptance testing is done on all changes before migration to the
production environment.
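The access-rights review in A5.4 and the monitoring of programmer access to production in A5.5 are the two controls most often tested by comparing three records against each other: the HR roster, the list of accounts on each system, and the production audit trail. The following is an added example, written for this guide and not part of the original document or of any municipality's tooling, that performs both checks over constructed sample data. It assumes a naming convention in which system names ending in "-prod" are production systems, an HR role named "developer" for programming staff, and a simple "key=value" audit-log format; all user IDs, systems and log lines are constructed.

```python
"""Access-rights review (A5.4) and production-access monitoring (A5.5).

Added example with constructed data; the roster, accounts, system names
and log format are assumptions, not taken from the guideline.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str        # constructed roles: "developer", "dba", "clerk"
    status: str      # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str      # assumed convention: names ending in "-prod" are production
    privileges: frozenset
    last_reviewed: date


# Constructed sample data (none of it comes from the guideline).
HR_ROSTER = [
    Employee("clerk01", "clerk", "active"),
    Employee("dev01", "developer", "active"),
    Employee("dba01", "dba", "active"),
    Employee("dev02", "developer", "terminated"),
]

ACCOUNTS = [
    Account("clerk01", "finance-prod", frozenset({"read"}), date(2012, 5, 2)),
    Account("dev01", "finance-test", frozenset({"admin"}), date(2012, 5, 2)),
    Account("dev01", "finance-prod", frozenset({"write"}), date(2012, 5, 2)),   # developer on production
    Account("dba01", "finance-prod", frozenset({"admin"}), date(2012, 1, 10)),  # review overdue
    Account("dev02", "finance-prod", frozenset({"admin"}), date(2012, 5, 2)),   # terminated employee
    Account("svc-legacy", "finance-prod", frozenset({"admin"}), date(2012, 5, 2)),  # no HR record
]

PROD_ACCESS_LOG = [  # constructed audit-trail lines in an assumed key=value format
    "2012-06-19T08:02:11 system=finance-prod user=dba01 action=PATCH object=db-engine",
    "2012-06-19T09:15:40 system=finance-prod user=dev01 action=DEPLOY object=payroll.jar",
    "2012-06-19T10:01:05 system=finance-prod user=dev02 action=LOGIN object=console",
    "2012-06-19T10:30:00 system=finance-test user=dev01 action=DEPLOY object=payroll.jar",
]


def review_access(roster, accounts, today, review_due_days=90):
    """Return (finding, user_id, system) tuples for the periodic A5.4 review."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append(("ORPHAN_ACCOUNT", acct.user_id, acct.system))
        elif emp.status == "terminated":
            findings.append(("TERMINATED_USER_ACTIVE", acct.user_id, acct.system))
        elif emp.role == "developer" and acct.system.endswith("-prod"):
            findings.append(("DEVELOPER_PROD_ACCESS", acct.user_id, acct.system))
        if (today - acct.last_reviewed).days > review_due_days:
            findings.append(("REVIEW_OVERDUE", acct.user_id, acct.system))
    return findings


def admin_accounts(accounts):
    """Accounts holding the admin privilege; the control asks that this set be minimised."""
    return sorted((a.user_id, a.system) for a in accounts if "admin" in a.privileges)


def parse_log_line(line):
    """Parse one constructed audit-trail line into a dict with a datetime 'time' field."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def monitor_production_activity(log_lines, roster):
    """Flag production actions by developers (A5.5) or by unknown/non-active users."""
    by_id = {e.user_id: e for e in roster}
    alerts = []
    for record in map(parse_log_line, log_lines):
        if not record["system"].endswith("-prod"):
            continue  # test-environment activity is outside this control
        emp = by_id.get(record["user"])
        if emp is None or emp.status != "active":
            alerts.append(("INACTIVE_OR_UNKNOWN_USER", record["user"], record["action"]))
        elif emp.role == "developer":
            alerts.append(("DEVELOPER_ACTION_ON_PROD", record["user"], record["action"]))
    return alerts


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, date(2012, 6, 19)):
        print(finding)
    print("admin accounts:", admin_accounts(ACCOUNTS))
    for alert in monitor_production_activity(PROD_ACCESS_LOG, HR_ROSTER):
        print(alert)
```

The review is deliberately driven by the HR roster rather than by the account list, so an account with no HR record surfaces as a finding instead of being silently skipped; the admin list is reported separately because the control requires the number of administrators to be minimised rather than reduced to a fixed threshold. The log monitor ignores the developer's deployment to the test system, which the guideline permits, and flags the same action on production.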
A5.6 DATA CENTRE MANAGEMENT
Changes to database management software are controlled.
Access to system software is restricted to personnel with corresponding job
responsibilities by access control software.
Installation of all system software is logged to establish an audit trail and
reviewed by management.
Hardware equipment changes/maintenance and testing are scheduled to
minimize the impact on operations and users.
A5.7 FACILITIES AND ENVIRONMENTAL CONTROLS
Physical access to sensitive areas (e.g. computer room, operations, printing
rooms, storage rooms, UPS/generators, network rooms, tape library, offsite
backup storage facility) is controlled.
Environmental controls within data centres/computer rooms (e.g. water and
smoke detectors, fire suppression system, fire extinguishers, air conditioning
systems) are adequately implemented and tested periodically.
A5.8 IT SERVICE CONTINUITY
The IT continuity and disaster recovery plans have been incorporated into the
organizational business continuity plan.
The IT continuity plan and DRP has been distributed, updated and tested and is
also stored at an offsite location.
An IT backup and retention strategy has been implemented.
Backup procedures for data and programs exist and are performed according to
above strategy.
Backups are stored in a secure offsite storage facility.
Physical access and environmental controls over the offsite storage facility are
implemented.
A6 TYPICAL STRUCTURE OF AN ICT ORGANISATION
The diagram below (an organisation chart, rendered here as text) shows a typical IT organisational structure:
Chief Information Officer: IT Strategy; Policies & Standards; Portfolio Management; Security & Compliance
Human Resources, Finance, Operations (business unit managers): Assigned to business areas; Manage business portfolio and budget; Close to the business
Vendor Management, Architecture, Security, Project Office: Technology Direction; Project Management; Supplier Management
Application Development, Help Desk, Data Centre Operations, Data/Voice Network: Implementation; Operations; Maintenance
Based on the above, suggested roles and responsibilities could be derived as follows:
The Chief Information Officer - The CIO is the top person in charge of the IT
Organisation, and typically reports into the Municipal Manager. The CIO is responsible for
the overall budget, prioritising IT projects within the municipality, managing the overall IT
portfolio, and enforcing all policies and standards within the IT organisation.
Business Unit Managers – BU Managers represent business roles that report into IT,
but have a dotted line into various business units within the municipality. The job of the business
unit manager is to be the eyes and ears of IT with the business: gathering requirements,
prioritising projects, building business cases, and kicking off and overseeing projects from
a business perspective.
Project Management Office - The PMO is the organisation inside of IT responsible for
ensuring projects come in on time and on budget. Through good process and
enforcement of policies, a strong PMO is critical to the success of any IT organisation.
Vendor Management - Because IT could potentially be a large budget line item for any
municipality, and because the contracts can be very large, it is advisable to put an IT
Vendor Management process in place that works very closely with procurement.
Architecture and Security - Architecture and Security is the technical group inside of IT
that figures out “how” projects will be delivered technically.
Implementation Resources - Implementation Resources are the individuals who actually
put together/support the IT systems. They are made up of helpdesk resources,
application developers, infrastructure resources (e.g. System Administrators, Database
Administrators, etc.), and individuals who maintain the data and voice networks.
A7 SUGGESTED TRAINING CURRICULUM
The following training focus areas should be considered:
A7.1 KING III CORPORATE CODE OF GOVERNANCE
ICT governance is not an isolated discipline but it is an integral part of overall
corporate governance.
King III Foundation training will assist staff to understand and articulate the
difference between Corporate Governance and ICT Governance and how the
principles of good governance should apply equally to information and information
technology resources. While it will be of value to be familiar with the Code in its
entirety, it is strongly suggested that at least those areas within the Code that deal
specifically with ICT governance (Chapter 5) should be understood. The chapter
deals with the following areas:
The effective and efficient management of ICT resources to facilitate the
achievement of corporate objectives
The ‘apply or explain’ basis of the Code
ICT governance as an integral part of overall corporate governance.
After the course, every student should have an understanding of:
The 7 principles and 24 practices that companies must apply for better
governance of information technology
How to apply these principles and practices to establish an ICT Governance
Charter, ICT Governance Framework, ICT Policies, Accountability Framework,
Risk Management Plan and an ICT Controls Framework
A7.2 CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY
Control Objectives for Information and related Technology (CobiT®) provides good
practices across a domain and process framework and presents activities in a
manageable and logical structure. CobiT Foundation training will assist staff to
understand and articulate the risks and benefits of ICT, and to find ways to deal with
the following areas:
The principles of ICT Governance
Using CobiT as an ICT Governance Framework
How ICT governance resolves management issues
Understand ICT resources and information criteria
Understand how business goals drive ICT goals and ICT processes.
Understand how CobiT aligns with other standards and frameworks
After the course, every student should:
Understand ICT governance process theory and the business expectations of
what ICT has to deliver
Understand ICT governance control audit requirements
Understand how to conduct a situational assessment of ICT's maturity and
measure ICT's performance
Understand the relevance of CobiT as an ICT control framework, the high level
principles of CobiT, as well as a practical approach to implementing the
management guidelines
Provide a perspective of the complementary roles that CobiT, ITIL and ISO 27000
play in establishing a comprehensive ICT governance framework.
A7.3 SERVICE MANAGEMENT
Although the current IT Infrastructure Library (ITIL) is version 3, all the core
processes of version 2 have been retained, albeit in a different category. The ISO
20000 certification standard is also largely based on ITIL V2. ITIL version 2 defined
service management best practices as 10 core processes divided into two major
functional areas: Service Support and Service Delivery. Within each of the 10 core
areas is a series of activities designed to help ICT not only manage and maintain
current demands for service, but also react quickly to change as the nature of ICT-
dependency evolves.
The “Service Support” area comprises Service Desk Management and the five processes
of Incident Management, Problem Management, Configuration Management, Change
Management and Release Management.
The five “Service Delivery” processes are Capacity Management, Availability
Management, Service Level Management, IT Service Continuity Management and Financial
Management for IT Services.
After the course, every student should have established:
Knowledge of the concepts of each ITIL management process
Global insight into the relationships between the ITIL management processes and
the added value of the ICT services and the purpose of the total organisation
Global insight into the organisation and change aspects related to the
implementation of the ITIL management processes
Global insight into the power relations, resistance, interest, unclear organisation
strategies and structures during the implementation of the ITIL management
processes
A clear enough understanding of how Service Management integrates with other
best practices such as ISO 27000 and CobiT to lay the foundation for improved
ICT service delivery.
A7.4 SECURITY MANAGEMENT
Security Management Foundation training will assist staff to understand the basic
components of Information Security and how a management framework can assist in
managing and mitigating security risks.
ISO 27000 Foundation training will assist staff to understand and articulate the
following areas:
Information Security alignment with business objectives
Information Security alignment with ICT architecture
Information Security Risk Assessments
Information Security Strategy
Information Security policies, and processes
Information Security Standards implementation matrix
After the course, every student should have established:
Knowledge of the concepts of each ISO 27002 control clause
Global insight into the relationships between the Security Management processes
and how they support the purpose of the total organisation
Global insight into the organisation and change aspects related to the
implementation of the Information Security Framework
Global insight into the relations, resistance, interest, organisation strategies and
structures during the implementation of Information Security Management
processes
A clear enough understanding of how Security Management integrates with other
best practices such as ITIL and CobiT to lay the foundation for improved ICT service
delivery.
A7.5 BUSINESS CONTINUITY
BS 25999 provides a basis for understanding, developing and implementing business
continuity within an organisation and gives confidence in business-to-business and
business-to-customer dealings. It also contains a comprehensive set of requirements
based on BCM best practice and covers the whole BCM lifecycle.
BS 25999 Foundation training will assist staff to understand and articulate the
following areas:
The Business Continuity Management policy and strategy
BCM program management
Developing and implementing a BCM response
Exercising, maintenance, audit and self-assessment of the BCM culture
Embedding BCM into the organisation’s culture
After the course, every student should have an understanding of:
Fundamentals of Business Continuity Management
The importance of understanding the organisation
The importance of identifying business critical processes and the impact of non-availability
A7.8 DISASTER RECOVERY
ISO 24762 provides a basis for understanding, developing and implementing disaster
recovery plans. ISO 24762 Foundation training will assist staff to understand and
articulate the following areas:
Disaster recovery facilities
Outsourced Service Provider capabilities
Disaster recovery sites
Continuous improvement
After the course, every student should have an understanding of:
Fundamentals of Disaster Recovery Management
How Disaster Recovery fits in as a sub set of Business Continuity
The importance of understanding the organisation
The importance of ICT applications and systems that support business critical
processes and the impact of non-availability
ADDENDUM B – SELF ASSESSMENT
A formal program to review ICT Governance maturity for municipalities should be in place. The foundation of the ICT Governance maturity evaluation
and ratings is the metrics established for each of the categories as outlined below. ICT Governance should be evaluated against these criteria on (at
least) an annual basis.
Note: All sections denoted by ** are questions compiled by the Auditor General, and are used during normal IT internal audits
Legend:
Comprehensive in content and effective in supporting ICT Governance goals and objectives
Containing most of the information necessary to support the desired ICT Governance goals and objectives. Gaps have been
identified and improvements are recommended
Incomplete and/or ineffective ICT Governance information. Significant gaps have been identified and improvements are
recommended.
Self-Assessment for ICT Governance
Business IT Alignment (BITA)
Define a strategic ICT plan Rating
Has Executive Management ensured that an ICT internal control framework, including an ICT Strategy and policies is adopted and
implemented?
Are the business and ICT strategies integrated, clearly linking enterprise goals and IT goals and recognising opportunities as well as
current capability limitations?
Has the ICT strategic plan defined, in co-operation with the relevant stakeholders, how ICT will contribute to the enterprise’s strategic
objectives (goals) and related costs and risks?
Has a technology direction plan been established which is appropriate to realise the ICT strategy and the business systems
architecture requirements?
Is there an established financial framework for ICT that drives budgeting and cost/benefit analysis, based on investment, service and
asset portfolios?
Is there an established process to prepare and manage a budget reflecting the priorities of ICT-enabled investment programs,
including the ongoing costs of operating and maintaining the current infrastructure?
RACI Matrix (Responsible, Accountable, Consulted, and Informed)
Responsibility of the Municipal Manager’s Office (Executive Management) Rating
Does the Municipal Manager assume responsibility for the Governance of ICT and place it on the Executive Management agenda?
Did the Municipal Manager appoint an ICT steering committee of similar function to assist with its governance of ICT?
Delegation of authority Rating
Did the Municipal Manager appoint a Chief Information Officer responsible for the management of ICT?
Roles and responsibilities Rating
Have roles and responsibilities for all ICT functions been defined and implemented?
Are staff of the ICT function trained in accordance with the defined training and implementation plan and associated materials, as part
of every information systems development, implementation or modification project?
Communication Rating
Are the business and ICT strategies communicated to all concerned?
Application Management
Identify automated solutions Rating
Is there an identified, prioritised and agreed business, functional and technical requirement covering the full scope of all initiatives
required by the municipality to achieve the expected outcomes of the ICT-enabled investment program?
Acquire and maintain software solutions Rating
Is there an effective process to translate business requirements into high-level design specifications for software development,
taking into account the municipality’s technological direction and information architecture?
** Is there an IT acquisition policy?
** Is there a documented IT acquisition process / procedures?
Procure IT resources Rating
Has the municipality developed and followed procedures and standards that are consistent with the municipality’s overall procurement
process and acquisition strategy to ensure that the acquisition of ICT-related infrastructure, facilities, hardware, software and services
satisfies business requirements?
Data Management
Manage data Rating
Is there a process that ensures that source documents expected from the business are received?
Are there procedures for data storage and archival, to ensure that data remain accessible and usable?
Are there procedures to maintain an inventory of onsite media and ensure its usability and integrity?
Are there procedures to prevent access to sensitive data and software from equipment or media when it is disposed of or transferred
to another use?
Are there procedures for backup and restoration of systems, data and documentation in line with business requirements and
continuity plans?
Are there arrangements to identify and apply security requirements applicable to the receipt, processing, physical storage and output
of data and sensitive messages?
System Software and Maintenance
Operating system, Security & Database Software Rating
** Are there maintenance procedures for all system software?
** Is there a maintenance schedule for all system software?
** Is there a formally documented and approved system software change control procedure?
** Are all system software changes tested in a separate test environment before migration to production?
** Do programmers have access to the test and production environments? If packaged system, does the vendor have access to the
production environment?
** If programmers / vendors have access to the test and production environments, is this access being monitored by an independent
person on a regular basis to ensure that only authorised changes are being made?
** Are the programmers separated from the system operators?
** Are all system software changes formally approved before migration to production?
** Can a previous version of the system software be restored, if necessary?
** Are all program changes approved by user management before migration to the production environment?
** Are all program changes being migrated to the production environment by an independent person (not the programming staff)?
Access Control
Physical Access Rating
** Are there policies which cover physical access to IT environments?
** Is access to sensitive areas by authorised visitors (including technical support staff, engineers, and cleaners) supervised?
** Is physical access outside normal working hours controlled?
** Are formal authorisation requests forms completed for access to sensitive areas?
** Does the controller of the access control system periodically review whether employees’ current access on the system is
commensurate with their job responsibilities?
Environmental Access Rating
** Are there policies which cover environmental controls, e.g. eating/drinking/smoking in computer rooms, flammable materials in
computer rooms, etc.?
** Is there a formal, documented and tested emergency evacuation plan in place?
Process Management
Manage changes Rating
Is there a formal change management procedure to handle all requests (including maintenance and patches) for changes to
applications, procedures, processes, system and service parameters, and the underlying platforms?
Is there a process for defining, raising, assessing and authorising emergency changes that do not follow the established change
process?
Define and manage service levels Rating
Is there a defined framework that provides a formalised service level management process between the customer and service
provider?
Are service level agreements for all critical ICT services defined, agreed and based on customer requirements and ICT capabilities?
Are the specified service level performance criteria continuously monitored?
Ensure continuous service Rating
Is there a framework for ICT continuity, (disaster recovery) to support enterprise wide business continuity management with a
consistent process?
Is the ICT continuity plan tested on a regular basis to ensure that ICT systems can be effectively recovered?
** Has adequate training been provided to identified key personnel?
Effective asset management Rating
Does the Municipal Manager’s Office ensure that all personal information is treated by the municipality as an important business
asset and is identified?
Does the Municipal Manager’s Office approve the information security strategy and delegate and empower management to
implement the strategy?
Ensure Operating System, Network, Database and Security Rating
Is ICT security managed at the highest appropriate organisational level so the management of security actions is in line with business
requirements?
Are processes in place to ensure that security techniques and related management procedures (e.g., firewalls, security appliances,
network segmentation and intrusion detection) are used to organise access and control information flows from and to networks?
** Is a patch management process in place to ensure up-to-date security patches across the entity?
** Are there operating system (server) security baseline policies/procedures?
** Is the ability to make modifications to overall system security parameters limited to appropriate staff and are these functions dealt
with in their job descriptions?
** Is the security administrator notified of employees who have changed roles and responsibilities, transferred, or been terminated,
so that the access privileges of such employees are immediately changed to reflect their new status?
** Are there policies/procedures for security techniques (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access
and control information flows from and to networks?
** Are there database security related policies?
** Do programmers have access to the database?
Operate Networks Rating
** Are there policies /procedures related to the operations of the network?
** Are the network lines and devices being monitored for the performance of and faults on the network (e.g. network bandwidth/
capacity exist for the effective functioning and availability of the network)?
** Is there a maintenance schedule for the network devices? (e.g. firewalls, routers, hub, switches, gateways)
Manage service desk and incidents Rating
Is there an established service desk function to register, communicate, dispatch and analyse all calls, reported incidents, service
requests and information demands?
Are reports produced for service desk activity to enable management to measure service performance and service response times
and to identify trends or recurring problems, so service can be continually improved?
Manage the configuration Rating
Is there an established central repository (database) that contains all relevant information on configuration items?
Is there a process to review and verify on a regular basis, using, where necessary, appropriate tools, the status of configuration items
to confirm the integrity of the current and historical configuration data and to compare against the actual situation?
Risk Management
ICT as an integral part of the municipality’s risk management Rating
Does management regularly demonstrate to the Municipal Manager’s Office that the municipality has adequate business resilience
arrangements in place for disaster recovery?
Risk and audit committee assistance to the Municipal Manager’s Office Rating
Does the Risk Committee ensure that ICT risks are adequately addressed?
Assess and manage ICT risk Rating
Are events identified (threats and vulnerabilities) that have a potential impact on the goals or operations of the enterprise, including
business, regulatory, legal, technology, trading partner, human resources and operational aspects?
Is a risk assessment undertaken on a regular basis to assess the likelihood and impact of all identified risks, using qualitative and
quantitative methods?
** Is there an IT risk and control framework adopted for the entity to respond to the IT risks?
** Have IT Risk/Control Assessments been performed?
** Does an IT Risk Register exist for the monitoring of IT risks identified?
IT Metrics
Monitor and evaluate ICT performance Rating
Between ICT and the business, is there a balanced set of performance objectives, measures, targets and benchmarks defined?
Are there periodic reviews of performance against targets?
Are management reports reviewed by senior management for organisational progress toward identified goals, specifically in terms
of the performance of ICT-enabled investment programs, service levels of individual programs and ICT’s contribution to that
performance?
** Is system performance being monitored and reported to management?
** Is there a capacity plan for the applications and infrastructure?
Ensure regulatory requirements Rating
Is there a process to ensure timely identification of local and international legal, contractual, and regulatory requirements related to
information, information service delivery, (including third-party services), the ICT organisation, processes and infrastructure?
Is there a process to review and optimise ICT policies, standards and procedures to ensure that legal and regulatory requirements
are covered efficiently?
Has the Municipal Manager’s Office ensured that the municipality complies with ICT laws and that ICT related rules, codes and
standards are considered?