No 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W...

Post on 27-Mar-2015


no 1

IT Governance

– how to get the right and secured IT services

Bjorn Undall and Bengt E W Andersson

The Swedish National Audit Office

Oman

2007-03-03

no 2

How to become excellent IT users and, at the same time, how to guarantee security in the use of information and IT services?

Experiences and conclusions from 15 IT audit projects during 2002 - 2007


no 3

The Cabinet expresses:

• A strong need for government agencies to become excellent IT users. One important area is the development of electronic government services (e-services).

• A strong need for secure IT services (the protection of the confidentiality, integrity, availability and traceability of data, and also the protection of the IT systems themselves).

no 4

The essential components of an efficient INVIT (IT investment) process:

• Identify and develop the investment proposal

• Assess the investment proposal

• Select and approve

• Manage the implementation

• Knowledge management

• Develop and maintain the INVIT processes

no 5

Develop proposals. The agencies:

• did not elicit good ideas as to how their operations could be developed using IT,

• had difficulties in making business development strategies sufficiently specific to support change proposals,

• rarely undertook systematic reviews of their business activities.

no 6

Assess proposals:

• The investment ideas did not link in well enough to the agencies' operational strategies, which increased the risk of the ideas not leading to the business benefits sought by each agency.

• Proposals setting out the comparative costs, risks and effects of alternative approaches were not adequately dealt with, nor were proposals clearly linked to other IT investment and development projects.

no 7

Select proposals for implementation:

• Investment decisions were not always based on clear descriptions of a proposal's expected business benefits and implementation risks.

• Decision-makers were therefore prevented from obtaining a clear and comprehensive understanding of an investment proposal.

no 8

Manage/control implementation:

• Governance of the IT projects was exercised at too low a management level.

• IT projects were also inadequately integrated into other development projects and into the evolution of the environments in which the IT systems were intended to operate or which they were intended to support.

no 9

Manage/control implementation (continued):

• Shortcomings in changing working methods and in staff and organisation development.

• The management and control of individual business projects was geared more to reacting to problems as they arose than to systematic risk assessment.

• Well-established methods and models for managing and undertaking development work were not used consistently.

no 10

Knowledge management:

• Experiences and knowledge of the different components of the INVIT process were not utilised in a systematic way. This is an area for improvement.

• It was difficult to obtain an overview of the knowledge that existed, and to gain access to it when it was needed.

no 11

Create and maintain the INVIT process:

• The agencies, despite their large experience of IT investment, had considerable shortcomings in their direction and governance of investment processes.

• Only one of the agencies had developed some procedures for using experiences from investment projects already carried out.

no 12

Initially we thought that the five chosen agencies were rather good at IT governance. The audit showed that, even though they were very experienced IT users and heavily dependent on IT, there were some serious obstacles. To sum up, there was a large potential for development of the entire IT investment process.

no 13

Auditing the development of electronic government

In the years 2002 – 2003: How well are government web sites adapted to the needs and prerequisites of the individual user?

In the years 2003 – 2004: How effective is the direction of the Cabinet in transforming the public government into an electronic government?

no 14

• 2002. The agencies' websites and the e‑services offered did not promote an efficient dialogue, and also failed to meet certain accessibility requirements.

• 2004. Government agencies had difficulty in developing good e‑services.

• 2004. A great risk of deficiencies in electronic communication.

• 2004. Problems in producing good e‑services based on inter-agency collaboration.

no 15

• 2004. The Cabinet's direction was very limited as regards the types of e‑services to which the agencies should give priority.

• The Cabinet had chosen to direct the development of the support provided to public administration.

• The Cabinet's follow-up was inadequately developed.

• The Cabinet's reports to the Swedish Parliament contained no information about the effects of the e‑government efforts.

• The Cabinet has constantly maintained that Sweden is well to the fore internationally.

no 16

Information Security audits

no 17

What is Information Security Management (ISM)? Protecting information assets by:

• protecting them against manipulation and destruction,

• preserving availability,

• preserving confidentiality,

• and preserving the audit trail.

no 18

Our choice

The two avenues:

1. Substantive audit of actual security

2. Internal control: ISM

no 19

What do we want to establish?

• Whether internal control of information security work is carried out according to the material parts of ISO 17799 (since renumbered ISO/IEC 27002) plus Swedish regulations. Focus: management.

no 20

• Whether the government is taking responsibility for its agencies' information security.

no 21

Reports

• To the auditees: 10 individual reports on the problems found and suggested remedies.

• To the Cabinet and Parliament: is there sufficient control, support and guidance for the agencies?

• Our annual report 2007.

no 22

Some results

• Important parts of the ISMS were missing or defective: the control environment (leadership attitudes, information security objectives), risk analysis (methods, responsibilities, comprehensiveness), reporting upwards, follow-up, information security education, etc.

no 23

More results

• Priority was given to technical measures rather than to attitudes, skills and behaviour.

• Leadership interest, attitudes and competence as to ISM were lacking.

no 24

Leadership's role in ISM

• What it isn't: being held hostage to technical decisions.

• Formulate security requirements coupled to the agency's goals.

• Define the agency's appetite for risk.

• Check the residual risk.

no 25

More on the role

• Decide on reporting routines to management.

• Decide on resources for information security.

• Check how they are used: relate cost to the age structure of the IT systems, etc.

no 26

• Conclusion: the ISMS does not, in most cases, form a comprehensive system (follow-up, reporting, responsibilities).

no 27

More conclusions

• Conclusion: tools for leadership are missing, making it hard for top management to lead information security work.

• Conclusion: the potential of investment in information security is not well exploited. The amount of resources invested and the costs are not even known!

no 28

Key lessons and conclusions

We chose agencies that are heavily dependent on IT and that have many years of experience in governing the use of IT.

Still, there is a significant lack of capability in leadership at all levels.

There is an urgent need for stronger IT governance at both top management and Cabinet level, to ensure that the right IT services are conceived, developed and implemented, and that these services meet all important requirements of information security.

This is extremely important in the transition to electronic government.