
Unclassified

Page 1 of 19

Government of Malta Reference: GMICT X 0004-1:2012 Version: 6.0

Effective: 6 December 2012

ICT Governance Framework

This document is part of the GMICT Policy Framework

http://ictpolicies.gov.mt

Underlined terms are defined in the Vocabulary.

Purpose

This document focuses on a set of principles, processes and stakeholders related to the ICT Policy Management Lifecycle for the Government of Malta, that is, the compilation, authorisation, publication, ongoing monitoring and review of GMICT Policy. This is an integral part of a wider ICT governance framework for the Government of Malta, components of which are interrelated with this area but are seen to be focused upon separately, and possibly included in forthcoming versions of this document.

Scope and Applicability

This document focuses on the Government of Malta ICT policy management lifecycle, as part of a wider ICT Governance framework which is also defined in this document.

1. Corporate Governance - The Wider Context

Ziolkowski (2005) defines corporate governance as dealing with a ‘whole host of issues surrounding and emanating from the requirement of management to ensure that an organisation or organisational unit is efficient and effective in carrying out its proper functions’.

The need for corporate governance has been gaining ground over the past few years. Following the Enron and Worldcom scandals in the US and the Parmalat and Royal Dutch/Shell scandals in Europe, the EU Commission notes that:

‘…financial scandals have prompted a new, active debate on corporate governance, and the necessary restoration of confidence is one more reason for new initiatives at EU level. Investors, large and small, are demanding more transparency and better information on companies, and are seeking to gain more influence on the way the public companies they own operate.’

EU Commission Communication COM (2003) 284 final, Modernising company law and enhancing corporate governance in the European Union - A plan to move forward (EU Action Plan), 2003, p. 7.

Thus, various legal initiatives, both at EU level and within the US, are being undertaken. The initiatives are driven by a number of common principles, key among which are:

o Transparency of information and internal procedures;

o Accessibility of information, based on the premise that information that is not easily accessible is no information at all;

o Authenticity of information which calls for the need to protect integrity of information (information management);


o Third party audit to verify compliance to rules and practices;

o Director’s responsibility and accountability to ensure legal compliance with the mandatory corporate governance framework;

o Information technology enablement whereby technological tools, processes and practices are recognized as reliable sources for good corporate governance.

Indeed, as can be noted, ICT has practically permeated all facets of a business, including the generation and sustainability of its information. Thus, corporate governance essentially needs to include governance from an ICT perspective.

2. ICT Governance - Definition

In very simplistic terms, ICT governance is increasingly seen as an essential subset of corporate governance. However, there still does not appear to be a clear-cut definition of the ICT Governance concept (Ziolkowski and Clark, 2005).

Therefore, reference to various sources, and in particular to known ICT Governance standards or best practices, shall be made for useful and practical explanations of ICT Governance. The IT Governance Institute (2007) defines ICT Governance as ‘the responsibility of executives and the board of directors and consists of the leadership, organisational structures and processes that ensure that the enterprises’ IT sustains and extends the organisation’s strategies and objectives’ (p5). ISO/IEC 38500, the international standard for corporate governance of ICT, tends to be more specific. It identifies ‘six principles for good ICT governance’, which are identically identified in AS8015-2005, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT):

o Responsibility – the need to establish clearly understood responsibilities for ICT

o Strategy – the need to plan ICT to best support the organisation’s business

o Acquisition – the need to acquire ICT validly

o Performance – the need to ensure that ICT performs well whenever required

o Conformance – the need to ensure that ICT conforms with formal rules

o Human Behaviour – the need to ensure that ICT respects human factors, through ICT policies, practices and decisions.

The human factor aspect is also emphasised, albeit implicitly, by Lallana (2010) in a definition of ICT Governance from a public sector perspective. It is defined as ‘the use of ICT in the domain of administration – including public service delivery, regulation, law enforcement, security, improving bureaucratic efficiency and policy making – and the domain of politics – the range of activities related to how society makes decisions and establishes values that are binding upon its members at the local, national and global levels’.

From a more practical point of view, the Department of Education and Training of the Queensland Government (Australia) views ICT Governance within the public sector as a framework encompassing the following strands:

o ICT Policy Management

o ICT Budget Management

o ICT Risk Management

o ICT Strategy Management along with ICT Portfolio Investment and ICT Investment Delivery

o Enterprise Architecture Management

o Benefit Management


As can be noted in the above model, ICT policy management plays a critical role in ICT Governance, although it is not the sole factor. It is seen to embody the earlier principles of Human Behaviour and Conformance. As implied earlier within the document’s scope, the focus at this stage shall be on this factor, the ICT policy management aspect of ICT Governance, and in particular on ICT policy development, given that the compliance aspect is dealt with separately. Other factors of ICT Governance may need to be referred to in further detail in subsequent versions of this document.

3. Guiding Model being Adapted

Lallana (2010) argues that ‘…governments seeking to maximise the use of ICT in the pursuit of development goals need to develop an ICT Governance framework’ (Lallana, 2010, p6).

Thus, within the Government of Malta ICT context, this ICT Governance Framework shall apply and adapt parts of Control Objectives for Information and related Technology (COBIT), where applicable. COBIT is an internationally recognised control framework that is likely to be already known and understood amongst a number of stakeholders, possibly including Government CIOs and third party suppliers. Reference to such a framework shall facilitate a shared, common understanding among all stakeholders involved.

COBIT was developed by the IT Governance Institute (an ISACA research institute) and provides a holistic set of control objectives, processes, measures and best practices for information technology management. It emerged out of another framework, developed by the Committee of Sponsoring Organisations (COSO), which focuses on internal and financial controls.

The development of COBIT versions 3 and 4 saw increased alignment of this framework to other internationally recognised standards and best practices such as the Information Technology Infrastructure Library (ITIL), ISO 27001 and PRojects IN Controlled Environments (PRINCE2). In fact, in organisations where these standards and frameworks are already implemented, it is recommended that they are used in conjunction with COBIT.

The latest version of COBIT (version 5) was recently published as a design exposure draft. It builds upon the current version 4.1, integrates into it the IT Governance Institute’s own Val IT 2.0 and Risk IT frameworks, and aligns itself more fully to the ISO/IEC 38500 domains.

The advantages seen to be gained from the adoption and adaptation of COBIT include better alignment of ICT with business exigencies and requirements, and an understandable applicability of ICT from a strategic (management) perspective.

4. Framework Scoping

This Section establishes the scope of the ICT Governance Framework for Policy Management based on COBIT. It also refers to other ICT Governance stakeholders within MITA, given that, as outlined in the MITA Strategic Plan 2009-2012, MITA is ‘the central driver of ICT policy, programmes and initiatives in Malta, [that is mandated to] lead ICT strategy development and drive the deployment of an effective ICT Governance framework within the Public Sector’.

Thus, based on COBIT, the Policy Management function is directly and mainly focused on the:

o ‘Plan and Organise’ COBIT process and in particular PO6 – ‘Communicate management aims and direction’. As can be noted, this process element is made up of control elements that relate to the IT policy and control environment, IT policy management, and policy, standards and procedures rollout and communication.

o ‘Monitor and Evaluate’ COBIT process, and in particular ME4.1 – ‘Establishment of IT governance framework’.


On the other hand, the COBIT process control objectives indicate other areas of ICT governance with which the Policy Management function would need to interact. Such indications are shown in Table 1 below.

Table 1: Governance stakeholders within MITA (excluding Policy Management) and the COBIT processes involved

Stakeholder: Strategy, Planning and Performance, CIO liaison function
COBIT processes: Plan and Organise; Deliver and Support; Monitor and Evaluate

Stakeholder: Technology and Systems Governance function, namely Compliance Management, Technology strategy and Technology operational alignment; Data Governance function; Quality Assurance (Governance); Change management function; Patch management function
COBIT processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

Stakeholder: Information Security function-related Governance role
COBIT processes: Plan and Organise; Deliver and Support; Monitor and Evaluate

Stakeholder: Sourcing and Vendor management function
COBIT processes: Plan and Organise; Acquire and Implement; Deliver and Support

Stakeholder: Legal, risk and compliance function
COBIT processes: Plan and Organise; Deliver and Support; Monitor and Evaluate

Stakeholder: Information Systems and Transformation function
COBIT processes: Plan and Organise; Acquire and Implement

Stakeholder: Corporate Affairs function
COBIT processes: Plan and Organise; Deliver and Support

Stakeholder: Service Management function
COBIT processes: Acquire and Implement; Deliver and Support

Stakeholder: Human Capital function
COBIT processes: Deliver and Support

The involvement of stakeholders within the Public Sector, such as the Chief Information Officers, is not excluded, e.g. with respect to independent assurance.

Additionally, policy development, budgeting and strategic planning call for interaction by the respective internal MITA functions with the corresponding key roles within the Public Sector.

Further evolution of the stakeholder mapping is not excluded.


5. Framework Approach

The previous Section identified two process objectives of COBIT which can be assimilated to the policy development role. The related process guidelines proposed as part of the COBIT framework are referred to for direction and adaptation in the ICT Governance Framework, as indicated in Table 2 below.

Table 2: COBIT process objectives, control objectives and guidelines adapted for the policy development role

Process objective: PO6 Communicate management aims and direction

Process control objective: PO6.1 IT policy and control environment
Process guidelines: Define an IT policy and control framework, including defining the elements of a control environment which is based, among others, on a culture which supports value delivery, teamwork, risk management, compliance and continuous process improvement.
Proposed action: The attached ICT Governance Framework, which includes, among others, the Underlying Principles, the Terms of Reference and the Policy development lifecycle.

Process control objective: PO6.3 IT policies management
Process guidelines: Develop and maintain a set of policies to support IT strategy.
Proposed action: Reference is made to the GMICT Policy Roadmap document.

Process control objective: PO6.4 Policy, standard and procedures rollout
Process guidelines: Roll out and enforce IT policies.
Proposed action: Reference is made to the GMICT Policy Roadmap document. Compliance is dealt with under a separate management framework.

Process control objective: PO6.5 Communication of IT objectives and direction
Process guidelines: Communicate awareness and understanding of the policies and the framework.
Proposed action: Seminars as referred to in the MITA Strategic Plan 2009-2012 – Strategic Coverage 2.

Process objective: ME4 Monitor and evaluate

Process control objective: ME4.1 Establishment of an IT governance framework
Process guidelines: Integrate IT governance with corporate governance objectives; provide for independent assurance regarding compliance with IT policies.
Proposed action: Reference is made to the Underlying Principles. Compliance is dealt with under a separate management framework.


6. Underlying Principles

As indicated in the previous Section, one key component of the Governance Framework is the definition of the elements of the IT policy and control environment. Therefore, based on the Government of Malta Strategy as reflected in the MITA Strategic Plan 2009-2012, the following principles are drawn for the Government of Malta ICT Policy Management function:

o Transformation-driven approach with a view to allowing for more value added and lower cost for Government

o Continuous monitoring of emerging trends within the information society fields

o Continuous improvement in policy management

o Independence from administrative or operational function which may impair objectivity in policy management

o Risk averse approach with respect to Government security interests

o Private sector involvement, in policy development, as and where applicable to the maximum extent possible

o Open standards and technology approach

o Close collaboration with other aspects of ICT governance, which include, but are not limited to, Business, Information Security governance, Data governance and Compliance

o Communication and involvement of all stakeholders concerned, including the public

o Identified ownership for each policy.

The principles shall serve as the basis for the formation of policies, which shall be identified and prioritised as part of the GMICT Policy Roadmap.

The GMICT Policy Management function reserves the right not to reflect all feedback received, prior to or following publication of a GMICT policy, within subsequent GMICT policy content.

7. GMICT Policy Definitions and Scope

7.1 Definitions

Table 3, below, presents a list of specific types of GMICT Policy as defined by the GMICT Policy Management function.

Table 3: GMICT Policy types and their definitions

GMICT Policy: A direction, line, manifesto, principle or stance of a strategic nature stating the official intention of Government. A lucid, vendor-neutral statement about Government's intentions in the Information and Communications Technology (ICT) field. Statements intended to regulate Public Sector behaviour with respect to the adoption and use of ICT in Government.

GMICT Standard: A specification or configuration required for ICT related products, services or operations.

GMICT Directive: Instructions related to the implementation of Policies and Standards.

GMICT Procedure: A document which establishes an official (and authorised) way of doing something. This is normally expressed in a workflow format.

GMICT Form: A document specifying various items of information that need to be submitted, usually as part of a Procedure.

7.2 Scope

GMICT Policy applies to all of the Public Sector, in line with the Statute of MITA, which states that: “It shall be a purpose of the Agency to deliver and manage the execution of all programmes related to the implementation of information technology and related systems in Government with the aim of enhancing public service delivery” (Statement 3(1b)).

8. Terms of Reference for the Policy Management function

Following the underlying principles, the following Terms of Reference are drawn for the GMICT Policy Management function:

1. To identify new GMICT Policy requirements and to recommend appropriate GMICT Policy development to the Chief Technology Officer.

2. To act as the point of reference with respect to interpretation of published GMICT Policy.

3. To oversee the development of GMICT Policy drafted by its primary policy contributor and be responsible for its review, leading to publication.

4. To foster further collaboration with all stakeholders, including but not limited to the Office of the CIOs, the Security Governance function, the Data Governance function and the Compliance Management function.

5. To induce awareness of GMICT Policy established among the stakeholders concerned.


9. The GMICT Policy Roadmap – Considerations

9.1 Broad perspectives

The GMICT Policy Roadmap is issued as a separate document. The COBIT process objectives identified for policy development provide an insight into the business perspectives which the Policy Roadmap may need to pursue. Such perspectives, identified in detail in Appendix 1, are categorised into four domains as follows:

1. Finance point of view - This perspective is seen to cover the need to manage IT-related business risks in Government through:

o Addressing governance requirements in line with high level direction (Government’s ICT strategy)

o Protecting critical and confidential information

o Ensuring trust in automated business transactions and information exchanges

o Ensuring robustness of ICT service and infrastructure, including disaster recovery.

As can be noted, the above objectives particularly cover the need for ICT security and trust, apart from adequate preparations and planning for ICT service delivery and infrastructure implementations.

2. An internally focussed perspective - covering a number of areas critical to Government, in particular with respect to compliance to existing legislation, regulations, contracts and policies, change management and business efficiency based on lower costs and enhanced productivity.

3. A customer oriented perspective – which is seen to be addressed through:

o Seeing to governance requirements in line with Government’s ICT strategy

o Ensuring transparency and understanding of ICT policy

o Ensuring trust in ICT service delivery

o Ensuring service effectiveness, continuity and availability

4. A learning and growth perspective- whereby the need for managing product and business innovation is considered as a crucial component in enhancing service delivery

9.2 Approach to establishment of Roadmap

Such perspectives are only indicative. They are high level, broad and generic, and are thus only seen as an initial means of determining the overall course of action evolving within the GMICT Policy Roadmap. A more pragmatic approach shall therefore be applied in the establishment of the Roadmap. Thus, the Roadmap shall refer to authoritative sources, documented and verbal, that have a direct bearing on Government’s ICT direction. The above perspectives may serve more of a confirmatory purpose to the findings.

9.3 Approach to sustainability of Roadmap

The GMICT Policy Roadmap, along with the Policy deliverables it identifies and schedules, shall also need to reflect changing ICT and business realities. This forms part of the Policy Management Lifecycle as defined in the next Section.


10. GMICT Policy Management Lifecycle

The following diagrams present the GMICT policy management lifecycle, which is based upon:

o The COBIT processes for the GMICT policy management role as identified earlier

o The underlying principles highlighted earlier, which form an integral part of the ICT Governance Framework

[Diagrams: GMICT policy management lifecycle (original document pages 10 to 14), not reproduced in this text version.]

11. GMICT Policy Authorisation

The GMICT Policy management lifecycle essentially calls for management involvement, particularly during the policy authorisation process. GMICT Policy documentation shall therefore be authorised at the appropriate management level within MITA, based upon the criteria indicated in Table 4 below.

Table 4: Potential criteria for determining the authorisation level of a GMICT Policy

Acronym: STR
Meaning: Strategic Importance of the Policy to the Public Sector
Further explanation: Implies the significance of the policy upon:
o the public, society, national interest,
o any other matter which carries significant sensitivity to Government interests, e.g. security, Government policy

Acronym: OPR
Meaning: Degree of change expected to operational business practices in the Public Sector (including MITA) through introduction of the Policy
Further explanation: Implies the degree of change required in current work practices / processes for conformance to the Policy


12. GMICT Policy Compliance

Any GMICT Policy document carries an Effective Date, which refers to the date from which the provisions of the particular document start to apply. However, it is also understood that there may be instances when it is not possible for the provisions of a GMICT Policy document to be implemented with immediate effect from the Effective Date.

Therefore, the GMICT Policy Management function addresses such a possibility in two ways, prior to GMICT Policy document publication, specifically during the drafting and the review stages:

(i) The GMICT Policy template includes an optional Section related to Compliance. This Section is expected to provide parameter(s) of applicability, transition requirement(s) and corresponding date(s) by which part or all of a Policy document is expected to be complied with. The Transition requirements are not expected to be highly specific, particularly where various implementation scenarios are known to exist within the context under consideration. However they should at least be expected to outline the common high level requirements expected across all of the various potential scenarios.

(ii) The review process of draft GMICT Policy documents is inherently expected to provide first-hand feedback from the affected stakeholders. The feedback is mainly expected to focus on the validity of the principles underlying Policy statements, as well as on any potential issues with enforcement of the proposed Policy document. It should therefore serve as a mechanism for assessing the impact of the Policy and for establishing any compliance parameters or timelines prior to the Policy’s publication.


References

1. Calder, A. (2008), ISO/IEC 38500: The IT Governance Standard, IT Governance Publishing, UK, p. 19

2. IT Governance Institute (2007), COBIT 4.1, www.itgi.org

3. Lallana, E. (2010), ICT for Development Policy, Process and Governance, Briefing Note 2, United Nations Asian and Pacific Training Centre for ICT for Development, January 2010

4. MITA Strategic Plan 2009-2012

5. Pye, G. and Warren, M.J. (2006), ‘Striking a balance between ethics and ICT Governance’, Australasian Journal of Information Systems, 13, 2, 201-207

6. Queensland Government - Department of Education and Training (2009), ICT Governance Summary, Version 1.1, TRIM 2009/95440

7. Moir, S.T.W. (2008), The Calder-Moir IT Governance Framework – Overview, Version 2.0, July 2008

8. Ziolkowski, R. and Clark, E. (2005), ‘Standards of ICT Governance: The need for stronger epistemological foundations in shifting sands’, The Asia Pacific Journal of Public Administration, 26, 1, 77-90

Modification History

Version 1.0, effective 08/11/2010: Initial Release

Version 2.0, effective 18/11/2010: Second Release

Version 3.0, effective 23/11/2010: Third Release, based on update to Policy Management Lifecycle

Version 4.0, effective 13/06/2011

Version 5.0, effective 16/04/2012: Addition of the Policy Lifecycle: Escalation procedure

Version 6.0, effective 06/12/2012: Addition of Scope of GMICT Policy Suite (Section 7.2)

Issuing Authority

This document has been issued with the authority of the Malta Information Technology Agency.

Contact Information

Government ICT Policies, Directives, Standards and associated publications can be found at http://ictpolicies.gov.mt.

Any suggestions, queries or requests for clarification regarding Government ICT Policies, Directives and Standards may be forwarded to [email protected].


Appendix 1 – IT goals of COBIT processes related to policy development

Process: Plan and Organise, PO6 – Communicate management aims and direction

IT goals:

12 - Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels

13 - Ensure proper use and performance of the applications and technology solutions

19 - Ensure that critical and confidential information is withheld from those who should not have access to it

20 - Ensure that automated business transactions and information exchanges can be trusted

21 - Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster

22 - Ensure minimum business impact in the event of an IT service disruption or change

Process: Monitor and Evaluate, ME4 – Provide IT governance

IT goals:

2 - Respond to governance requirements in line with board direction

12 - Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels

27 - Ensure IT compliance with laws, regulations and contracts

28 - Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change

The targeted IT goals in turn cover a number of business goals, as follows. Each IT goal is listed with the business goals it supports and, in brackets, the overall business goal perspective to which each business goal belongs.

IT Goal 1 - Respond to business requirements in alignment with the business strategy

    Create agility in responding to changing business requirements (Customer perspective)

    Manage business change (Internal perspective)

IT Goal 2 - Respond to governance requirements in line with board direction

    Manage IT-related business risk (Financial perspective)

    Improve corporate governance and transparency (Financial perspective)

    Obtain reliable and useful information for strategic decision making (Customer perspective)

    Provide compliance with external laws, regulations and contracts (Internal perspective)

    Provide compliance with internal policies (Internal perspective)

IT Goal 5 - Create IT agility

    Create agility in responding to changing business requirements (Customer perspective)

    Manage business change (Internal perspective)

    Manage product and business innovation (Learning and growth perspective)

IT Goal 12 - Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels

    Obtain reliable and useful information for strategic decision making (Customer perspective)

IT Goal 13 - Ensure proper use and performance of the applications and technology solutions

    Provide compliance with internal policies (Internal perspective)

    Lower process costs (Internal perspective)

    Improve and maintain operational and staff productivity (Internal perspective)

IT Goal 19 - Ensure that critical and confidential information is withheld from those who should not have access to it

    Provide compliance with external laws, regulations and contracts (Internal perspective)

    Manage IT-related business risk (Financial perspective)

IT Goal 20 - Ensure that automated business transactions and information exchanges can be trusted

    Provide compliance with external laws, regulations and contracts (Internal perspective)

    Obtain reliable and useful information for strategic decision making (Customer perspective)

    Manage IT-related business risk (Financial perspective)

IT Goal 21 - Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster

    Provide compliance with external laws, regulations and contracts (Internal perspective)

    Manage IT-related business risk (Financial perspective)

IT Goal 22 - Ensure minimum business impact in the event of an IT service disruption or change

    Establish service continuity and availability (Customer perspective)

    Manage IT-related business risk (Financial perspective)

IT Goal 27 - Ensure IT compliance with laws, regulations and contracts

    Provide compliance with external laws, regulations and contracts (Internal perspective)

IT Goal 28 - Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change

    Manage business change (Internal perspective)

    Manage product and business innovation (Learning and growth perspective)