IT Governance Framework


Department of Police, Roads and Transport
FREE STATE PROVINCE

IT GOVERNANCE FRAMEWORK

Date: 7 March 2012
Revision: 1.0
Document ID: ICT-006-032012

Digitally signed by davhulak@freetrans.gov.za on 2012.04.26 10:33:19 (+02'00'). Reason: I attest to the accuracy and integrity of this document.

Index

1. Introduction                                           Page 3
2. Various Definitions of Governance                      Page 4
3. Corporate Governance versus IT Governance              Page 4
3.1 Corporate Governance                                  Page 5
3.2 IT Governance                                         Page 5
4. IT Governance Framework                                Page 6
5. What IT Governance will deliver & 5 Governance focus   Page 8
6. Five IT Governance Decision Areas (Domain)             Page 10
7. Decision Model and Governance Style                    Page 11
8. IT Governance Mechanism                                Page 12
8.1 Governance Matrix                                     Page 13
8.2 Roles and Responsibility                              Page 13
8.3 Governance Map                                        Page 15
9. IT Governance Process                                  Page 15
10. IT Policies, Standards and Procedures                 Page 20
11. IT Process                                            Page 20
12. IT Governance                                         Page 21
13. Signatures                                            Page 21

1. Introduction

This was compiled using the information that was prepared by Mr Gawie Wellemse as a Provincial Strategy direction through the leadership of his CIO, Mr Tshepo Motiki, who is a provincial Chairperson of the Provincial Government Information Technology Council.

From relative obscurity a few years ago, several factors have come together to make the concept of formal Information Technology (IT) Governance a good idea for virtually every organisation, both public and private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders, e.g. the Department of Public Service and Administration (DPSA), and customers.

IT Governance has been described by Gartner[2] as an effective and efficient management of IT resources to facilitate the achievement of business goals and objectives. Simply put, it’s putting structure around how organisations align IT strategy with business strategy, ensuring that organisations stay on track to achieve their strategies and goals and implementing good ways to measure IT’s performance. It ensures that all stakeholders’ interests are taken into account and that processes provide measurable results.

IT does not exist for its own sake within an organisation; it is there to ensure that business achieves sustainable success. IT Governance becomes a management practice for governing the processes and decisions related to the use of IT within the organisation. IT Governance has risen in importance because of the widening gulf between what the business expects and what IT is prepared to deliver. IT has grown to be seen as a cost centre with little direct benefits to the organisation it serves. An IT Governance framework is meant to align IT functions to the business, minimise the risk IT introduces and ensure that there is value in the investment made in IT.

Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an IT Governance framework, many have found it to be an excellent way to ensure regulatory compliance. By implementing IT governance, the organisation will have the internal controls needed to meet the core guidelines of many of these regulations, such as the Public Services Act (PSA), 1994 (Proclamation Nr. 103 of 1994), the Public Financial Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999) and the State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998 as amended by Act 38 of 2002).

[1] Provincial Government of the Western Cape (2010). Information Technology Governance Strategy. Pages 129 (main source).
[2] The Gartner Group is an international body that delivers technology research to global technology business leaders to make informed decisions on key initiatives.

2. Various Definitions of IT Governance

a) The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.
b) IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
c) A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
d) Specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT.
e) Governance is not about what decisions get made – that is management – but it is about who makes the decisions and how they are made.
f) IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals.[3]

[3] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit article /25 p30top35.pdf. Last accessed 28 January 2011.

3. Corporate Governance versus IT Governance

Corporate Governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organize them to meet the goals of the organization in the most effective and efficient manner possible. An effective corporate governance strategy allows an organization to manage all aspects of its business in order to meet its objectives.

Information technology governance, however, is a subset discipline of Corporate Governance. Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a part of the overall Corporate Governance Strategy of an organization. IT Governance and associated governance mechanisms provide the linkage between responsible Corporate Governance and effective IT Management.

3.1 Corporate Governance

The field of Corporate Governance is a multifaceted subject that includes several fields of study. These fields include areas such as:
a) Accountability and fiduciary duty. These advocate the implementation of guidelines and mechanisms to ensure management acts in good faith and that the public organization is protected from wrongdoing or fraud.
b) Economic efficiency view. This involves how the corporate governance system intends to optimize results, and meet its objectives.
c) Strategic efficiency view. This involves public policy objectives that are not directly measurable in economic terms such as alleviation of poverty, access to markets, income stabilization, health care and job creation. These are issues that are the main focus of most public sector institutions and are not readily measured in economic terms.
d) Stakeholder view. This area of study focuses more attention and accountability on other stakeholders such as citizens, employees, businesses and other levels of government (i.e. provincial, municipal or local authorities).

3.2 IT Governance

IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

IT governance should be viewed as how IT creates value that fits into the overall Corporate Governance Strategy of the organization, and never be seen as a discipline on its own. In taking this approach, all stakeholders would be required to participate in the decision making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT related decisions are made and driven by the business and not vice versa.

IT governance is needed to ensure that the investments in IT generate value (reward) and mitigate IT associated risks, avoiding failure. IT is central to organizational success – effective and efficient delivery of services and goods – especially when the IT is designed to bring about change in an organization. This change process, commonly referred to as ‘business transformation’, is now the prime enabler of new business models in both the private and public sectors. Business transformation offers many rewards, but it also has the potential for many risks, which may disrupt operations and have unintended consequences. The dilemma becomes how to balance risk and rewards when using IT to enable organizational change.

4. IT Governance Framework

IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organisational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

IT Governance deals with how IT decisions are made and by whom, detailing who has decision making rights, who is supposed to provide the input to inform the decisions and who is accountable for implementing the decisions. It is ultimately about making IT decisions the right way. Governance of IT will help the Free State Provincial Government (FSPG) to integrate IT with the business and improve the cost effectiveness of IT.

The IT Governance framework will deal with the following:
a) What key IT decisions need to be made and by whom?
b) What decision models are to be used in these decisions?
c) What IT Governance structures, processes, strategy, policies, standards and procedures are required for correct decision making?
d) What IT processes and procedures are required to ensure that IT ultimately serves the business?[4]

[4] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit articles/25 p30top35.pdf. Last accessed 28 January 2011.

The IT Governance framework is aligned with the King III Code of Practice for IT Governance as well as best practice control and process frameworks in supporting business aligned use of and investment in IT. The key frameworks that support this governance framework are the following:

Framework (Acronym): Description
Control Objectives for Information Technology (COBIT): Provides comprehensive IT Governance Processes, IT alignment and IT controls.
Projects in Controlled Environments (PRINCE2): Managing IT projects and realizing value from IT.
Capability Maturity Model Integration (CMMI): Process improvement approach used in the development of applications (software).
Information Technology Infrastructure Libraries (ITIL): Set of processes for managing IT services.
Information Technology Risk Management (ITRM): Framework for managing and mitigating risks resultant from IT.
International Organization for Standardization 27000 (ISO 27000): Framework for information security.
Publicly Available Specifications 56 (PAS 56): Guide to Business Continuity Management.
Publicly Available Specifications 77 (PAS 77): Guide to IT Service Continuity Management.

The Provincial Government Information Technology Officers Council (PGITOC) adopted[5] COBIT as the overall IT governance framework for the FSPG. The following diagram illustrates how the different frameworks (with COBIT as the overarching framework) work unitedly to provide guidance in the governance of IT from strategic to process level:

[Diagram illustrating how the different frameworks work unitedly (with COBIT overarching).]

[5] Sun Microsystems Inc. (2010). Positioning of Frameworks. nglish/frameworks/GroupDocuments/frameworks v3 111908.pdf. Last accessed 27/01/2011.

5. What IT Governance will deliver and the five IT Governance focus areas

There are two major outcomes from IT Governance:
1. IT value delivery to departments.
2. Mitigating IT related risks.

Both the above-mentioned outcomes are achieved through focusing on the five IT Governance areas[6] as illustrated on the image to the right and explained below.

IT GOVERNANCE FOCUS AREAS
Nr. Area: Description
1. Strategic Alignment: Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition and on aligning IT operations with the organization operations.
2. Value Delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving value of IT.
3. Risk Management: Requires risk awareness by senior management, a clear understanding of the organization’s appetite for risk, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization.
4. Resource Management: Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.
5. Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards, resource and usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Strategic Alignment:
• Linking business and IT plan.
• Defining, maintaining and validating the IT value proposition.
• Aligning IT operations with the organization operations.
• Provide collaborative solutions that contain costs while improving administrative efficiency and managerial effectiveness.
Best Practices:
• Integrated approach to business/IT strategy.
• Cascading strategy and objectives down into the organization.
• Co-responsibility of business and IT.
• Clearer objectives for IT investments.
• IT Strategy and IT Standing Committees.

Value Delivery:
• Executing the value proposition throughout the delivery cycle.
• Ensuring that IT delivers the promised benefits against the strategy.
• Concentrating on optimizing expenses and proving IT’s value.
• Controlling projects and operational processes with practices that increase probability of success (budget, risk, quality etc.).
Best Practices:
• Tracking of business value of IT.
• Enabling effective value measurements (ROI, TCO etc.).
• Disciplined approach to project management with a larger role for the business.
• Commitment to formal methodologies/processes for application development and service delivery.
• Enterprise architecture planning.

Risk Management:
• Requires risk awareness of senior management, a clear understanding of the organization’s appetite for risk and transparency about the significant risks to the organization.
• Embeds risk management responsibilities in the operation of the organization.
• Addresses the safeguard of IT assets, disaster recovery and continuity of operations.
Best Practices:
• Awareness of IT risks based on continuous assessment.
• Transparency to all stakeholders.
• Establishing responsibility and embedding risk management into the organization.
• An integral part of compliance and assurance.
• Use of formal IT risk and control frameworks.
• Process management disciplines.

Resource Management:
• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure, and data).
• Maximizing the efficiency of these assets and optimizing their costs.
• Optimizing knowledge and the IT infrastructure.
• Knowing where, when and how to outsource.
Best Practices:
• Supply/demand balancing.
• Practices to train and sustain staff.
• Consumption based chargeback.
• Formalized vendor management disciplines.

Performance Measurement:
• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
• Measuring relationships and assets necessary to compete (customer focus, process efficiency and the ability to learn and grow).
• Tracking project delivery and monitoring IT services.
Best Practices:
• IT balanced scorecard as emerging reporting system.
• A management reporting system that feeds back into the strategy.
• Use of benchmarking for performance comparison.
• IT scorecard approval by the key stakeholders for alignment.

[6] Saull, R. (2006). IT Governance. A Framework for Performance and Compliance. Available: http://itgi.jp/conf200611/ronsaull.pdf. Last accessed 28 January 2011.

6. Five IT Governance Decision Areas (Domains)[7]

IT Governance necessitates key decisions regarding IT in the FSPG. Some of these decisions must be made in conjunction with the business to get full value from the IT investment. It is important to articulate these key decision areas (domains) in order for IT to perform according to requirements. The following five key IT decision areas exist:

[7] University of West Florida (2009). IT Governance. Available: http://argowiki.com/index.php?title IT Governance. Last accessed 01 February 2011.

7. Decision Model and Governance Style

The FSPG has chosen a decentralised model (IT unit per department) for providing IT goods and services to the various departments. Strategic IT matters are considered by the PGITOC that is chaired by the Chief Information Officer (CIO) (Department of the Premier) with IT Managers of the various departments as members. It is imperative to immerse IT into the business so that its plans are aligned to the business and its decisions and the business decisions are concluded in the right manner that advances the objectives of the departments.

There are generally six governance styles for providing input or making decisions regarding the five key IT decision areas (domains) mentioned in paragraphs 6.1 to 6.5. The styles reflect a mix of shared responsibilities (for input and decision making) between IT and business in governing the five decision areas.

The following six classic styles exist in a typical IT Governance structure. The FSPG IT Governance uses a mix of governance styles across the five decision areas. The variety of styles highlights different required roles for input and decision making in support of business needs. The primary IT governance styles for the FSPG are the Business and IT Monarchy as well as the Duopoly style.

Nr. Style: Description
1. Business Monarchy: This is where the Head of the Department, the Chief Financial Officer (CFO) and the Chief Information Officer (CIO)/IT Manager (the so called C-level executives) make the decisions. Recently the CIO/IT Manager has been more involved and has a more active role in the decision making within the business monarchy level. At this level, decisions are derived from input from many areas.
2. IT Monarchy: The IT monarchy consists of IT executives (CIO and IT Managers). Within this governance archetype, decisions could be made by way of an IT leadership committee (for example the PGITOC). At this level, decision rights for both IT Infrastructure Strategies and IT Architecture are the responsibility of the IT monarchy.
3. Feudal: Feudal governance is characterized by delegated or otherwise dispersed governing rights. The exercising of decision making is highly localized, and central leadership is weak or at least unobtrusive. This model usually arises in organizations with highly independent and incongruent business units.
4. Federal: This governance archetype attempts to balance responsibilities in the decision making process. Normally this form of decision making consists of the C-level executives and representatives from one other tier within the organization (for example business leaders tier, business process owners tier, IT leaders tier, etc.). The federal approach is often used for input rights, but less often for decision rights. Given the breadth of opinions under this structure, it is no surprise that there is a propensity for discord.
5. Duopoly: This archetype is characterized by a two party involvement consisting of one IT group and one business group. This archetype could be used by the business side to introduce business objectives and by the IT side to introduce available technologies so both sides can ultimately reach decisions on viable solutions.
6. Anarchy: Business process owners and end users have decision rights under this archetype. Surprisingly, most large firms display elements of anarchy. When optimization and customization supersede sharing and standardization, it makes sense to delegate decision rights to end-users.

8. IT Governance Mechanism

The FSPG has adopted formal governance mechanisms in order to implement the governance styles and decision model. These governance mechanisms and structures are there to ensure joint decision making where necessary, allocating accountability and responsibility for IT decisions.

These formal governance mechanisms are the following:

Nr. Mechanism (Acronym): Description
1. Executive Council (EXCO): Set the strategic objectives for the Province.
2. Head of Department (HoD): Ensure that the DPRT has an appropriate IT procurement and system which is fair, equitable, competitive and cost-effective.
3. Chief Financial Officer (CFO): Ensure that the prescriptions of the Public Finance Management Act (PFMA), 1999, (Act 1 of 1999) as amended by Act 29 of 1999, including the Framework for Supply Chain Management (SCM), are being adhered to.
4. Forum of Heads of Department (FoHoD): All the accounting officers (Heads of Department) in the FSPG. It acts as a forum responsible for guiding IT and extracting maximum strategic value out of IT.
5. Chief Information Officer (CIO): Give practical effect to the responsibilities of the Head of Department to keep departments updated on strategic IT matters and developments.
6. Provincial Government Information Technology Council (PGITOC): Plan, coordinate, monitor and share Information Management and Information Technology between the departments. The PGITOC is ultimately responsible for IT Governance.
7. Standing Committees (SC): Investigate, consider and make recommendations to PGITOC regarding IT matters.
8. Service Level Agreements (SLA): Specify and measure IT services. SLAs also include Memoranda of Understanding (MOUs).
9. Business Unit Managers (BUM): Determine business and IT requirements and relay them to CIO/IT Managers.

8.1 Governance Matrix (Input and Decision Rights)

[Governance matrix table: input and decision rights per decision area. The table layout is not recoverable from the extraction; the recoverable labels are the decision areas IT Infrastructure Strategies and Business IT Application Needs, the participants DG, FoHoD, SC, PGITOC, CIO, BUM and IT, and the style Anarchy.]

The net result from the governance mechanisms over the five key IT decision areas is the following:
a) Collaborative decision making between the departments and IT leadership for IT Principles, IT Investment and Prioritization.
b) IT leadership has the responsibility for finalising IT Infrastructure Strategies and IT Architecture.
c) Departmental input in determining IT Application Needs.

8.2 Roles and Responsibilities (Accountability Framework)

8.2.1 Head of Department

In terms of Section 38 (1)(a)(iii) of the PFMA (Act 1 of 1999, as amended by Act 29 of 1999) the accounting officer (HoD) for a department (PRT) must ensure that the department has and maintains an appropriate procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective. Flowing from this, the Director General (DG) is accountable for IT Governance at Provincial level and this role is dispatched at a departmental level to the Head of Department (HoD), in this case HoD: Police, Roads and Transport. The HoD has also delegated some of his responsibilities to the CIO, who among other things ensures that IT Governance is in place and that IT supports FSPG objectives. The HoDs are ultimately responsible for cultivating an understanding for the value of IT within their departments.

8.2.2 Provincial Government Information Technology Officers Council

The PGITOC champions IT innovations in the FSPG. In so doing, the PGITOC considers crosscutting IT related solutions proposed by departments for implementation and makes recommendations on their approval to FoHoD. The Council thus functions as a gatekeeper for proposed crosscutting IT solutions. The PGITOC also makes recommendations on the adoption of proposed IT strategies, policies, norms and standards.

The PGITOC also considers IT architecture variations and reviews IT risk strategy for consistency with the architecture. The CITCOM is also responsible for defining multidepartmental and single departmental initiatives and approving IT standards. In sum, the PGITOC is the de facto IT Strategy Committee and acts on behalf of FoHoD (to which it is accountable) on how to best use IT within the organisation.

The PGITOC operations are regulated by the following:
a) Free State Growth and Development Strategy Plan.
b) Individual department’s strategic and IT plans.
c) Integrated Development Plan (IDP).
d) SITA Act, 1998 and Regulations.
e) Public Service Acts and Regulations.
f) Public Finance Management Act, 1999 and Regulations.

The PGITOC is governed by a Charter approved by FoHoD and meets at least once every month (and whenever circumstances so determine). The PGITOC is constituted by the following:
a) CIO who is the Chairperson.
b) IT Managers from each department as appointed by the HoDs.
c) Managers in the IT unit of the PRT.
d) Provincial representative of the State Information Technology Agency (SITA) as Associate Members only on the standing committees.
e) Secretary – official from the IT unit, Department of Premier.

The following Standing Committees exist within the PGITOC:
a) Procurement and IT Economic Development.
b) E-government and E-governance.
c) Risk, Audit, Projects and Change Management.
d) Security, Architecture and Free and Open Source Software (FOSS).

The Departmental Steering Committee (Steercom) is governed by a Charter approved by the Department of Police, Roads and Transport and meets at least once every month (and whenever circumstances so determine). The Steercom is constituted by the following:
a) Chairperson: To be an Executive Manager appointed by the HoD.
b) Members: Departmental CIO and Business managers in accordance with the mandate the HoD may decide, with an aim to beef up the decision making process.
c) Secretary: official from the Service Management division of the ICT Unit, PRT.

The CIO reports to the Corporate Service Executive, who reports to the Head of Department; simultaneously, the CIO will report to the PGITOC, which will report to FoHoD and the Department of Public Service and Administration through the CIO and the office of the Government Chief Information Officer (GCIO). Steercom members report to the HoD, who in turn reports to their Member of EXCO.

8.2.3 Departmental Chief Information Officer

A Provincial IT Manager is responsible for the following:
a) Represent the department at the Government Information Technology Officers Council on provincial level (PGITOC).
b) Interact regularly on matters of IT governance with the PGITOC.
c) Report on a regular basis to Senior Management (SM) in the department as well as to the PGITOC in order to ensure transparency of IT operations and implementation.
d) Implement and monitor an IT Governance framework (COBIT) to deliver value and manage risk.
e) Implement IT strategies, policies, standards and procedures.
f) Implement an organisational structure geared for getting value out of IT for departments.
g) Implement governance structures (e.g. SLAs).
h) Create an awareness of the maturity levels of governance.
i) Implement an IT planning process that is integrated with the departmental strategy development process.
j) Align IT operations with departmental operations.
k) Translate business requirements into efficient and effective IT solutions.

8.3 Governance Map

9. IT Governance Process

Control Objectives for Information and related Technology (COBIT) provides comprehensive good practices and processes for enforcing successful governance of IT – embedding IT and its value within the FSPG.

COBIT contributes to IT governance by providing a framework to ensure that:
a) IT is aligned to Departments and their business;
b) IT enables departments and maximises benefits;
c) IT resources are used responsibly; and
d) IT risks are managed appropriately.

COBIT has four domains that contain control processes to be used in achieving governance (primarily resource utilisation, business alignment of IT, value delivery and the management of IT risk). The four COBIT domains are: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME).

