ICT GOVERNANCE ROADMAP FY2014 to FY2016

Uploaded by vuongkiet on 11 May 2018


DOJ&CD ICT Governance Roadmap

Page 2 of 46

Table of Contents

1 Abbreviations .... 4
2 Background .... 5
3 High-level ICT governance roadmap .... 6
4 King III ICT governance assessment results .... 7
5 COBIT assessment results .... 19
6 Recommender
7 Approver

List of Figures

Figure 1: DOJ&CD ICT Governance Roadmap (high-level) .... 6
Figure 2: DOJ&CD King III assessment results (ICT governance focus area view) .... 11
Figure 3: DOJ&CD King III assessment results (King III principles view) .... 18
Figure 4: COBIT 4.1 framework .... 19


List of Tables

Table 1 : Abbreviations .... 4
Table 2 : IT governance focus areas .... 8
Table 3 : King III IT governance principles .... 9
Table 4 : King III assessment rating scale .... 9
Table 5 : DOJ&CD King III assessment results (ICT governance focus area view) .... 11
Table 6 : DOJ&CD King III assessment results (King III principles view, P1) .... 12
Table 7 : DOJ&CD King III assessment results (King III principles view, P2) .... 13
Table 8 : DOJ&CD King III assessment results (King III principles view, P3) .... 14
Table 9 : DOJ&CD King III assessment results (King III principles view, P4) .... 14
Table 10 : DOJ&CD King III assessment results (King III principles view, P5) .... 15
Table 11 : DOJ&CD King III assessment results (King III principles view, P6) .... 16
Table 12 : DOJ&CD King III assessment results (King III principles view, P7) .... 17
Table 13 : COBIT 4.1 assessment colour scheme .... 20
Table 14 : COBIT 4.1 maturity rating scale .... 21
Table 15 : COBIT 4.1 maturity levels across the 6 dimensions assessed .... 22
Table 16 : DOJ&CD COBIT 4.1 assessment .... 23
Table 17 : Detail underpinning the roadmap .... 45


1 Abbreviations

Abbreviation             Definition
CD / D                   Chief Director / Director
CGICT                    Corporate Governance of Information and Communication Technology
COBIT                    Control Objectives for Information and Related Technology
DOJ&CD / the Department  Department of Justice and Constitutional Development.
                         (Reference to the Department includes public administration in all spheres of
                         government, organs of state and public enterprises, as per Section 195 of the
                         Constitution, Act No 108 of 1996, as amended, under the control of the DOJ&CD.)
DPSA                     Department of Public Service and Administration
EA                       Enterprise Architecture
ExCo                     Executive Committee
FOSAD                    Forum of South African Directors-General
GITO                     Government Information Technology Officer
GWEA                     Government Wide Enterprise Architecture
ICT                      Information and Communication Technology
IT                       Information Technology
ISM                      Information and Systems Management. Also referred to as the ICT component.
ISO                      International Organization for Standardization
ITIL                     Information Technology Infrastructure Library
MPAT                     Management Performance Assessment Tool
OLA                      Operational-level Agreement
ROI                      Return on Investment
SCM                      Supply Chain Management
SLA                      Service Level Agreement

Table 1 : Abbreviations


2 Background

2.1 The Department has decided to intensify the use of Information and Communication Technology (ICT) as a strategic business enabler to deliver justice services more effectively and efficiently. The Department's Strategic Plan for the period 2012 to 2017 records a number of concerns about the current state of the Department's ICT landscape, but also identifies opportunities where the use of ICT can add significant value to the Department.

2.2 The Department's Internal Audit and Risk Management functions, together with the Presidency's Management Performance Assessment Tool (MPAT) and Forum of South African Directors-General (FOSAD) assessments, indicated that the Governance of ICT within the Department was not at the expected level of maturity.

2.3 In recognition of the importance of the Governance of ICT, a number of internationally recognised frameworks and standards, such as the King III Code and Control Objectives for Information and Related Technology (COBIT), have been developed to provide context for the institutionalisation of Corporate Governance of ICT.

2.4 A Public Service-wide oversight structure was established by the Department of Public Service and Administration (DPSA) to foster an integrated approach to the Corporate Governance of ICT and to ensure proper coordination between stakeholders. This is established in the Corporate Governance of ICT Policy Framework, with which the Department has to comply.

2.5 In response to the above factors, the Department developed a 'Corporate Governance of ICT Policy Framework' and a 'Corporate Governance of ICT Charter'. The Department also conducted an assessment against the King III IT governance principles and recommendations, as well as against the processes of the COBIT 4.1 framework, to determine its current level of ICT maturity. Based on the outcome of the assessments and on discussions with the relevant stakeholders within the Information and Systems Management (ISM) function, the ICT governance roadmap overleaf (Figure 1) depicts the recommended activities and initiatives that the Department should consider over the next three years.


3 High-level ICT governance roadmap

Figure 1 below provides high-level recommendations of the ICT governance activities and initiatives that the Department should consider over the next three years (FY2014 to FY2016), based on the areas of improvement identified.

Figure 1: DOJ&CD ICT Governance Roadmap (high-level)

[Figure 1 is a roadmap diagram titled "DOJ&CD ICT Governance Roadmap". Its timeline runs FY2014, FY2015, FY2016. Initiatives are placed in four swim lanes (ICT Governance, Information Security, Strategy, ICT Service Management) and positioned on two axes, Tactical to Strategic and Service Centric to ICT Centric. The numbered initiative boxes read as follows, in numeric order.]

1 CGICT Policy Framework & Charter: Develop, approve and implement the ICT governance framework.
2 Governance of ICT Framework: Develop, implement and monitor an IT internal control framework (CobiT 5).
3 ICT Management Framework: Review ICT organisation and finalise roles and responsibilities. Fill vacant positions.
4 Risk Management Policy: Include ICT risk management within the risk management policy and approve the policy.
5 Compliance: Identify laws and regulations and ensure compliance.
6 ICT Policies: Develop an IT policy framework.
7 ISM KPIs: Embed ICT performance measures within staff KPIs.
8 ICT Governance Awareness: Define a communication strategy for ICT aims and direction to business stakeholders and ICT staff.
9 ICT Audits: Agree the ICT audit approach and include ICT audits within the Internal Audit Plan.
10 ICT Audit Action Plan: Deliver on the audit action plan and the requirements from the compliance unit action plan.
11 Monitoring: Establish monitoring of internal policies, procedures and processes.
12 Value Delivery: Report on ICT value delivery and performance measures.
13 Optimisation: Ongoing review of ICT governance.
14 Security Strategy: Develop a security strategy based on business requirements for security.
15 Security Policies: Update and approve the security policy landscape.
16 Information Handling: Establish classification and handling criteria for electronic information.
17 Implement Security: Continuous implementation of the security strategy.
18 Security Awareness: Roll out a security awareness programme.
19 Security Reporting: Establish security reporting.
20 ITSM Processes: Finalise ICT Service Management processes, e.g. Change Management, Service Desk, Incident Management, Problem Management, Capacity Management, SLA/Contract Management, Storage, Backup and Retention, Systems Development Life Cycle.
21 Technology Strategy: Conclude the technology infrastructure strategy, plan and roadmap.
22 Sustainability: Develop a green IT strategy and plans.
23 Justice College: Work with Justice College to formalise the IT training plan and ensure implementation.
24 ICT Portfolio Management Framework: Develop a framework for ICT portfolio/programme and project management.
25 ICT Strategy: Review and update the existing ICT strategy, aligned to the business.
26 ICT Service Catalogue: Define the service catalogue with the business.
27 EA Strategy: Define the enterprise architecture value proposition and strategy.
28 Enterprise Architecture: Develop and implement enterprise architecture.
29 ICT Project Practices: Apply project management principles to all ICT projects.
30 ICT Service Providers: Identify all ICT service providers and formalise relationships between partners.
31 OLAs: Develop, implement and monitor OLAs.
32 SLAs with Business: Establish SLAs with the business, including the responsibility of the business.
33 Business Impact Assessment: Perform a business impact assessment for ICT continuity.
34 ICT Continuity Strategy: Complete the IT continuity strategy, policy, plan and architecture.
35 ICT Continuity Implementation: Implement and test the ICT continuity strategy.
36 Data Centres: Take control of air conditioners and consolidate data centre equipment.
37 ITSM Tools and Process: Implement ICT Service Management processes on the tools of choice.
38 Supplier Audits: Report on ICT governance and service delivery by third-party service providers.


4 King III ICT governance assessment results

4.1 Introduction to King III Chapter 5

The South African corporate governance landscape has been shaped and pushed to the forefront of

global best practice over the last two decades by the findings and guidelines laid down by the King

Committee. With the release of the third iteration in September 2009, these governance principles

have been further expanded and enhanced to keep pace with global developments and cater for the

demands of the ever-changing modern business environment.

The King III report has been divided into nine chapters, each focusing on a specific area of

governance. For the first time since the launch of the King reports, Information Technology (IT) has

been included in a separate chapter, recognising the growing importance of adequate governance

over the IT function as it becomes more and more pervasive within modern-day organisations and

their operations.

Chapter 5 of the King III report is divided into seven principles, each with a number of

recommendations (48 in total) that serve as guidelines for alignment to generally accepted good

practice in the IT governance arena.

The seven principles are:

5.1 The board should be responsible for information technology (IT) governance;

5.2 IT should be aligned with the performance and sustainability objectives of the company;

5.3 The board should delegate to management the responsibility for the implementation of an IT

governance framework;

5.4 The board should monitor and evaluate significant IT investment and expenditure;

5.5 IT should form an integral part of the company's risk management;

5.6 The board should ensure that information assets are managed effectively; and

5.7 A risk committee and audit committee should assist the board in carrying out its IT

responsibilities.


4.2 King III assessment findings

In December 2012, PwC facilitated an assessment against the King III principles and recommendations through a workshop session with ISM management. The main objective of the assessment was to assist ISM management in assessing its maturity against the King III IT governance principles and recommendations, and to identify areas for improvement.

The workshop covered the following 13 IT governance focus areas, as well as the 7 IT governance principles contained within Chapter 5 of the King III report:

# IT governance focus area

1 IT strategy and business & IT alignment

2 IT value delivery & performance management

3 Information security and management

4 IT governance framework

5 Roles and responsibilities

6 IT compliance to laws and regulations

7 Business continuity / disaster recovery

8 IT project management & benefit realisation

9 IT sustainability

10 IT risk management

11 Third Party management

12 Acquisitions and disposals

13 IT cost management

Table 2 : IT governance focus areas


Principle   Principle description
5.1         The Board should be responsible for IT Governance.
5.2         IT should be aligned with the performance and sustainability objectives of the company.
5.3         The Board should delegate to management the responsibility for the implementation of an IT governance framework.
5.4         The Board should monitor and evaluate significant IT investment and expenditure.
5.5         IT should form an integral part of the company's risk management.
5.6         The Board should ensure that information assets are managed effectively.
5.7         A risk committee and audit committee should assist the Board in carrying out its IT responsibilities.

Table 3 : King III IT governance principles

The summarised results from the IT governance assessment performed against the 13 IT governance focus areas and against the 7 King III IT governance principles are shown in the spider diagrams (Figure 2 and Figure 3) on the following pages.

The rating scales used to populate our tool are:

Answer to assessment question   Rating   Rating explanation
Yes/always                      5        Controls and/or processes are formal and optimised, and are applied without fail. Responsibility and accountability for control application/execution has been adequately assigned.
To a large extent               4        Controls and/or processes are mostly formalised and defined, and applied regularly.
To some extent                  3        Controls and/or processes can be seen as repeatable and formalised to a certain extent; attempts are made to apply controls repeatedly.
Rarely                          2        Controls and/or processes exist but are applied infrequently, and require a fair amount of formalisation.
No/never                        1        Controls and/or processes are non-existent, or are never applied.

Table 4 : King III assessment rating scale


4.3 Benchmarking data

Since the release of the King III report in September 2009, organisations have performed King III IT governance assessments to determine their maturity levels against the principles and recommendations of 'Chapter 5: Governance of IT' in the King III report.

We have compared the outcome of the King III IT governance assessment performed at the Department with the assessments that we have performed since September 2009, to provide you with an indication of how you compare with other organisations in this respect. Our benchmark repository contains information built up from equivalent reviews at other clients. All client data is anonymised and is not mentioned or referenced in any way.

As with all benchmarks, the analysis should be treated as indicative rather than comprehensive. Different organisations may exhibit different IT governance arrangements and may require different levels of control over their IT activities.

Our benchmarking data, as shown in the table below, has been collated from performing King III IT governance assessments at 46 South African companies across the following industries: Healthcare; Asset Management; Investment; Government / Parastatal; Mining; Technology and Telecoms; Manufacturing; Distribution; Pharmaceuticals; Industrial; Insurance; Medical Aid; Higher Education; Financial institutions.

Tables 5 and 6 and Figures 2 and 3 are based on the Department's maturity scores for the IT governance focus areas and King III Chapter 5 IT governance principles, mapped against our benchmarked averages for the corresponding areas. Focus areas where the Department has scored higher than the overall benchmarked average are highlighted in green, and those where the Department has scored lower than the overall benchmarked average are highlighted in red; the "Versus benchmark" column records the same comparison.

IT governance focus area                     The Department   Benchmark average   Versus benchmark
IT strategy and business & IT alignment      3.75             3.76                below
IT value delivery & performance management   2.17             3.14                below
Information security and management          2.90             3.09                below
IT governance framework                      1.75             2.79                below
Roles and responsibilities                   3.92             3.42                above
IT compliance to laws and regulations        3.33             3.00                above
Business continuity / disaster recovery      3.00             3.41                below
IT project management & benefit realisation  3.00             2.98                above
IT sustainability                            2.50             3.25                below
IT risk management                           4.00             4.02                below
Third-party management                       4.00             3.25                above
Acquisitions and disposals                   3.50             4.01                below
IT cost management                           3.33             3.81                below

Table 5 : DOJ&CD King III assessment results (ICT governance focus area view)

Figure 2: DOJ&CD King III assessment results (ICT governance focus area view)

[Spider diagram titled "IT Governance Focus Area Graph": one axis per focus area (IT Strategy and Alignment, Value Delivery and Performance, Information Security, IT Governance Framework, Roles and Responsibilities, Compliance, BCP/DRP, IT Project Management, IT Sustainability, IT Risk Management, 3rd Parties, Acquisitions and Disposals, IT Cost Management), scale 0 to 5, two series: Benchmark and DOJCD. The plotted values are those in Table 5.]


Principle 5.1 The Board should be responsible for IT Governance

Applicability to the public sector: Chapter 5 (1) (B) of the Public Service Regulations places an obligation on the head of institution to ensure that the acquisition, management and use of information technology by the institution improves:
- direct or indirect service delivery to the public, including, but not limited to, equal access by the public to services delivered by the institution;
- the productivity of the institution; and
- the cost-efficiency of the institution.
The information technology planning guidelines published and adopted by the Government Information and Technology Officers Committee in 2002 apply across government institutions and provide guidance to public sector organisations on how to align IT objectives to the overall organisational strategy. The guidelines also refer to the internationally recognised COBIT.

Requirements for national and provincial government: Responsibility of the accounting officer, set out in Treasury Regulation 5.2 and to be reported on in the annual report as well as the quarterly report to the executive authority in terms of Treasury Regulation 5.3.1.

The Department: 2.00    Benchmark average: 2.70

Table 6 : DOJ&CD King III assessment results (King III principles view – P1)


Principle 5.2 IT should be aligned with the performance and sustainability objectives of the company

Applicability to the public sector: The vision of Government is to become an entity driven by service excellence, providing quality and sustainable services in an effective and economic manner through equitable resource distribution and through the creation of sustainable growth where all communities live in harmony and prosperity. The Public Service Regulations acknowledge the important role that IT has to play in achieving government's vision, through the establishment of a requirement for all institutions and governmental institutions to manage IT effectively and efficiently. The regulations stipulate that the acquisition, management and use of information technology shall be informed by the Batho Pele principle of offering equal access to services, increases in productivity and the lowering of costs.

Requirements for national and provincial government: Section 38(1)(a) of the PFMA prescribes the duty of the accounting officer to ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control. This can be read to include IT systems. This interpretation is supported by Treasury Regulation 5.2.2, which states that the strategic plan of the institution should make reference to its proposed IT acquisitions or expansion with reference to an IT plan. Chapter 5 of the Public Service Regulations further supports the underlying value of electronic government (through acquisition and management) as discussed above, including IT security and interoperability.

The Department: 2.86    Benchmark average: 3.35

Table 7 : DOJ&CD King III assessment results (King III principles view – P2)


Principle 5.3 The Board should delegate to management the responsibility for the implementation of an IT governance framework

Applicability to the public sector: The Minimum Information Security Standards stipulate that the head of every institution bears overall responsibility for the provision and maintenance of security in his or her institution. This is, however, to be delegated to the head of the security component within the organisation.

Requirements for national and provincial government: The accounting officer assigns the responsibility to the CIO, who in turn reports to the accounting officer.

The Department: 4.00    Benchmark average: 3.72

Table 8 : DOJ&CD King III assessment results (King III principles view – P3)

Principle 5.4 The Board should monitor and evaluate significant IT investment and expenditure

Applicability to the public sector: See comments above.

Requirements for national and provincial government: The responsibility as set out in the PFMA (as noted above) would be delegated to the CIO, whilst Treasury Regulation 3.2.11 requires the internal audit function to evaluate the controls in the information systems (allowing for the assessment of effective utilisation of the investment). The PFMA does not require independent assurance on information systems. However, assurance over other matters that may be prescribed (section 40(3)(b)) might include such assurance.

The Department: 3.36    Benchmark average: 3.45

Table 9 : DOJ&CD King III assessment results (King III principles view – P4)


Principle 5.5 IT should form an integral part of the company's risk management

Applicability to the public sector: The National Treasury Risk Management Framework encourages institutions to adhere to the principles espoused in King II, given its promotion of an advanced level of institutional conduct. Since King II has been superseded by King III, it can reasonably be assumed that the principles embodied in King III will be endorsed in future revisions of the Framework. The Framework is applicable to all public sector institutions and comprehensively articulates IT risk management processes in the public sector.

Requirements for national and provincial government: This is the responsibility of the accounting officer, although IT risk management may be performed by the ICT committee.

The Department: 3.29    Benchmark average: 3.42

Table 10 : DOJ&CD King III assessment results (King III principles view – P5)


Principle 5.6 The Board should ensure that information assets are managed effectively

Applicability to the public sector: The right to privacy is enshrined in the Constitution, and effect is given to this right by way of mandatory procedures and mechanisms for the handling and processing of personal information, in line with current international trends and laws on privacy. The Protection of Personal Information (PPI) Bill, applying to both public and private sector institutions, will regulate the processing of 'personal information', including its collection, recording and storage. The Promotion of Access to Information Act (PAIA) provides public access to records of institutions, including those of national, provincial and local government.

Requirements for national and provincial government: The PFMA does not expressly deal with the management of information, except for the requirement that the accounting officer must ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control. However, institutions are required to comply with the requirements of the PAIA, which include the preparation of a manual of functions and records held by the institution in at least three official languages. Public sector institutions can refer to the Minimum Information Security Standards (MISS), which were written by the National Intelligence Agency and published by the Department, in conjunction with standards such as ISO 27001 and ISO 27002 (International Organization for Standardization), for guidance on how to implement policies, procedures, controls and safeguards that will facilitate compliance with the requirements of the PPI Bill.

The Department: 3.00    Benchmark average: 3.30

Table 11 : DOJ&CD King III assessment results (King III principles view – P6)


Principle 5.7 A risk committee and audit committee should assist the Board in carrying out its IT responsibilities

Applicability to the public sector: See comments above.

Requirements for national and provincial government: As discussed above, the accounting officer must ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control (section 38(1)(a) of the PFMA). In so doing, the Risk Management Framework developed by National Treasury should be followed. This prescribes the enablers of risk management to be:
- risk management policy;
- risk management strategy;
- basic requirements for ERM implementation; and
- funding of ERM.
The management of IT risk might include the State Information Technology Agency (SITA), as its mandate provides for the provision of such services (section 7 of the SITA Act).

The Department: 4.20    Benchmark average: 3.90

Table 12 : DOJ&CD King III assessment results (King III principles view – P7)


Figure 3: DOJ&CD King III assessment results (King III principles view)

[Spider diagram titled "Application of King Principles": one axis per principle (Principle 5.1 to Principle 5.7), scale 0 to 5, two series: DOJCD and Benchmark. The plotted values are the Department and benchmark scores in Tables 6 to 12.]


5 COBIT assessment results

5.1 Introduction to COBIT 4.1

COBIT is published by the Information Systems Audit and Control Association (ISACA). COBIT is currently the framework of choice for ICT internal controls and is favoured by the DPSA, the Auditor-General and the Government Information Technology Officer (GITO) Council. COBIT 4.1 consists of 34 "Processes", in turn grouped into four "Domains".

Figure 4: COBIT 4.1 framework


In January 2013, PwC facilitated an assessment against the COBIT 4.1 standard in a series of workshops with ISM management. The main objective of the assessment was to assist ISM management in assessing the maturity of each of the COBIT framework's 34 processes, taking into account the relative importance of each process, and to identify areas for improvement based on the desired levels of maturity.

The following section provides a summary of the assessment results, including the agreed actions to address the identified areas for improvement.

Green (maturity 3 and higher): Green indicates ICT processes where maturity is 3 or higher. It is likely that no gap exists between the actual and desired maturity levels. IT management do not believe that it would make business sense or add value to improve the maturity of the specific process.

Yellow (maturity 1.5 and higher, less than 3): Yellow indicates an ICT process where maturity is less than 3, but equal to or more than 1.5. In this case, there is usually a gap between the actual and desired maturity levels. ICT management are of the view that the process should be improved.

Red (maturity less than 1.5): Red indicates a process maturity of less than 1.5 and that there is a significant gap between the actual and desired maturity levels. ICT management have identified this as a process that must be improved.

Table 13 : COBIT 4.1 assessment colour scheme


5.2 COBIT assessment maturity rating (current and desired)

COBIT 4.1 offers maturity modelling for management and control over IT processes. The maturity levels range from non-existent (0) to optimised (5), as explained below:

Maturity rating and description:

0 Non-existent: There is a complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.

1 Initial/Ad Hoc: There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process: Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Table 14 : COBIT 4.1 maturity rating scale

The maturity assessment is conducted with respect to six dimensions as shown on the next page.


Table 15 : COBIT 4.1 maturity levels across the 6 dimensions assessed

Table 16 below is based on the Department's current and target maturity scores for each of the COBIT processes as per the COBIT 4.1 standard.


Table 16 : DOJ&CD COBIT 4.1 assessment

Columns, left to right: CobiT process; Actual (overall current maturity); Dimension Level Actuals for the six dimensions, in the order Awareness and Communication, Policies, Standards and Procedures, Tools and Automation, Skills and expertise, Responsibility & Accountability, Goal Setting & Measurement; Target (overall target maturity); Dimension Level Target for the same six dimensions in the same order; Gap (Target minus Actual, rounded to one decimal). Rows where the Actual already equals the Target carry no Gap value.

PO1 Define a strategic IT Plan 1.50 1 2 1 1.5 1.5 2 3.00 2.00 3.00 1.00 3.00 3.00 3.00 1.5
PO2 Define the information architecture 1.00 1 1 1 1 1 2 1.50 1.00 1.00 1.00 1.00 2.00 2.00 0.5
PO3 Determine technological direction 2.00 2 2 2 2 2.5 2 3.00 3.00 3.00 2.00 3.00 3.00 3.00 1.0
PO4 Define the IT processes, organisation and relationships 2.00 2 2 2 2 2 2 3.00 3.00 3.00 3.00 3.00 3.00 3.00 1.0
PO5 Manage the IT investment 2.75 3 3 3 3 3 2 3.00 3.00 3.00 3.00 3.00 3.00 2.50 0.3
PO6 Communicate management aims and direction 1.58 1 2 1 2 1.5 2 2.25 2.00 2.50 1.50 2.50 3.00 2.00 0.7
PO7 Manage IT Human resources 3.00 3 3 3 3 3 3 3.00 3.00 3.00 3.00 3.00 3.00 3.00
PO8 Manage quality 1.00 1 1 1 1 1 1 1.00 1.00 1.00 1.00 1.00 1.00 1.00
PO9 Assess and manage IT risks 3.00 3 3 3 3 3 3 3.00 3.00 3.00 3.00 3.00 3.00 3.00
PO10 Manage projects 2.25 3 2 2 2 2 3 3.00 3.00 3.00 2.00 3.00 3.00 3.00 0.8
AI1 Identify automated solutions 2.50 2 2 1 2 2 2.5 3.00 2.50 2.50 1.00 2.00 3.00 3.00 0.5
AI2 Acquire and maintain application software 2.50 2.5 2.5 2 2 2.5 2.5 3.00 3.00 3.00 2.50 3.00 3.00 3.00 0.5
AI3 Acquire and maintain technology infrastructure 2.50 3 3 2.5 2.5 1.5 3 3.00 3.00 3.00 3.00 3.00 3.00 3.00 0.5
AI4 Enable operation and use 1.25 1.5 1.5 1 1 1.5 1 2.25 3.00 2.50 1.50 2.50 2.00 2.00 1.0
AI5 Procure IT resources 3.00 3 3 3 3 3 3 3.00 3.00 3.00 3.00 3.00 3.00 3.00
AI6 Manage changes 1.50 1.5 1 1 2 2 2 3.00 3.00 3.00 1.00 3.00 3.00 3.00 1.5
AI7 Install and accredit solutions and changes 1.50 1.5 1 1 2 2 2 3.25 3.00 3.00 1.00 3.00 3.00 3.00 1.8
DS1 Define and manage service levels 1.00 2 2 1 1 1 2 2.00 3.00 3.00 1.00 2.00 2.00 2.00 1.0
DS2 Manage third-party services 2.00 1.5 2 2.5 2 2 2 3.00 2.00 2.00 3.00 3.00 3.00 2.50 1.0
DS3 Manage performance and capacity 1.00 1.5 2 2 1 1 1 2.00 3.00 2.00 3.00 2.00 2.00 2.00 1.0
DS4 Ensure continuous service 2.00 1.5 1 1.5 1.5 1 1.5 2.50 3.00 2.00 2.00 1.50 2.00 2.50 0.5
DS5 Ensure systems security 1.50 1.5 2 2 1.5 1 1.5 2.50 2.00 2.00 3.00 3.00 2.00 2.50 1.0
DS6 Identify and allocate costs 2.75 3 2.5 3 2 3 3 3.00 3.00 3.00 3.00 2.00 3.00 3.00 0.3
DS7 Educate and train users 1.00 1.5 1 1 1 1 1 1.75 2.00 1.50 1.50 1.50 2.00 2.00 0.8
DS8 Manage service desk and incidents 3.50 3 2 3 2.5 2.5 2 4.00 3.00 3.00 3.00 3.00 3.00 3.00 0.5
DS9 Manage the configuration 1.00 1 1 1 1 1 1.5 3.00 3.00 3.00 3.00 3.00 3.00 3.00 2.0
DS10 Manage problems 1.75 2 1.5 2 2 1.5 1.5 3.00 3.00 3.00 3.00 3.00 3.00 2.50 1.3
DS11 Manage data 1.50 2 1.5 1.5 1.5 1 1 2.00 2.00 2.00 2.00 2.00 2.00 2.50 0.5
DS12 Manage the physical environment 2.00 2 2 2 1 1.5 1.5 3.00 2.00 2.00 2.00 2.00 3.00 3.00 1.0
DS13 Manage operations 1.50 2 1 1.5 1.5 2 2 3.00 3.00 2.50 3.00 3.00 3.00 3.00 1.5
ME1 Monitor and evaluate IT performance 2.25 2 2 2 3 3 2 2.50 3.00 3.00 3.00 3.00 3.00 2.50 0.3
ME2 Monitor and evaluate internal control 2.25 3 3 2 2 2 2 3.00 3.00 3.00 2.00 2.00 2.00 2.00 0.8
ME3 Ensure regulatory compliance 2.25 3 2 1 2 3 2 3.00 3.00 3.00 1.00 2.00 3.00 3.00 0.8
ME4 Provide IT Governance 1.75 2 2 1 2 2 2 3.00 3.00 3.00 2.00 3.00 3.00 3.00 1.3


5.3 Areas of improvement aligned to the high level ICT governance roadmap

Each process entry below gives the COBIT 4.1 process, its current and target maturity, the actions agreed, the responsible officials with the action line items assigned to them, the reference to the roadmap line items, and further guidance.

PO1 Define a Strategic IT Plan
Current maturity: 1.5 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Formulate an ICT strategic planning framework and consult on a more regular basis with the business during this process.
2. Formalise the responsibility of IT managers for ICT strategic planning. Consider overall ICT strategic alignment with the business.
Related actions identified in the King III workshop
3. Review and update the existing ICT Strategy.
4. Ensure all business units provide input into the strategy process.
5. Define the service catalogue in conjunction with the business.
Related DPSA framework requirement
6. Ensure that the ICT strategy is incorporated into the Department's strategic plan that will enable the achievement of the Department's objectives (To be implemented in a phased approach).
7. Ensure that the ICT Management Framework comprising management processes, organisational structures, roles and responsibilities, activities and required skills and competencies is defined, approved and implemented (To be implemented in a phased approach).
8. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, both 'APO02 Manage Strategy' and 'APO05 Manage Portfolio' in COBIT 5 are priority processes and should be implemented.

Responsible officials (line items)
Director (D):IT Strategy: 1, 3 - 8 (To be implemented in a phased approach)
Chief Director (CD):IT Strategy and Risk: 2 (To be implemented in a phased approach)

Reference to roadmap: 25. ICT Strategy; 26. ICT Service Catalogue

Further guidance
In order to achieve alignment between the business and ICT, ICT planning should be performed in parallel with strategic planning frameworks published by the Department of National Treasury (e.g. Strategic Plans, Medium-term Expenditure Framework, Risk Management, Annual Performance Plans etc.). Refer to these frameworks for more information on the overall process. Strategic alignment can be planned, amongst others, with the assistance of an enterprise architecture methodology as prescribed in the Government-wide Enterprise Architecture (GWEA Framework). ITIL v3 SD 4.1 provides guidelines for the establishment of a service catalogue.

PO2 Define the information architecture
Current maturity: 1 / Target maturity: 1.5

Actions identified in the COBIT 4.1 workshop
1. Establish the value proposition for Enterprise Architecture (EA) and define the EA strategy. The ISM Function should consider initially training existing staff that have been identified. Once identified staff have been trained, embed EA within the Department aligned to the DPSA requirements (refer to points 3 and 4 below).
Related actions identified in the King III workshop
2. Develop and implement EA within the Department (cover all domains e.g. information, technology, applications, business needs etc.).
Related DPSA framework requirement
3. The Department should consider creating capacity to fulfil the role of an EA (To be implemented in a phased approach).
4. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO03 Manage Enterprise Architecture' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
CD:IT Strategy: 1 (To be implemented in a phased approach)
Head of ISM: 2 - 4 (To be implemented in a phased approach)

Reference to roadmap: 27. EA Strategy; 28. Enterprise Architecture

Further guidance
Refer to the GWEA Framework (and by implication the TOGAF framework).

PO3 Determine technological direction
Current maturity: 2 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Conclude and finalise the technology infrastructure strategy, plan and roadmap.
2. Integrate the infrastructure strategy into the overall ICT strategy.
3. Solidify the technology plans and strategies.
Related actions identified in the King III workshop
4. Develop a green ICT strategy and plan aligned to the Department's overall sustainability objectives. Align the strategy and plans to the DPSA's green ICT policy as well as applicable environmental acts.
Related DPSA framework requirement
5. ICT strategies incorporated into the Department's strategic plan that will enable the achievement of the Department's objectives (To be implemented in a phased approach).

Responsible officials (line items)
D:IT Infrastructure: 1 (To be implemented in a phased approach)
D:IT Strategy Officer: 2 (To be implemented in a phased approach)
D:IT Strategy: 3, 4, 5 (To be implemented in a phased approach)

Reference to roadmap: 21. Technology Strategy (plans and roadmap); 22. Sustainability

Further guidance
Refer to the Government-wide Enterprise Architecture (GWEA) Framework (and by implication the TOGAF framework).

PO4 Define the IT processes, organisation and relationships
Current maturity: 2 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Increase awareness of the ICT organisation as well as the services offered by ISM.
2. Finalise ICT roles and responsibilities. Finalise the organisational structure and align the job descriptions. Fill vacant positions. Upgrade positions that need to be upgraded to ensure market related compensation.
3. Finalise the ICT governance framework and its associated committees.
4. Develop KPIs aligned to the ICT organisation structure.
Related actions identified in the King III workshop
5. Revisit the ICT organisation structure aligned with the strategic direction of the Department.
Related DPSA framework requirement
6. Approved and implemented ICT Management Framework that defines management processes, organisational structures, roles and responsibilities, KPIs, activities as well as required skills and competencies (To be implemented in a phased approach).
7. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO01 Manage the IT Management Framework' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
CD:IT Strategy and Risk: 1 - 7 (To be implemented in a phased approach)

Reference to roadmap: 1. Corporate Governance of Information and Communication Technology (CGICT) Policy Framework & Charter; 3. ICT Management Framework; 7. ISM KPIs; 8. ICT Governance Awareness including ICT organisation structure and ICT services.

Further guidance
COBIT 5 establishes 'Organisational Structures' as an important enabler and should consider the following at a minimum:
    Operating principles (The practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules);
    Composition (Structures have members, who are internal or external stakeholders);
    Span of control (The boundaries of the organisational structure's decision rights);
    Level of authority/decision rights (The decisions that the structure is authorised to take);
    Delegation of authority (The structure can delegate (a subset of) its decision rights to other structures reporting to it); and
    Escalation procedures (The escalation path for a structure describes the required actions in case of problems in making decisions).

PO5 Manage the IT investment
Current maturity: 2.75 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Formalise benefits realisation on projects. Consideration should be given to updating the existing Project Management Framework.
Related actions identified in the King III workshop
2. Report on Return on Investment (ROI) from ICT investments and projects as part of the ExCo / Director General (DG) reporting process.
3. Ensure management has a clear view on the ownership of IT costs across the Department.
4. Measure the value received from ICT.
Related DPSA framework requirement
5. Approved and implemented Departmental Portfolio Management Framework that includes ICT portfolio/programme and project management (To be implemented in a phased approach).
6. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO05 Manage Portfolio' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
D:IT Strategy: 1, 5, 6 (To be implemented in a phased approach)
CD:IT Strategy: 2, 3, 4 (To be implemented in a phased approach)

Reference to roadmap: 12. Value Delivery; 24. ICT Portfolio Management Framework

Further guidance
The Information Technology Infrastructure Library (ITIL) SS 5.1 process has guidance on ICT financial management and ROI. The ValIT Framework from ISACA deals exclusively with ICT value management practices.

PO6 Communicate management aims and direction
Current maturity: 1.5 / Target maturity: 2.25

Actions identified in the COBIT 4.1 workshop
1. Define a communication strategy for ICT aims and direction.
2. Establish ICT coordinators meetings.
3. Establish a regional heads forum.
4. Formalise the interaction at the ICT Steering Committee and ensure that the business forms part of the ICT Steering Committee. Consideration should be given to promoting ICT presence at ExCo level.
Related actions identified in the King III workshop
5. Develop an ICT policy framework.
6. Ensure ICT governance is a standing item on the ExCo agenda and discussed at every ExCo meeting.
7. Provide regular feedback on implementation of ICT governance across the Department.
8. The ICT Steering Committee terms of reference should be reviewed on a periodic basis to ensure that they are up-to-date, relevant and effective.
9. Develop and roll out ICT governance awareness training across the Department.
Related DPSA framework requirement
10. Approved and implemented Corporate Governance of ICT Policy Framework and ICT Charter (To be implemented in a phased approach).
11. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
12. A Governance Champion designated and responsibilities allocated (To be implemented in a phased approach).

Responsible officials (line items)
D:IT Strategy: 1, 3 (To be implemented in a phased approach)
D:Business Relationship Management: 2 (To be implemented in a phased approach)
D:ICT Governance and Compliance: 4 - 12 (To be implemented in a phased approach)

Reference to roadmap: 1. CGICT Policy Framework & Charter; 2. Governance of ICT Framework; 6. ICT Policies; 8. ICT Governance Awareness; 11. Monitoring

Further guidance
ICT policies can be communicated in a number of ways including through the human resources induction process, signing of policies, clicking through a logon screen, e-mail communication, publishing on an intranet, or formal awareness campaigns.

PO7 Manage IT Human resources
Current maturity: 3 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Continuous team communication to promote transparency / trust ("tone at the top"). Discuss the staff motivation challenge at Management Committee level.

Responsible officials (line items)
All ICT Directors/Chief Directors: 1 (To be implemented in a phased approach)

Reference to roadmap: N/A

Further guidance
N/A

PO8 Manage quality
Current maturity: 1 / Target maturity: 1

Actions identified in the COBIT 4.1 workshop
1. None

Responsible officials (line items)
CD:ICT Optimisation and QA; Director: Quality Assurance: None (information only)

Reference to roadmap: N/A

PO9 Assess and manage IT risks
Current maturity: 3 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. ISM Management should consider delving further into the ICT risks i.e. generic risks vs. risks that apply to individual environments.
Related DPSA framework requirement
2. Approved and implemented Risk Management Policy that includes the management of business-related ICT risks (To be implemented in a phased approach).
3. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO12 Manage Risk' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
D:ICT Governance and Compliance: 1 - 3 (To be implemented in a phased approach)

Reference to roadmap: 4. Risk Management Policy

Further guidance
None.

PO10 Manage projects
Current maturity: 2.25 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Review and formalise the existing project management methodology.
Related actions identified in the King III workshop
2. Ensure that the documentation and retention of lessons learnt for all ICT projects are stored centrally for future use.
3. Ensure that post implementation reviews are conducted and reported on to the relevant stakeholders.
4. Ensure project management standards and principles are applied to all ICT projects.
5. Report on ROI from ICT investments and projects as part of the ExCo / DG reporting process.
Related DPSA framework requirement
6. Approved and implemented Departmental Portfolio Management Framework that includes ICT portfolio/programme and project management (To be implemented in a phased approach).
7. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'BAI01 Manage Programmes and Projects' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
D:ICT Project Portfolio Management: 1, 6, 7 (To be implemented in a phased approach)
D:ICT Project Portfolio Management & D:ICT Governance and Compliance: 2, 3, 4, 5 (To be implemented in a phased approach)

Reference to roadmap: 12. Value Delivery; 24. ICT Portfolio Management Framework; 29. ICT Project Practices (e.g. lessons learnt and post implementation reviews)

Further guidance
PMBOK and PRINCE2 are industry standards that provide project management good practices. COBIT 4.1/5 also includes key ICT project controls. Consideration should be given to using automated project and portfolio management tools.

AI1 Identify automated solutions
Current maturity: 2.5 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Raise awareness of the need to approve ICT projects based on business benefits.
2. Define responsibilities and accountability for identifying automated solutions.
3. Formalise existing practices into a Systems Development Lifecycle (SDLC) framework document.

Responsible officials (line items)
D:ICT Project Portfolio Management & D:Business Analysis: 1 - 3 (To be implemented in a phased approach)

Reference to roadmap: 8. ICT Governance Awareness; 11. Monitoring; 3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
Consideration should be given to the following when developing or updating the SDLC framework: COBIT 4.1/5, ITIL v3, ISO 27002, CMMi and OpenSAMM (which focuses on the risks and controls of web development).

AI2 Acquire and maintain application software
Current maturity: 2.5 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Ensure vacant positions in testing have been filled and software development services are acquired.
2. Formalise existing practices into the SDLC framework document.
3. Acquire business analysis and testing tools.

Responsible officials (line items)
D:Business Analysis & CD:ICT Optimisation and Quality Assurance: 1 - 3 (To be implemented in a phased approach)

Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Processes

AI3 Acquire and maintain technology infrastructure
Current maturity: 2.5 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Ensure roles and responsibilities for the technology infrastructure have been defined in the ICT Management framework and embedded into the day to day operations of ISM.
2. ISM should build a suitable lab environment for testing tools. Security requirements should be considered e.g. segregation of duties.

Responsible officials (line items)
D:IT Infrastructure: 1, 2 (To be implemented in a phased approach)

Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes; 21. Technology Strategy; 37. ITSM Tools and Processes

Further guidance
The ITIL ST 4.4 process provides guidance on establishing a testing environment.

AI4 Enable operation and use
Current maturity: 1.25 / Target maturity: 2.25

Actions identified in the COBIT 4.1 workshop
1. Define the framework for deploying ICT solutions to end-users.
2. Embed responsibilities into performance agreements between the business and ISM e.g. business system ownership.
3. Improve the process to transfer knowledge from development to operations teams.

Responsible officials (line items)
D:Business Systems: 1, 3 (To be implemented in a phased approach)
D:Business Relationship Management: 2 (To be implemented in a phased approach)

Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL ST 4.4 process provides guidance on deployment of solutions, as well as knowledge transfer.

AI5 Procure IT resources
Current maturity: 3 / Target maturity: 3
Actions: N/A
Reference to roadmap: N/A

AI6 Manage changes and AI7 Install and accredit solutions and changes
Current maturity: 1.5 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Review the Change Control Board (CCB) terms of reference to ensure that they are up-to-date, effective and relevant, including the membership of the CCB.
2. Ensure that the change and release management process and procedures are defined accurately to ensure efficiency and effectiveness. ISM Management should enforce the process and procedures rigorously within the Department.

Responsible officials (line items)
D:Business Systems, D:Quality Assurance & CD:ICT Optimisation and Quality Assurance: 1, 2 (To be implemented in a phased approach)

Reference to roadmap: 20. ITSM Processes; 30. ICT Service Providers; 37. ITSM Tools and Processes

Further guidance
The ITIL ST 4.2 and ST 4.4 processes provide guidance on Change and Release Management. Change Management is also a primary focus of COBIT and ISO 27002.

DS1 Define and manage service levels
Current maturity: 1 / Target maturity: 2

Actions identified in the COBIT 4.1 workshop
1. Set up Service Level Agreements (SLAs) with the business as they relate to infrastructure support and business applications.
2. Ensure that the existing EOH, SITA and SITA VPN contracts become the responsibility of the ISM function. Translate these responsibilities into the business and ISM responsibilities/roles.
Related actions identified in the King III workshop
3. Develop and implement SLAs / Operational-Level Agreements (OLAs) within the Department.
4. Monitor and report on outcomes of SLAs / OLAs to ExCo.
5. Define a service catalogue in conjunction with the business.

Responsible officials (line items)
CD:ICT Service Delivery and Stakeholder Management & D:Service Delivery: 1 - 5 (To be implemented in a phased approach)

Reference to roadmap: 20. ITSM Processes; 31. OLAs with the business; 32. SLAs with the business; 37. ITSM Tools and Processes

Further guidance
Service catalogues should be reviewed on a periodic basis to ensure that these are up-to-date and relevant.

DS2 Manage third-party services
Current maturity: 2 / Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Establish formal interaction with service providers i.e. an Engagement Model.
2. Strengthen the relationships between service delivery management and other teams (specifically ICT infrastructure and business systems).
Related actions identified in the King III workshop
3. Report on effectiveness of ICT governance and service delivery by third party service providers relating to IT goods/services being outsourced.
4. Relook at SLA / contract management as well as enforcement of penalties for non-performance.
Related DPSA framework requirement
5. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO10 Manage Suppliers' in COBIT 5 is a priority process and should be implemented.

Responsible officials (line items)
CD:ICT Service Delivery and Stakeholder Management & D:Service Delivery: 1, 2 (To be implemented in a phased approach)
D:IT Sourcing: 3 - 5 (To be implemented in a phased approach)

Reference to roadmap: 20. ITSM Processes; 30. ICT Service Providers; 37. ITSM Tools and Processes; 38. Supplier Audits

Further guidance
The ITIL v3 SD 4.2 process provides guidance on Service Level Management and SD 4.7 on Supplier Management. Management should consider performing ISAE 3402 audits. The ISAE 3402 standard is an international standard for auditing supplier environments.

DS3 Manage performance and capacity
Current maturity: 1; Target maturity: 2

Actions identified in the COBIT 4.1 workshop
1. Clearly define the technology capacity targets of IT resources, as well as the measurement approach and the responsibility to collect the measurement data and produce meaningful reporting. The responsibility to action the report outcomes must also be defined and implemented.

Responsible officials / Line item
- D:IT Infrastructure / 1 (To be implemented in a phased approach)

Reference to roadmap
20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL v3 SD 4.3 process provides guidance on Capacity Management.

DS4 Ensure continuous service
Current maturity: 2.0; Target maturity: 2.5

Actions identified in the COBIT 4.1 workshop
1. Ensure that the ICT continuity strategy, policy, plan and conceptual architecture are aligned to the DPSA framework as well as to the Departmental business continuity plan.
2. Commence with technology solution implementation, subject to availability of funding.

Related actions identified in the King III workshop
3. Align the ICT continuity capability to the overall business continuity programme.
4. Ensure that business impact assessments are performed on a periodic basis and kept up to date.
5. Formalise the business continuity programme - develop formal business continuity plans (BCPs) for all branches.
6. Ensure that these plans are tested on a regular basis.
7. Perform end-to-end ICT continuity testing.

Related DPSA framework requirement
8. Approved ICT Continuity Plan informed by the Departmental Business Continuity Plan and Strategy.
9. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS04 Manage continuity' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:IT Infrastructure / 1 - 9 (To be implemented in a phased approach)

Reference to roadmap
33. Business Impact Assessment; 34. ICT Continuity Strategy; 35. ICT Continuity Implementation

Further guidance
The ITIL v3 SD 4.4 and 4.5 processes provide guidance on ICT Continuity Management.
Management should also consider standards such as ISO 27031, BS25999 and the Uptime Institute Tier classification for data centres for further information and guidance.

DS5 Ensure systems security
Current maturity: 1.5; Target maturity: 2.5

Actions identified in the COBIT 4.1 workshop
1. Develop the information security strategy based on the business requirements for information security. Develop the information security plan based on the information security strategy.
2. Review and update/develop the information security policy landscape accordingly.

Related actions identified in the King III workshop
3. Formalise an information security strategy. Once approved, the information security strategy should be implemented and monitored.
4. Identify all sensitive and personal information across the Department and classify it according to the Information Security Policy.
5. Assign appropriate handling criteria to all information, including information in electronic form (with guidance and direction from the business).
6. Focus on ensuring that security awareness is bedded down in the Department. Develop a security awareness plan and roll out awareness across the Department (consideration should be given to the use of technology for user training).

Related DPSA framework requirement
7. Approved and implemented ICT Security Policy (To be implemented in a phased approach).
8. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO13 Manage Security' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:IT Infrastructure & D:ICT Governance and Compliance / 1 - 8 (To be implemented in a phased approach)

Reference to roadmap
14. Information Security Strategy; 15. Information Security Policy; 16. Information Handling; 17. Implement Security; 18. Security Awareness; 19. Security Reporting; 20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
Information security is usually deployed using the Information Security Management System (ISMS) lifecycle approach (refer to ISO 27001). The key generic activities related to an ISMS include:
- obtaining senior management commitment for information security;
- understanding the Department;
- identifying key risks and vulnerabilities;
- identifying key laws and regulations;
- developing action plans to address risks and vulnerabilities;
- developing security governance, including structures, processes, and roles and responsibilities;
- developing information security policies;
- developing an implementation strategy;
- providing sufficient information security resources;
- operating information security;
- providing training and awareness;
- detecting and responding to information security incidents;
- conducting audits of information security controls; and
- improving information security controls (the lifecycle process repeats).

Further guidance can be obtained from the ISO 27000 series, COBIT 4.1/5, the Minimum Information Security Standards, the Information Security Forum, OpenSAMM etc.

DS6 Identify and allocate costs
Current maturity: 2.75; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Formally document the ICT cost allocation process and entrench the roles and responsibilities within ISM.
2. Perform a skills assessment on staff to understand the level of financial management skills.

Related actions identified in the King III workshop
3. Ensure management has a clear view on the ownership of IT costs across the Department.

Responsible officials / Line item
- All CDs and Ds / 1 - 3 (To be implemented in a phased approach)

Reference to roadmap
3. ICT Management Framework; 20. ITSM Processes

Further guidance
ITIL v3 SS 5.1 provides guidance on ICT Financial Management.

DS7 Educate and train users
Current maturity: 1; Target maturity: 1.75

Actions identified in the COBIT 4.1 workshop
1. Work in collaboration with Justice College to formalise an ICT training plan (especially basic computer literacy and business applications training).
2. Work in collaboration with Justice College to ensure implementation of the training required.

Responsible officials / Line item
- D:ICT Project Portfolio Management & D:Business Systems / 1, 2 (To be implemented in a phased approach)

Reference to roadmap
23. Justice College

DS8 Manage service desk and incidents
Current maturity: 3.5; Target maturity: 4

Actions identified in the COBIT 4.1 workshop
1. Finalise the processes as they relate to Service Desk and Incident Management. Implement the processes on the tool of choice (ITSM7 and CMDB project).
2. Implement the internal operating model.

Responsible officials / Line item
- CD:IT Service Management and Stakeholder Management & D:ICT Service Delivery / 1 (To be implemented in a phased approach)
- Head of ISM / 2 (To be implemented in a phased approach)

Reference to roadmap
20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL v3 SD 4.1, 4.2, 4.3 and 6.2 processes provide guidance on Service Desk and Incident Management.

DS9 Manage the configuration
Current maturity: 1; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Implement the full Configuration Management Database (CMDB). Once implemented, ISM Management should ensure that the CMDB is sustained.

Responsible officials / Line item
- D:IT Infrastructure, D:ICT Service Delivery & CD:IT Service Management and Stakeholder Management / 1 (To be implemented in a phased approach)

Reference to roadmap
20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL v3 ST 4.3 process provides guidance on Service Asset and Configuration Management.

DS10 Manage problems
Current maturity: 1.75; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Finalise the Problem Management process.
2. Clearly define roles and responsibilities for Problem Management.

Responsible officials / Line item
- CD:IT Service Management and Stakeholder Management / 1, 2 (To be implemented in a phased approach)

Reference to roadmap
3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL v3 SO 4.4 process provides guidance on Problem Management.

DS11 Manage data
Current maturity: 1.5; Target maturity: 2

Actions identified in the COBIT 4.1 workshop
1. Ensure that IT disposal forms part of the Supply Chain Management (SCM) policy.
2. Finalise the storage and retention requirements for both paper-based and electronic files as well as electronic mail.
3. Define and implement a media library for the Department.
4. Review and update the Backup and Restoration Policy and related processes, e.g. DCRS (Digital Court Recording System).
5. Ensure that full responsibility is assigned to the relevant staff.

Responsible officials / Line item
- D:IT Sourcing / 1 (To be implemented in a phased approach)
- D:IT Infrastructure and D:ICT Governance and Compliance / 2 - 5 (To be implemented in a phased approach)

Reference to roadmap
3. ICT Management Framework; 6. ICT Policies; 20. ITSM Processes; 37. ITSM Tools and Processes

DS12 Manage the physical environment
Current maturity: 2; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Take over control of the air conditioners and consolidate the physical equipment in the data centres.

Related DPSA framework requirement
2. Approved and implemented ICT Security Policy (To be implemented in a phased approach).
3. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS01 Manage Operations' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:IT Infrastructure / 1 - 3 (To be implemented in a phased approach)

Reference to roadmap
36. Data Centres; 37. ITSM Tools and Processes

Further guidance
None.

DS13 Manage operations
Current maturity: 1.5; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Finalise and implement ICT operational processes.

Related DPSA framework requirement
2. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS01 Manage Operations' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:IT Infrastructure / 1, 2 (To be implemented in a phased approach)

Reference to roadmap
20. ITSM Processes; 37. ITSM Tools and Processes

Further guidance
The ITIL v3 SO sections 4.3, 5 and 6 provide guidance on ICT operations.

ME1 Monitor and evaluate IT performance
Current maturity: 2.25; Target maturity: 2.5

Actions identified in the COBIT 4.1 workshop
1. Once performance measurement results are known, ISM Management should take the relevant action.
2. Integrate the ISM performance report into the performance agreements of ISM staff.

Related actions identified in the King III workshop
3. Define the service catalogue in conjunction with the business.
4. Develop a formal ICT value proposition. Maintain and review the ICT value proposition on a periodic basis.
5. Align performance metrics to the value proposition.
6. Measure the value received from ICT, including from ICT strategic projects and investments.
7. Report on value delivery to ExCo.
8. Report on ROI from IT investments and projects as part of the ExCo / DG reporting process.

Related DPSA framework requirement
9. Approved ICT Annual Performance Plan for 2015 to 2016 with a description of how it will be monitored (To be implemented in a phased approach).
10. Improve Corporate Governance of ICT (Continuous Improvement Roadmap) (To be implemented in a phased approach).
11. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'MEA01 Monitor, Evaluate and Assess Performance and Conformance' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:IT Strategy & CD:IT Strategy / 1 - 6, 10, 11 (To be implemented in a phased approach)
- Head of ISM / 7 - 9 (To be implemented in a phased approach)

Reference to roadmap
7. ISM KPIs; 12. Value Delivery; 13. Optimisation; 26. ICT Service Catalogue

Further guidance
ISM Management should consider the following when evaluating ICT value:
- aligning the ICT function's performance with the business performance objectives;
- embedding Return on Investment thinking when considering the ICT budget and projects;
- monitoring Return on Investment post-implementation of projects;
- developing an ICT balanced scorecard;
- developing service level agreements between ICT and the business; and
- conducting user satisfaction surveys.

ITIL v3 SD 4.1 provides guidelines for the establishment of a service catalogue.

ME2 Monitor and evaluate internal control
Current maturity: 2.25; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. ISM Management to agree the ICT audit approach with the internal audit function.

Related actions identified in the King III workshop
2. Develop, implement and monitor an ICT internal control framework and report outcomes on progress to ExCo / DG.
3. ISM Management should regularly monitor adherence to internal policies, processes, standards and procedures.
4. Non-compliance with internal policies, processes, standards and procedures should be dealt with in a consistent manner aligned to an approved non-compliance process.
5. Management should consider ways in which ICT can be used for the purposes of risk management and compliance with relevant laws, regulations and standards.

Related DPSA framework requirement
6. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
7. Approved and implemented Internal Audit Plan that includes ICT audits (To be implemented in a phased approach).

Responsible officials / Line item
- D:ICT Governance and Compliance / 1 - 7 (To be implemented in a phased approach)

Reference to roadmap
2. Governance of ICT Framework; 5. Compliance; 9. ICT Audits; 10. ICT Audit Action Plan; 11. Monitoring

Further guidance
ISM Management should implement controls that are relevant to their environment, based on the ICT risks and risk profile.

ME3 Ensure regulatory compliance
Current maturity: 2.25; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Deliver on the IT audit requirements defined by the Compliance Unit in relation to ensuring regulatory compliance.

Related actions identified in the King III workshop
2. Identify all ICT-related laws, regulations, codes and standards that the Department needs to comply with.
3. Based on point 2, develop a checklist and perform periodic reviews against it.
4. Identify areas of improvement and remediation actions.
5. Report the outcomes of these ICT compliance reviews to the ExCo / DG.

Related DPSA framework requirement
6. Approved ICT Continuity Plan informed by the Departmental Business Continuity Plan and Strategy.

Responsible officials / Line item
- D:ICT Governance and Compliance / 1 - 6 (To be implemented in a phased approach)

Reference to roadmap
5. Compliance; 9. ICT Audits; 10. ICT Audit Action Plan; 11. Monitoring

Further guidance
None.

ME4 Provide IT Governance
Current maturity: 1.75; Target maturity: 3

Actions identified in the COBIT 4.1 workshop
1. Finalise the ICT governance framework (achieving Phase 1 of the DPSA framework) (To be implemented in a phased approach).
2. Obtain buy-in from the business.

Related actions identified in the King III workshop
3. Integrate the ICT governance framework into the overall corporate governance framework.
4. Ensure ICT governance is a standing item on the ExCo agenda and is discussed at every ExCo meeting.
5. Provide regular feedback on the implementation of ICT governance across the Department.
6. Develop and roll out ICT governance awareness training across the Department.
7. Develop metrics to monitor the effectiveness of IT governance awareness training.
13. The ICT Steering Committee terms of reference should be reviewed on a periodic basis to ensure that they are up to date, relevant and effective.
8. Ensure continuous improvement of the ICT governance framework and charter.

Related DPSA framework requirement
9. Approved and implemented Corporate Governance of ICT Policy Framework and ICT Charter (To be implemented in a phased approach).
10. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
11. A Governance Champion designated and responsibilities allocated (To be implemented in a phased approach).
12. Improve Corporate Governance of ICT (Continuous Improvement Roadmap) (To be implemented in a phased approach).
13. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'EDM01 Governance framework setting and maintenance' in COBIT 5 is a priority process and should be implemented.

Responsible officials / Line item
- D:ICT Governance and Compliance / 1 - 13 (To be implemented in a phased approach)

Reference to roadmap
1. CGICT Policy Framework & Charter; 2. Governance of ICT Framework; 3. ICT Management Framework; 8. ICT Governance Awareness; 13. Optimisation

Further guidance
Refer to the DPSA CGICT Policy Framework for more information.

Table 17: Detail underpinning the roadmap
