ICT GOVERNANCE ROADMAP
FY2014 to FY2016
DOJ&CD ICT Governance Roadmap
Page 2 of 46
Table of Contents
1 Abbreviations (p. 4)
2 Background (p. 5)
3 High-level ICT governance roadmap (p. 6)
4 King III ICT governance assessment results (p. 7)
5 COBIT assessment results (p. 19)
6 Recommender
7 Approver
List of Figures
Figure 1: DOJ&CD ICT Governance Roadmap (high-level) (p. 6)
Figure 2: DOJ&CD King III assessment results (ICT governance focus area view) (p. 11)
Figure 3: DOJ&CD King III assessment results (King III principles view) (p. 18)
Figure 4: COBIT 4.1 framework (p. 19)
List of Tables
Table 1 : Abbreviations (p. 4)
Table 2 : IT governance focus areas (p. 8)
Table 3 : King III IT governance principles (p. 9)
Table 4 : King III assessment rating scale (p. 9)
Table 5 : DOJ&CD King III assessment results (ICT governance focus area view) (p. 11)
Table 6 : DOJ&CD King III assessment results (King III principles view – P1) (p. 12)
Table 7 : DOJ&CD King III assessment results (King III principles view – P2) (p. 13)
Table 8 : DOJ&CD King III assessment results (King III principles view – P3) (p. 14)
Table 9 : DOJ&CD King III assessment results (King III principles view – P4) (p. 14)
Table 10 : DOJ&CD King III assessment results (King III principles view – P5) (p. 15)
Table 11 : DOJ&CD King III assessment results (King III principles view – P6) (p. 16)
Table 12 : DOJ&CD King III assessment results (King III principles view – P7) (p. 17)
Table 13 : COBIT 4.1 assessment colour scheme (p. 20)
Table 14 : COBIT 4.1 maturity rating scale (p. 21)
Table 15 : COBIT 4.1 maturity levels across the 6 dimensions assessed (p. 22)
Table 16 : DOJ&CD COBIT 4.1 assessment (p. 23)
Table 17 : Detail underpinning the roadmap (p. 45)
1 Abbreviations
Abbreviation Definition
CD / D Chief Director / Director
CGICT Corporate Governance of Information and Communication Technology
COBIT Control Objectives for Information and Related Technology
DOJ&CD / the Department Department of Justice and Constitutional Development (reference to the Department includes public administration in all spheres of government, organs of state and public enterprises, as per Section 195 of the Constitution, Act No 108 of 1996, as amended, under the control of the DOJ&CD).
DPSA Department of Public Service and Administration
EA Enterprise Architecture
ExCo Executive Committee
FOSAD Forum of South African Director Generals
GITO Government Information Technology Officer
GWEA Government Wide Enterprise Architecture
ICT Information and Communication Technology
IT Information Technology
ISM Information and Systems Management. Also referred to as the ICT component.
ISO International Organisations for Standardisation
ITIL Information Technology Infrastructure Library
MPAT Management Performance Assessment Tool
OLA Operational-level Agreement
ROI Return on Investment
SCM Supply Chain Management
SLA Service Level Agreement
Table 1 : Abbreviations
2 Background
2.1 The Department has decided to intensify the use of Information and Communication Technology (ICT) as a strategic business enabler to deliver justice services more effectively and efficiently. The Department's Strategic Plan for the period 2012 – 2017 raises a number of concerns about the current state of the Department's ICT landscape, but also identifies opportunities where the use of ICT can add significant value to the Department.
2.2 The Department's Internal Audit and Risk Management functions, together with the Presidency's Management Performance Assessment Tool (MPAT) and Forum of South African Director Generals (FOSAD) assessments, indicated that the Governance of ICT within the Department was not at the expected level of maturity.
2.3 In recognition of the importance of the Governance of ICT, a number of internationally recognised frameworks and standards, such as the King III Code and Control Objectives for Information and Related Technology (COBIT), have been developed to provide context for the institutionalisation of Corporate Governance of ICT.
2.4 A Public Service-wide oversight structure was established by the Department of Public Service and Administration (DPSA) to foster an integrated approach to the Corporate Governance of ICT and to ensure proper coordination between stakeholders. This is established in the Corporate Governance of ICT Policy Framework, with which the Department has to comply.
2.5 In response to the above factors, the Department developed a 'Corporate Governance of ICT Policy Framework' and a 'Corporate Governance of ICT Charter'. The Department also conducted an assessment against the King III IT governance principles and recommendations, as well as against the processes of the COBIT 4.1 framework, to determine the current level of ICT maturity. Based on the outcome of the assessments and on discussions with relevant stakeholders within the Information and Systems Management (ISM) function, the ICT governance roadmap overleaf (Figure 1) depicts the recommended activities / initiatives that the Department should consider over the next three years.
3 High-level ICT governance roadmap
Figure 1 below provides high-level recommendations of the ICT governance activities / initiatives that the Department should consider over the next three years (FY2014 – FY2016), based on the areas of improvement identified.
Figure 1: DOJ&CD ICT Governance Roadmap (high-level)
[Figure 1 is a timeline spanning FY2014, FY2015 and FY2016. Initiatives are plotted on a Tactical-to-Strategic axis and a Service Centric / ICT Centric axis, across four streams: ICT Governance, Information Security, Strategy, and ICT Service Management. The numbered initiatives shown in the figure are:]
1 CGICT Policy Framework & Charter: Develop, approve and implement the ICT governance framework.
2 Governance of ICT Framework: Develop, implement and monitor an IT internal control framework (CobiT 5).
3 ICT Management Framework: Review ICT organisation and finalise roles and responsibilities. Fill vacant positions.
4 Risk Management Policy: Include ICT risk management within the risk management policy and approve the policy.
5 Compliance: Identify laws and regulations and ensure compliance.
6 ICT Policies: Develop an IT policy framework.
7 ISM KPIs: Embed ICT performance measures within staff KPIs.
8 ICT Governance Awareness: Define a communication strategy for ICT aims and direction to business stakeholders and ICT staff.
9 ICT Audits: Agree the ICT audit approach and include ICT audits within the Internal Audit Plan.
10 ICT Audit Action Plan: Deliver on the audit action plan and the requirements from the compliance unit action plan.
11 Monitoring: Establish monitoring of internal policies, procedures and processes.
12 Value Delivery: Report on ICT value delivery and performance measures.
13 Optimisation: Ongoing review of ICT governance.
14 Security Strategy: Develop a security strategy based on business requirements for security.
15 Security Policies: Update and approve the security policy landscape.
16 Information Handling: Establish classification and handling criteria for electronic information.
17 Implement Security: Continuous implementation of the security strategy.
18 Security Awareness: Roll out a security awareness programme.
19 Security Reporting: Establish security reporting.
20 ITSM Processes: Finalise ICT Service Management processes, e.g. Change Management, Service Desk, Incident Management, Problem Management, Capacity Management, SLA/Contract Management, Storage, Backup and Retention, and Systems Development Life Cycle.
21 Technology Strategy: Conclude the technology infrastructure strategy, plan and roadmap.
22 Sustainability: Develop a green IT strategy and plans.
23 Justice College: Work with Justice College to formalise the IT training plan and ensure implementation.
24 ICT Portfolio Management Framework: Develop a framework for ICT portfolio/programme and project management.
25 ICT Strategy: Review and update the existing ICT strategy, aligned to the business.
26 ICT Service Catalogue: Define the service catalogue with the business.
27 EA Strategy: Define the enterprise architecture value proposition and strategy.
28 Enterprise Architecture: Develop and implement enterprise architecture.
29 ICT Project Practices: Apply project management principles to all ICT projects.
30 ICT Service Providers: Identify all ICT service providers and formalise relationships between partners.
31 OLAs: Develop, implement and monitor OLAs.
32 SLAs with Business: Establish SLAs with the business, including the responsibility of the business.
33 Business Impact Assessment: Perform a business impact assessment for ICT continuity.
34 ICT Continuity Strategy: Complete the IT continuity strategy, policy, plan and architecture.
35 ICT Continuity Implementation: Implement and test the ICT continuity strategy.
36 Data Centres: Take control of air conditioners and consolidate data centre equipment.
37 ITSM Tools and Process: Implement ICT Service Management processes on the tools of choice.
38 Supplier Audits: Report on ICT governance and service delivery by third party service providers.
4 King III ICT governance assessment results
4.1 Introduction to King III Chapter 5
The South African corporate governance landscape has been shaped and pushed to the forefront of
global best practice over the last two decades by the findings and guidelines laid down by the King
Committee. With the release of the third iteration in September 2009, these governance principles
have been further expanded and enhanced to keep pace with global developments and cater for the
demands of the ever-changing modern business environment.
The King III report has been divided into nine chapters, each focusing on a specific area of
governance. For the first time since the launch of the King reports, Information Technology (IT) has
been included in a separate chapter, recognising the growing importance of adequate governance
over the IT function as it becomes more and more pervasive within modern-day organisations and
their operations.
Chapter 5 of the King III report is divided into seven principles, each with a number of
recommendations (48 in total) that serve as guidelines for alignment to generally accepted good
practice in the IT governance arena.
The seven principles are:
5.1 The board should be responsible for information technology (IT) governance;
5.2 IT should be aligned with the performance and sustainability objectives of the company;
5.3 The board should delegate to management the responsibility for the implementation of an IT
governance framework;
5.4 The board should monitor and evaluate significant IT investment and expenditure;
5.5 IT should form an integral part of the company's risk management;
5.6 The board should ensure that information assets are managed effectively; and
5.7 A risk committee and audit committee should assist the board in carrying out its IT
responsibilities.
4.2 King III assessment findings
In December 2012, PwC facilitated an assessment against the King III principles and recommendations through a workshop session with ISM management. The main objective of the assessment was to assist ISM management in assessing the Department's maturity against the King III ICT principles and recommendations, and to identify areas for improvement.
The workshop covered the following 13 IT governance focus areas, as well as the 7 IT governance principles contained in Chapter 5 of the King III report:
# IT governance focus area
1 IT strategy and business & IT alignment
2 IT value delivery & performance management
3 Information security and management
4 IT governance framework
5 Roles and responsibilities
6 IT compliance to laws and regulations
7 Business continuity / disaster recovery
8 IT project management & benefit realisation
9 IT sustainability
10 IT risk management
11 Third Party management
12 Acquisitions and disposals
13 IT cost management
Table 2 : IT governance focus areas
Principle # Principle description
5.1 The Board should be responsible for IT Governance.
5.2 IT should be aligned with the performance and sustainability objectives of the company.
5.3 The Board should delegate to management the responsibility for the implementation of an IT
governance framework.
5.4 The Board should monitor and evaluate significant IT investment and expenditure.
5.5 IT should form an integral part of the company's risk management.
5.6 The Board should ensure that information assets are managed effectively.
5.7 A risk committee and audit committee should assist the Board in carrying out its IT
responsibilities.
Table 3 : King III IT governance principles
The summarised results from the IT governance assessment performed against the 13 IT governance focus areas and against the 7 King III IT governance principles are shown in the spider diagrams (Figure 2 and Figure 3) on the following pages.
The rating scale used to populate our assessment tool is as follows (answer to assessment question, rating, explanation):
Yes/always (5): Controls and/or processes are formal and optimised, and are applied without fail. Responsibility and accountability for control application/execution has been adequately assigned.
To a large extent (4): Controls and/or processes are mostly formalised and defined, and applied regularly.
To some extent (3): Controls and/or processes can be seen as repeatable and formalised to a certain extent; attempts are made to apply controls repeatedly.
Rarely (2): Controls and/or processes exist but are applied infrequently, and require a fair amount of formalisation.
No/never (1): Controls and/or processes are non-existent, or are never applied.
Table 4 : King III assessment rating scale
4.3 Benchmarking data
With the release of the King III report in September 2009, organisations have performed King III IT governance assessments to determine their maturity levels against the principles and recommendations of 'Chapter 5: Governance of IT' in the King III report.
We have compared the outcome of the King III IT governance assessment performed at the Department with the assessments that we have performed since September 2009, to provide you with an indication of how you compare with other organisations in this respect. Our benchmark repository contains information built up from equivalent reviews at other clients. All client data is anonymised and is not mentioned or referenced in any way.
As with all benchmarks, the analysis should be treated as indicative rather than comprehensive. Different organisations may exhibit different IT governance arrangements and may require different levels of control over their IT activities.
Our benchmarking data, as shown in the table below, has been collated from performing King III IT governance assessments at 46 South African companies across the following industries: Healthcare; Asset Management; Investment; Government / Parastatal; Mining; Technology and Telecoms; Manufacturing; Distribution; Pharmaceuticals; Industrial; Insurance; Medical Aid; Higher Education; Financial institutions.
Tables 5 and 6 and Figures 2 and 3 are based on the Department's maturity scores for the IT governance focus areas and the King III Chapter 5 IT governance principles, mapped against our benchmarked averages for the corresponding areas. Focus areas where the Department has scored higher than the overall benchmarked average have been highlighted in green, and those where the Department has scored lower than the overall benchmarked average have been highlighted in red.
IT governance focus area The Department Benchmark averages
IT strategy and business & IT alignment 3.75 3.76
IT value delivery & performance management 2.17 3.14
Information security and management 2.90 3.09
IT governance framework 1.75 2.79
Roles and responsibilities 3.92 3.42
IT compliance to laws and regulations 3.33 3.00
Business continuity / disaster recovery 3.00 3.41
IT project management & benefit realisation 3.00 2.98
IT sustainability 2.50 3.25
IT risk management 4.00 4.02
Third Party management 4.00 3.25
Acquisitions and disposals 3.50 4.01
IT cost management 3.33 3.81
Table 5 : DOJ&CD King III assessment results (ICT governance focus area view)
Figure 2: DOJ&CD King III assessment results (ICT governance focus area view)
[Spider diagram titled "IT Governance Focus Area Graph", with an axis scale of 0 to 5 and two series, DOJCD and Benchmark, plotted across the 13 focus areas: IT Strategy and Alignment; Value Delivery and Performance; Information Security; IT Governance Framework; Roles and Responsibilities; Compliance; BCP/DRP; IT Project Management; IT Sustainability; IT Risk Management; 3rd Parties; Acquisitions and Disposals; IT Cost Management. The plotted values are those of Table 5.]
Principle 5.1 The Board should be responsible for IT Governance
Applicability to the public sector: Chapter 5 (1) (B) of the Public Service Regulations places an obligation on the head of the institution to ensure that the acquisition, management and use of information technology by the institution improves:
- direct or indirect service delivery to the public, including, but not limited to, equal access by the public to services delivered by the institution;
- the productivity of the institution; and
- the cost-efficiency of the institution.
The information technology planning guidelines published and adopted by the Government Information and Technology Officers Committee in 2002 apply across government institutions and provide guidance to public sector organisations on how to align IT objectives to the overall organisational strategy. The guidelines also refer to the internationally recognised COBIT.
Requirements for national and provincial government: Responsibility of the accounting officer, set out in Treasury Regulation 5.2, to be reported on in the annual report as well as in the quarterly report to the executive authority in terms of Treasury Regulation 5.3.1.
The Department: 2.00; Benchmark average: 2.70
Table 6 : DOJ&CD King III assessment results (King III principles view – P1)
Principle 5.2 IT should be aligned with the performance and sustainability objectives of the company
Applicability to the public sector: The vision of Government is to become an entity driven by service excellence, providing quality and sustainable services in an effective and economic manner through equitable resource distribution and through the creation of sustainable growth where all communities live in harmony and prosperity. The Public Service Regulations acknowledge the important role that IT has to play in achieving government's vision, through the establishment of a requirement for all institutions and governmental institutions to manage IT effectively and efficiently. The regulations stipulate that the acquisition, management and use of information technology shall be informed by the Batho Pele principle of offering equal access to services, increases in productivity and the lowering of costs.
Requirements for national and provincial government: Section 38 1(a) of the PFMA prescribes the duty of the accounting officer to ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control. This can be read to include IT systems. This interpretation is supported by Treasury Regulation 5.2.2, which states that the strategic plan of the institution should make reference to its proposed IT acquisitions or expansion with reference to an IT plan. Chapter 5 of the Public Service Regulations further supports the underlying value of electronic government (through acquisition and management), as discussed under applicability to the public sector above, including IT security and interoperability.
The Department: 2.86; Benchmark average: 3.35
Table 7 : DOJ&CD King III assessment results (King III principles view – P2)
Principle 5.3 The Board should delegate to management the responsibility for the implementation of an IT governance framework
Applicability to the public sector: The Minimum Information Security Standards stipulate that the head of every institution bears overall responsibility for the provision and maintenance of security in his or her institution. This is, however, to be delegated to the head of the security component within the organisation.
Requirements for national and provincial government: The accounting officer assigns the responsibility to the CIO, who in turn reports to the accounting officer.
The Department: 4.00; Benchmark average: 3.72
Table 8 : DOJ&CD King III assessment results (King III principles view – P3)
Principle 5.4 The Board should monitor and evaluate significant IT investment and expenditure
Applicability to the public sector: See comments above.
Requirements for national and provincial government: The responsibility as set out in the PFMA (as noted above) would be delegated to the CIO, whilst Treasury Regulation 3.2.11 requires the internal audit function to evaluate the controls in the information systems (allowing for the assessment of effective utilisation of the investment). The PFMA does not require independent assurance on information systems. However, assurance over other matters that may be prescribed (section 40(3)(b)) might include such assurance.
The Department: 3.36; Benchmark average: 3.45
Table 9 : DOJ&CD King III assessment results (King III principles view – P4)
Principle 5.5 IT should form an integral part of the company's risk management
Applicability to the public sector: The National Treasury Risk Management Framework encourages institutions to adhere to the principles espoused in King II, given its promotion of an advanced level of institutional conduct. Since King II has been superseded by King III, it can be reasonably assumed that the principles embodied in King III will be endorsed in future revisions of the Framework. The Framework is applicable to all public sector institutions and comprehensively articulates IT risk management processes in the public sector.
Requirements for national and provincial government: This is the responsibility of the accounting officer, although IT risk management may be performed by the ICT committee.
The Department: 3.29; Benchmark average: 3.42
Table 10 : DOJ&CD King III assessment results (King III principles view – P5)
Principle 5.6 The Board should ensure that information assets are managed effectively
Applicability to the public sector: The right to privacy is enshrined in the Constitution, which gives effect to this right by way of mandatory procedures and mechanisms for the handling and processing of personal information, in line with current international trends and laws on privacy. The Protection of Personal Information (PPI) Bill, applying to both public and private sector institutions, will regulate the processing of 'personal information', including its collection, recording, and storage. The Promotion of Access to Information Act (PAIA) provides public access to records of institutions, including those of national, provincial and local government.
Requirements for national and provincial government: The PFMA does not expressly deal with the management of information, except for the requirement that the accounting officer must ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control. However, institutions are required to comply with the requirements of the PAIA, which include the preparation of a manual of functions and records held by the institution in at least three official languages. Public sector institutions can refer to the Minimum Information Security Standards (MISS), which were written by the National Intelligence Agency and published by the Department, in conjunction with standards such as International Organisations for Standardisation (ISO) 27001 and 27002, for guidance on how to implement policies, procedures, controls and safeguards that will facilitate compliance with the requirements of the PPI Bill.
The Department: 3.00; Benchmark average: 3.30
Table 11 : DOJ&CD King III assessment results (King III principles view – P6)
Principle 5.7 A risk committee and audit committee should assist the Board in carrying out its IT responsibilities
Applicability to the public sector: See comments above.
Requirements for national and provincial government: As discussed above, the accounting officer must ensure that the institution has and maintains effective, efficient and transparent systems of financial and risk management and internal control (section 38(1)(a) of the PFMA). In so doing, the Risk Management Framework developed by National Treasury should be followed. This prescribes the enablers of risk management to be:
- risk management policy;
- risk management strategy;
- basic requirements for ERM implementation; and
- funding of ERM.
The management of IT risk might include the State Information Technology Agency (SITA), as its mandate provides for the provision of such services (section 7 of the SITA Act).
The Department: 4.20; Benchmark average: 3.90
Table 12 : DOJ&CD King III assessment results (King III principles view – P7)
Figure 3: DOJ&CD King III assessment results (King III principles view)
[Spider diagram titled "Application of King Principles", with an axis scale of 0 to 5 and two series, DOJCD and Benchmark, plotted across Principles 5.1 to 5.7. The plotted values are those of Tables 6 to 12.]
5 COBIT assessment results
5.1 Introduction to COBIT 4.1
COBIT is published by the Information Systems Audit and Control Association (ISACA). COBIT is
currently the framework of choice for ICT internal controls and is favoured by the DPSA, the Auditor-
General and the Government Information Technology Officer (GITO) Council. COBIT 4.1 consists of 34
“Processes”, in turn grouped into four "Domains".
Figure 4: COBIT 4.1 framework
In January 2013, PwC facilitated an assessment against the COBIT 4.1 standard in a series of workshops with ISM management. The main objective of the assessment was to assist ISM management in assessing the maturity of each of the COBIT framework's 34 processes, taking into account the relative importance of each process, and to identify areas for improvement based on the desired levels of maturity.
The following section provides a summary of the assessment results, including the agreed actions to address the identified areas for improvement. The colour scheme used in the results is as follows:
Green (3 and higher): Green indicates ICT processes where maturity is 3 or higher. It is likely that no gap exists between the actual and desired maturity levels. IT management do not believe that it would make business sense or add value to improve the maturity of the specific process.
Yellow (1.5 and higher, less than 3): Yellow indicates an ICT process where maturity is less than 3, but equal to or more than 1.5. In this case, there is usually a gap between the actual and desired maturity levels. ICT management are of the view that the process should be improved.
Red (less than 1.5): Red indicates a process maturity of less than 1.5 and that there is a significant gap between the actual and desired maturity levels. ICT management have identified this as a process that must be improved.
Table 13 : COBIT 4.1 assessment colour scheme
5.2 COBIT assessment maturity rating (current and desired)
COBIT 4.1 offers maturity modelling for management and control over IT processes. The maturity levels range from non-existent (0) to optimised (5), as explained below (maturity rating, description):
0 Non-existent: There is a complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.
1 Initial/Ad Hoc: There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 Defined Process: Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Table 14 : COBIT 4.1 maturity rating scale
The maturity assessment is conducted with respect to six dimensions, as shown on the next page.
Table 15 : COBIT 4.1 maturity levels across the 6 dimensions assessed
Table 16 below is based on the Department‟s current and target maturity scores for each of the COBIT processes as per the COBIT 4.1 standard.
DOJ&CD ICT Governance Roadmap
Page 23 of 46
Table 16 : DOJ&CD COBIT 4.1 assessment
Dimension abbreviations: AC = Awareness and Communication; PSP = Policies, Standards and Procedures; TA = Tools and Automation; SE = Skills and expertise; RA = Responsibility & Accountability; GSM = Goal Setting & Measurement. The columns give the overall actual level, the actual level for each dimension, the overall target level, the target level for each dimension, and the gap between overall target and overall actual.
COBIT process | Actual | AC | PSP | TA | SE | RA | GSM | Target | AC | PSP | TA | SE | RA | GSM | Gap
PO1 Define a strategic IT Plan | 1.50 | 1 | 2 | 1 | 1.5 | 1.5 | 2 | 3.00 | 2.00 | 3.00 | 1.00 | 3.00 | 3.00 | 3.00 | 1.5
PO2 Define the information architecture | 1.00 | 1 | 1 | 1 | 1 | 1 | 2 | 1.50 | 1.00 | 1.00 | 1.00 | 1.00 | 2.00 | 2.00 | 0.5
PO3 Determine technological direction | 2.00 | 2 | 2 | 2 | 2 | 2.5 | 2 | 3.00 | 3.00 | 3.00 | 2.00 | 3.00 | 3.00 | 3.00 | 1.0
PO4 Define the IT processes, organisation and relationships | 2.00 | 2 | 2 | 2 | 2 | 2 | 2 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 1.0
PO5 Manage the IT investment | 2.75 | 3 | 3 | 3 | 3 | 3 | 2 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 2.50 | 0.3
PO6 Communicate management aims and direction | 1.58 | 1 | 2 | 1 | 2 | 1.5 | 2 | 2.25 | 2.00 | 2.50 | 1.50 | 2.50 | 3.00 | 2.00 | 0.7
PO7 Manage IT Human resources | 3.00 | 3 | 3 | 3 | 3 | 3 | 3 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
PO8 Manage quality | 1.00 | 1 | 1 | 1 | 1 | 1 | 1 | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 | 1.00 |
PO9 Assess and manage IT risks | 3.00 | 3 | 3 | 3 | 3 | 3 | 3 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
PO10 Manage projects | 2.25 | 3 | 2 | 2 | 2 | 2 | 3 | 3.00 | 3.00 | 3.00 | 2.00 | 3.00 | 3.00 | 3.00 | 0.8
AI1 Identify automated solutions | 2.50 | 2 | 2 | 1 | 2 | 2 | 2.5 | 3.00 | 2.50 | 2.50 | 1.00 | 2.00 | 3.00 | 3.00 | 0.5
AI2 Acquire and maintain application software | 2.50 | 2.5 | 2.5 | 2 | 2 | 2.5 | 2.5 | 3.00 | 3.00 | 3.00 | 2.50 | 3.00 | 3.00 | 3.00 | 0.5
AI3 Acquire and maintain technology infrastructure | 2.50 | 3 | 3 | 2.5 | 2.5 | 1.5 | 3 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 0.5
AI4 Enable operation and use | 1.25 | 1.5 | 1.5 | 1 | 1 | 1.5 | 1 | 2.25 | 3.00 | 2.50 | 1.50 | 2.50 | 2.00 | 2.00 | 1.0
AI5 Procure IT resources | 3.00 | 3 | 3 | 3 | 3 | 3 | 3 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 |
AI6 Manage changes | 1.50 | 1.5 | 1 | 1 | 2 | 2 | 2 | 3.00 | 3.00 | 3.00 | 1.00 | 3.00 | 3.00 | 3.00 | 1.5
AI7 Install and accredit solutions and changes | 1.50 | 1.5 | 1 | 1 | 2 | 2 | 2 | 3.25 | 3.00 | 3.00 | 1.00 | 3.00 | 3.00 | 3.00 | 1.8
DS1 Define and manage service levels | 1.00 | 2 | 2 | 1 | 1 | 1 | 2 | 2.00 | 3.00 | 3.00 | 1.00 | 2.00 | 2.00 | 2.00 | 1.0
DS2 Manage third-party services | 2.00 | 1.5 | 2 | 2.5 | 2 | 2 | 2 | 3.00 | 2.00 | 2.00 | 3.00 | 3.00 | 3.00 | 2.50 | 1.0
DS3 Manage performance and capacity | 1.00 | 1.5 | 2 | 2 | 1 | 1 | 1 | 2.00 | 3.00 | 2.00 | 3.00 | 2.00 | 2.00 | 2.00 | 1.0
DS4 Ensure continuous service | 2.00 | 1.5 | 1 | 1.5 | 1.5 | 1 | 1.5 | 2.50 | 3.00 | 2.00 | 2.00 | 1.50 | 2.00 | 2.50 | 0.5
DS5 Ensure systems security | 1.50 | 1.5 | 2 | 2 | 1.5 | 1 | 1.5 | 2.50 | 2.00 | 2.00 | 3.00 | 3.00 | 2.00 | 2.50 | 1.0
DS6 Identify and allocate costs | 2.75 | 3 | 2.5 | 3 | 2 | 3 | 3 | 3.00 | 3.00 | 3.00 | 3.00 | 2.00 | 3.00 | 3.00 | 0.3
DS7 Educate and train users | 1.00 | 1.5 | 1 | 1 | 1 | 1 | 1 | 1.75 | 2.00 | 1.50 | 1.50 | 1.50 | 2.00 | 2.00 | 0.8
DS8 Manage service desk and incidents | 3.50 | 3 | 2 | 3 | 2.5 | 2.5 | 2 | 4.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 0.5
DS9 Manage the configuration | 1.00 | 1 | 1 | 1 | 1 | 1 | 1.5 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 2.0
DS10 Manage problems | 1.75 | 2 | 1.5 | 2 | 2 | 1.5 | 1.5 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 2.50 | 1.3
DS11 Manage data | 1.50 | 2 | 1.5 | 1.5 | 1.5 | 1 | 1 | 2.00 | 2.00 | 2.00 | 2.00 | 2.00 | 2.00 | 2.50 | 0.5
DS12 Manage the physical environment | 2.00 | 2 | 2 | 2 | 1 | 1.5 | 1.5 | 3.00 | 2.00 | 2.00 | 2.00 | 2.00 | 3.00 | 3.00 | 1.0
DS13 Manage operations | 1.50 | 2 | 1 | 1.5 | 1.5 | 2 | 2 | 3.00 | 3.00 | 2.50 | 3.00 | 3.00 | 3.00 | 3.00 | 1.5
ME1 Monitor and evaluate IT performance | 2.25 | 2 | 2 | 2 | 3 | 3 | 2 | 2.50 | 3.00 | 3.00 | 3.00 | 3.00 | 3.00 | 2.50 | 0.3
ME2 Monitor and evaluate internal control | 2.25 | 3 | 3 | 2 | 2 | 2 | 2 | 3.00 | 3.00 | 3.00 | 2.00 | 2.00 | 2.00 | 2.00 | 0.8
ME3 Ensure regulatory compliance | 2.25 | 3 | 2 | 1 | 2 | 3 | 2 | 3.00 | 3.00 | 3.00 | 1.00 | 2.00 | 3.00 | 3.00 | 0.8
ME4 Provide IT Governance | 1.75 | 2 | 2 | 1 | 2 | 2 | 2 | 3.00 | 3.00 | 3.00 | 2.00 | 3.00 | 3.00 | 3.00 | 1.3
5.3 Areas of improvement aligned to the high-level ICT governance roadmap
For each COBIT 4.1 process the entries below give the current and target maturity, the reference to the roadmap line items, the actions identified, the responsible officials with the line items they own, and further guidance.
PO1 Define a Strategic IT Plan
Current maturity: 1.5; target maturity: 3
Reference to roadmap: 25. ICT Strategy; 26. ICT Service Catalogue
Actions identified in the COBIT 4.1 workshop
1. Formulate an ICT strategic planning framework and consult on a more regular basis with the business during this process.
2. Formalise the responsibility of IT managers for ICT strategic planning. Consider overall ICT strategic alignment with the business.
Related actions identified in the King III workshop
3. Review and update the existing ICT Strategy.
4. Ensure all business units provide input into the strategy process.
5. Define the service catalogue in conjunction with the business.
Related DPSA framework requirement
6. Ensure that the ICT strategy is incorporated into the Department's strategic plan that will enable the achievement of the Department's objectives (To be implemented in a phased approach).
7. Ensure that the ICT Management Framework comprising management processes, organisational structures, roles and responsibilities, activities and required skills and competencies is defined, approved and implemented (To be implemented in a phased approach).
8. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, both 'APO02 Manage Strategy' and 'APO05 Manage Portfolio' in COBIT 5 are priority processes and should be implemented.
Responsible officials and line items
- Director (D):IT Strategy: 1, 3 - 8 (To be implemented in a phased approach)
- Chief Director (CD):IT Strategy and Risk: 2 (To be implemented in a phased approach)
Further guidance
In order to achieve alignment between the business and ICT, ICT planning should be performed in parallel with the strategic planning frameworks published by the Department of National Treasury (e.g. Strategic Plans, Medium-term Expenditure Framework, Risk Management, Annual Performance Plans etc.). Refer to these frameworks for more information on the overall process. Strategic alignment can be planned, amongst others, with the assistance of an enterprise architecture methodology as prescribed in the Government-wide Enterprise Architecture (GWEA) Framework.
ITIL v3 SD 4.1 provides guidelines for the establishment of a service catalogue.
PO2 Define the information architecture
Current maturity: 1; target maturity: 1.5
Reference to roadmap: 27. EA Strategy; 28. Enterprise Architecture
Actions identified in the COBIT 4.1 workshop
1. Establish the value proposition for Enterprise Architecture (EA) and define the EA strategy. The ISM Function should consider initially training the existing staff that have been identified. Once the identified staff have been trained, embed EA within the Department aligned to the DPSA requirements (refer to points 3 and 4 below).
Related actions identified in the King III workshop
2. Develop and implement EA within the Department (covering all domains, e.g. information, technology, applications, business needs etc.).
Related DPSA framework requirement
3. The Department should consider creating capacity to fulfil the role of an EA (To be implemented in a phased approach).
4. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO03 Manage Enterprise Architecture' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- CD:IT Strategy: 1 (To be implemented in a phased approach)
- Head of ISM: 2 - 4 (To be implemented in a phased approach)
Further guidance
Refer to the GWEA Framework (and by implication the TOGAF framework).
PO3 Determine technological direction
Current maturity: 2; target maturity: 3
Reference to roadmap: 21. Technology Strategy (plans and roadmap); 22. Sustainability
Actions identified in the COBIT 4.1 workshop
1. Conclude and finalise the technology infrastructure strategy, plan and roadmap.
2. Integrate the infrastructure strategy into the overall ICT strategy.
3. Solidify the technology plans and strategies.
Related actions identified in the King III workshop
4. Develop a green ICT strategy and plan aligned to the Department's overall sustainability objectives. Align the strategy and plans to the DPSA's green ICT policy as well as applicable environmental acts.
Related DPSA framework requirement
5. ICT strategies incorporated into the Department's strategic plan that will enable the achievement of the Department's objectives (To be implemented in a phased approach).
Responsible officials and line items
- D:IT Infrastructure: 1 (To be implemented in a phased approach)
- D:IT Strategy Officer: 2 (To be implemented in a phased approach)
- D:IT Strategy: 3, 4, 5 (To be implemented in a phased approach)
Further guidance
Refer to the Government-wide Enterprise Architecture (GWEA) Framework (and by implication the TOGAF framework).
PO4 Define the IT processes, organisation and relationships
Current maturity: 2; target maturity: 3
Reference to roadmap: 1. Corporate Governance of Information and Communication Technology (CGICT) Policy Framework & Charter; 3. ICT Management Framework; 7. ISM KPIs; 8. ICT Governance Awareness including ICT organisation structure and ICT services
Actions identified in the COBIT 4.1 workshop
1. Increase awareness of the ICT organisation as well as the services offered by ISM.
2. Finalise ICT roles and responsibilities. Finalise the organisational structure and align the job descriptions. Fill vacant positions. Upgrade positions that need to be upgraded to ensure market-related compensation.
3. Finalise the ICT governance framework and its associated committees.
4. Develop KPIs aligned to the ICT organisation structure.
Related actions identified in the King III workshop
5. Revisit the ICT organisation structure aligned with the strategic direction of the Department.
Related DPSA framework requirement
6. Approved and implemented ICT Management Framework that defines management processes, organisational structures, roles and responsibilities, KPIs, activities as well as required skills and competencies (To be implemented in a phased approach).
7. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO01 Manage the IT Management Framework' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- CD:IT Strategy and Risk: 1 - 7 (To be implemented in a phased approach)
Further guidance
COBIT 5 establishes 'Organisational Structures' as an important enabler, and the following should be considered at a minimum:
- Operating principles (the practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules);
- Composition (structures have members, who are internal or external stakeholders);
- Span of control (the boundaries of the organisational structure's decision rights);
- Level of authority/decision rights (the decisions that the structure is authorised to take);
- Delegation of authority (the structure can delegate (a subset of) its decision rights to other structures reporting to it); and
- Escalation procedures (the escalation path for a structure describes the required actions in case of problems in making decisions).
PO5 Manage the IT investment
Current maturity: 2.75; target maturity: 3
Reference to roadmap: 12. Value Delivery; 24. ICT Portfolio Management Framework
Actions identified in the COBIT 4.1 workshop
1. Formalise benefits realisation on projects. Consideration should be given to updating the existing Project Management Framework.
Related actions identified in the King III workshop
2. Report on Return on Investment (ROI) from ICT investments and projects as part of the ExCo / Director General (DG) reporting process.
3. Ensure management has a clear view on the ownership of IT costs across the Department.
4. Measure the value received from ICT.
Related DPSA framework requirement
5. Approved and implemented Departmental Portfolio Management Framework that includes ICT portfolio/programme and project management (To be implemented in a phased approach).
6. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO05 Manage Portfolio' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- D:IT Strategy: 1, 5, 6 (To be implemented in a phased approach)
- CD:IT Strategy: 2, 3, 4 (To be implemented in a phased approach)
Further guidance
The Information Technology Infrastructure Library (ITIL) SS 5.1 process has guidance on ICT financial management and ROI. The Val IT Framework from ISACA deals exclusively with ICT value management practices.
PO6 Communicate management aims and direction
Current maturity: 1.5; target maturity: 2.25
Reference to roadmap: 1. CGICT Policy Framework & Charter; 2. Governance of ICT Framework; 6. ICT Policies; 8. ICT Governance Awareness; 11. Monitoring
Actions identified in the COBIT 4.1 workshop
1. Define a communication strategy for ICT aims and direction.
2. Establish ICT co-ordinators' meetings.
3. Establish a regional heads forum.
4. Formalise the interaction at the ICT Steering Committee and ensure that the business forms part of the ICT Steering Committee. Consideration should be given to promoting ICT presence at ExCo level.
Related actions identified in the King III workshop
5. Develop an ICT policy framework.
6. Ensure ICT governance is a standing item on the ExCo agenda and is discussed at every ExCo meeting.
7. Provide regular feedback on the implementation of ICT governance across the Department.
8. The ICT Steering Committee terms of reference should be reviewed on a periodic basis to ensure that they are up to date, relevant and effective.
9. Develop and roll out ICT governance awareness training across the Department.
Related DPSA framework requirement
10. Approved and implemented Corporate Governance of ICT Policy Framework and ICT Charter (To be implemented in a phased approach).
11. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
12. A Governance Champion designated and responsibilities allocated (To be implemented in a phased approach).
Responsible officials and line items
- D:IT Strategy: 1, 3 (To be implemented in a phased approach)
- D:Business Relationship Management: 2 (To be implemented in a phased approach)
- D:ICT Governance and Compliance: 4 - 12 (To be implemented in a phased approach)
Further guidance
ICT policies can be communicated in a number of ways, including through the human resources induction process, signing of policies, acknowledgement at the logon screen, e-mail communication, publishing on an intranet, or formal awareness campaigns.
PO7 Manage IT Human resources
Current maturity: 3; target maturity: 3
Reference to roadmap: N/A
Actions identified in the COBIT 4.1 workshop
1. Continuous team communication to promote transparency / trust ("tone at the top"). Discuss the staff motivation challenge at Management Committee level.
Responsible officials and line items
- All ICT Directors/Chief Directors: 1 (To be implemented in a phased approach)
Further guidance
N/A
PO8 Manage quality
Current maturity: 1; target maturity: 1
Reference to roadmap: N/A
Actions identified in the COBIT 4.1 workshop
1. None
Responsible officials and line items
- CD:ICT Optimisation and QA; Director: Quality Assurance: None (information only)
PO9 Assess and manage IT risks
Current maturity: 3; target maturity: 3
Reference to roadmap: 4. Risk Management Policy
Actions identified in the COBIT 4.1 workshop
1. ISM Management should consider delving further into the ICT risks, i.e. generic risks vs. risks that apply to individual environments.
Related DPSA framework requirement
2. Approved and implemented Risk Management Policy that includes the management of business-related ICT risks (To be implemented in a phased approach).
3. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO12 Manage Risk' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- D:ICT Governance and Compliance: 1 - 3 (To be implemented in a phased approach)
Further guidance
None.
PO10 Manage projects
Current maturity: 2.25; target maturity: 3
Reference to roadmap: 12. Value Delivery; 24. ICT Portfolio Management Framework; 29. ICT Project Practices (e.g. lessons learnt and post-implementation reviews)
Actions identified in the COBIT 4.1 workshop
1. Review and formalise the existing project management methodology.
Related actions identified in the King III workshop
2. Ensure that the documented lessons learnt for all ICT projects are retained and stored centrally for future use.
3. Ensure that post-implementation reviews are conducted and reported on to the relevant stakeholders.
4. Ensure project management standards and principles are applied to all ICT projects.
5. Report on ROI from ICT investments and projects as part of the ExCo / DG reporting process.
Related DPSA framework requirement
6. Approved and implemented Departmental Portfolio Management Framework that includes ICT portfolio/programme and project management (To be implemented in a phased approach).
7. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'BAI01 Manage Programmes and Projects' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- D:ICT Project Portfolio Management: 1, 6, 7 (To be implemented in a phased approach)
- D:ICT Project Portfolio Management & D:ICT Governance and Compliance: 2, 3, 4, 5 (To be implemented in a phased approach)
Further guidance
PMBOK and PRINCE2 are industry standards that provide project management good practices. COBIT 4.1/5 also includes key ICT project controls. Consideration should be given to using automated project and portfolio management tools.
AI1 Identify automated solutions
Current maturity: 2.5; target maturity: 3
Reference to roadmap: 8. ICT Governance Awareness; 11. Monitoring; 3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Raise awareness of the need to approve ICT projects based on business benefits.
2. Define responsibilities and accountability for identifying automated solutions.
3. Formalise existing practices into a Systems Development Lifecycle (SDLC) framework document.
Responsible officials and line items
- D:ICT Project Portfolio Management & D:Business Analysis: 1 - 3 (To be implemented in a phased approach)
Further guidance
Consideration should be given to the following when developing or updating the SDLC framework: COBIT 4.1/5, ITIL v3, ISO 27002, CMMI and OpenSAMM (which focuses on the risks and controls of web development).
AI2 Acquire and maintain application software
Current maturity: 2.5; target maturity: 3
Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Ensure vacant positions in testing have been filled and software development services are acquired.
2. Formalise existing practices into the SDLC framework document.
3. Acquire business analysis and testing tools.
Responsible officials and line items
- D:Business Analysis & CD:ICT Optimisation and Quality Assurance: 1 - 3 (To be implemented in a phased approach)
AI3 Acquire and maintain technology infrastructure
Current maturity: 2.5; target maturity: 3
Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes; 21. Technology Strategy; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Ensure roles and responsibilities for the technology infrastructure have been defined in the ICT Management Framework and embedded into the day-to-day operations of ISM.
2. ISM should build a suitable lab environment for testing tools. Security requirements should be considered, e.g. segregation of duties.
Responsible officials and line items
- D:IT Infrastructure: 1, 2 (To be implemented in a phased approach)
Further guidance
The ITIL ST 4.4 process provides guidance on establishing a testing environment.
AI4 Enable operation and use
Current maturity: 1.25; target maturity: 2.25
Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Define the framework for deploying ICT solutions to end-users.
2. Embed responsibilities into performance agreements between the business and ISM, e.g. business system ownership.
3. Improve the process to transfer knowledge from development to operations teams.
Responsible officials and line items
- D:Business Systems: 1, 3 (To be implemented in a phased approach)
- D:Business Relationship Management: 2 (To be implemented in a phased approach)
Further guidance
The ITIL ST 4.4 process provides guidance on deployment of solutions, as well as knowledge transfer.
AI5 Procure IT resources
Current maturity: 3; target maturity: 3
Reference to roadmap: N/A
Actions: N/A
AI6 Manage changes and AI7 Install and accredit solutions and changes
Current maturity: 1.5; target maturity: 3
Reference to roadmap: 20. ITSM Processes; 30. ICT Service Providers; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Review the Change Control Board (CCB) terms of reference, including the membership of the CCB, to ensure that they are up to date, effective and relevant.
2. Ensure that the change and release management process and procedures are defined accurately to ensure efficiency and effectiveness. ISM Management should enforce the process and procedures rigorously within the Department.
Responsible officials and line items
- D:Business Systems, D:Quality Assurance & CD:ICT Optimisation and Quality Assurance: 1, 2 (To be implemented in a phased approach)
Further guidance
The ITIL ST 4.2 and ST 4.4 processes provide guidance on Change and Release Management. Change Management is also a primary focus of COBIT and ISO 27002.
DS1 Define and manage service levels
Current maturity: 1; target maturity: 2
Reference to roadmap: 20. ITSM Processes; 31. OLAs with the business; 32. SLAs with the business; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Set up Service Level Agreements (SLAs) with the business as they relate to infrastructure support and business applications.
2. Ensure that the existing EOH, SITA and SITA VPN contracts become the responsibility of the ISM function. Translate these responsibilities into the business and ISM responsibilities/roles.
Related actions identified in the King III workshop
3. Develop and implement SLAs / Operational-Level Agreements (OLAs) within the Department.
4. Monitor and report on outcomes of SLAs / OLAs to ExCo.
5. Define a service catalogue in conjunction with the business.
Responsible officials and line items
- CD:ICT Service Delivery and Stakeholder Management & D:Service Delivery: 1 - 5 (To be implemented in a phased approach)
Further guidance
Service catalogues should be reviewed on a periodic basis to ensure that they are up to date and relevant.
DS2 Manage third-party services
Current maturity: 2; target maturity: 3
Reference to roadmap: 20. ITSM Processes; 30. ICT Service Providers; 37. ITSM Tools and Processes; 38. Supplier Audits
Actions identified in the COBIT 4.1 workshop
1. Establish formal interaction with service providers, i.e. an Engagement Model.
2. Strengthen the relationships between service delivery management and other teams (specifically ICT infrastructure and business systems).
Related actions identified in the King III workshop
3. Report on the effectiveness of ICT governance and service delivery by third-party service providers relating to IT goods/services being outsourced.
4. Review SLA / contract management as well as enforcement of penalties for non-performance.
Related DPSA framework requirement
5. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO10 Manage Suppliers' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- CD:ICT Service Delivery and Stakeholder Management & D:Service Delivery: 1, 2 (To be implemented in a phased approach)
- D:IT Sourcing: 3 - 5 (To be implemented in a phased approach)
Further guidance
The ITIL v3 SD 4.2 process provides guidance on Service Level Management and SD 4.7 on Supplier Management. Management should consider performing ISAE 3402 audits; ISAE 3402 is an international standard for auditing supplier environments.
DS3 Manage performance and capacity
Current maturity: 1; target maturity: 2
Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Clearly define the technology capacity targets of IT resources, as well as the measurement approach and the responsibility to collect the measurement data and produce meaningful reporting. The responsibility to action the report outcomes must also be defined and implemented.
Responsible officials and line items
- D:IT Infrastructure: 1 (To be implemented in a phased approach)
Further guidance
The ITIL v3 SD 4.3 process provides guidance on Capacity Management.
DS4 Ensure continuous service
Current maturity: 2.0; target maturity: 2.5
Reference to roadmap: 33. Business Impact Assessment; 34. ICT Continuity Strategy; 35. ICT Continuity Implementation
Actions identified in the COBIT 4.1 workshop
1. Ensure that the ICT continuity strategy, policy, plan and conceptual architecture are aligned to the DPSA framework as well as to the Departmental business continuity plan.
2. Commence with technology solution implementation, subject to availability of funding.
Related actions identified in the King III workshop
3. Align the ICT continuity capability to the overall business continuity programme.
4. Ensure that business impact assessments are performed on a periodic basis and kept up to date.
5. Formalise the business continuity programme: develop formal business continuity plans (BCPs) for all branches.
6. Ensure that these plans are tested on a regular basis.
7. Perform end-to-end ICT continuity testing.
Related DPSA framework requirement
8. Approved ICT Continuity Plan informed by the Departmental Business Continuity Plan and Strategy.
9. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS04 Manage continuity' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- D:IT Infrastructure: 1 - 9 (To be implemented in a phased approach)
Further guidance
The ITIL v3 SD 4.4 and 4.5 processes provide guidance on ICT Continuity Management. Management should also consider standards such as ISO 27031, BS 25999 and the Uptime Institute Tier classification for data centres for further information and guidance.
DS5 Ensure systems security
Current maturity: 1.5; target maturity: 2.5
Reference to roadmap: 14. Information Security Strategy; 15. Information Security Policy; 16. Information Handling; 17. Implement Security; 18. Security Awareness; 19. Security Reporting; 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Develop the information security strategy based on the business requirements for information security. Develop the information security plan, based on the information security strategy.
2. Review and update/develop the information security policy landscape accordingly.
Related actions identified in the King III workshop
3. Formalise an information security strategy. Once approved, the information security strategy should be implemented and monitored.
4. Identify all sensitive and personal information across the Department and classify it according to the Information Security Policy.
5. Assign appropriate handling criteria to all information, including information in electronic form (with guidance and direction from the business).
6. Focus on ensuring security awareness is embedded in the Department. Develop a security awareness plan and roll out awareness across the Department (consideration should be given to the use of technology for user training).
Related DPSA framework requirement
7. Approved and implemented ICT Security Policy (To be implemented in a phased approach).
8. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'APO13 Manage Security' in COBIT 5 is a priority process and should be implemented.
Responsible officials and line items
- D:IT Infrastructure & D:ICT Governance and Compliance: 1 - 8 (To be implemented in a phased approach)
Further guidance
Information security is usually deployed using the Information Security Management System (ISMS) lifecycle approach (refer to ISO 27001). The key generic activities related to an ISMS include:
- Obtaining senior management commitment for information security;
- Understanding the Department;
- Identifying key risks and vulnerabilities;
- Identifying key laws and regulations;
- Developing action plans to address risks and vulnerabilities;
- Developing security governance, including structures, processes and roles and responsibilities;
- Developing information security policies;
- Developing an implementation strategy;
- Providing sufficient information security resources;
- Operating information security;
- Providing training and awareness;
- Detecting and responding to information security incidents;
- Conducting audits of information security controls; and
- Improving information security controls (the lifecycle process repeats).
Further guidance can be obtained from the ISO 27000 series, COBIT 4.1/5, the Minimum Information Security Standards, the Information Security Forum, OpenSAMM etc.
DS6 Identify and allocate costs
Current maturity: 2.75; target maturity: 3
Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes
Actions identified in the COBIT 4.1 workshop
1. Formally document the ICT cost allocation process and entrench the roles and responsibilities within ISM.
2. Perform a skills assessment on staff to understand the level of financial management skills.
Related actions identified in the King III workshop
3. Ensure management has a clear view on the ownership of IT costs across the Department.
Responsible officials and line items
- All CDs and Ds: 1 - 3 (To be implemented in a phased approach)
Further guidance
ITIL v3 SS 5.1 provides guidance on ICT Financial Management.
DS7 Educate and train users
Current maturity: 1; target maturity: 1.75
Reference to roadmap: 23. Justice College
Actions identified in the COBIT 4.1 workshop
1. Work in collaboration with Justice College to formalise an ICT training plan (especially basic computer literacy and business applications training).
2. Work in collaboration with Justice College to ensure implementation of the training required.
Responsible officials and line items
- D:ICT Project Portfolio Management & D:Business Systems: 1, 2 (To be implemented in a phased approach)
DS8 Manage service desk and incidents
Current maturity: 3.5; target maturity: 4
Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Finalise the processes as they relate to Service Desk and Incident Management. Implement the processes on the tool of choice (ITSM7 and CMDB project).
2. Implement the internal operating model.
Responsible officials and line items
- CD:IT Service Management and Stakeholder Management & D:ICT Service Delivery: 1 (To be implemented in a phased approach)
- Head of ISM: 2 (To be implemented in a phased approach)
Further guidance
The ITIL v3 SD 4.1, 4.2, 4.3 and 6.2 processes provide guidance on Service Desk and Incident Management.
DS9 Manage the configuration
Current maturity: 1; target maturity: 3
Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Processes
Actions identified in the COBIT 4.1 workshop
1. Implement the full Configuration Management Database (CMDB). Once implemented, ISM Management should ensure that the CMDB is sustained.
Responsible officials and line items
- D:IT Infrastructure, D:ICT Service Delivery & CD:IT Service Management and Stakeholder Management: 1 (To be implemented in a phased approach)
Further guidance
The ITIL v3 ST 4.3 process provides guidance on Service Asset and Configuration Management.
DS10 Manage problems
Current maturity: 1.75 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. Finalise the Problem Management process.
2. Clearly define roles and responsibilities for Problem Management.
Responsible officials | Line item
CD:IT Service Management and Stakeholder Management | 1, 2 (To be implemented in a phased approach)
Reference to roadmap: 3. ICT Management Framework; 20. ITSM Processes; 37. ITSM Tools and Process
Further guidance
The ITIL v3 SO 4.4 provides guidance on Problem Management.
DS11 Manage data
Current maturity: 1.5 | Target maturity: 2
Actions identified in the COBIT 4.1 workshop
1. Ensure that IT disposal forms part of the Supply Chain Management (SCM) policy.
2. Finalise the storage and retention requirements for both paper-based and electronic files as well as electronic mail.
3. Define and implement a media library for the Department.
4. Review and update the Backup and Restoration Policy and related processes, e.g. DCRS (Digital Court Recording System).
5. Ensure that full responsibility is assigned to the relevant staff.
Responsible officials | Line item
D:IT Sourcing | 1 (To be implemented in a phased approach)
D:IT Infrastructure and D:ICT Governance and Compliance | 2 - 5 (To be implemented in a phased approach)
Reference to roadmap: 3. ICT Management Framework; 6. ICT Policies; 20. ITSM Processes; 37. ITSM Tools and Process
DS12 Manage the physical environment
Current maturity: 2 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. Take over control of air conditioners and consolidate the physical equipment in the data centres.
Related DPSA framework requirement
2. Approved and implemented ICT Security Policy (To be implemented in a phased approach).
3. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS01 Manage Operations' in COBIT 5 is a priority process and should be implemented.
Responsible officials | Line item
D:IT Infrastructure | 1 – 3 (To be implemented in a phased approach)
Reference to roadmap: 36. Data Centres; 37. ITSM Tools and Process
Further guidance
None.
DS13 Manage operations
Current maturity: 1.5 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. Finalise and implement ICT operational processes.
Related DPSA framework requirement
2. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'DSS01 Manage Operations' in COBIT 5 is a priority process and should be implemented.
Responsible officials | Line item
D:IT Infrastructure | 1, 2 (To be implemented in a phased approach)
Reference to roadmap: 20. ITSM Processes; 37. ITSM Tools and Process
Further guidance
ITIL v3 SO sections 4.3, 5 and 6 provide guidance on ICT operations.
ME1 Monitor and evaluate IT performance
Current maturity: 2.25 | Target maturity: 2.5
Actions identified in the COBIT 4.1 workshop
1. Once performance measurement results are known, ISM Management should take relevant action.
2. Integrate the ISM performance report into the performance agreements of ISM staff.
Related actions identified in the King III workshop
3. Define the service catalogue in conjunction with business.
4. Develop a formal ICT value proposition. Maintain and review the ICT value proposition on a periodic basis.
5. Align performance metrics to the value proposition.
6. Measure the value received from ICT, including from ICT strategic projects and investments.
7. Report on value delivery to ExCo.
8. Report on ROI from IT investments and projects as part of the ExCo / DG reporting process.
Related DPSA framework requirement
9. Approved ICT Annual Performance Plan for 2015 to 2016 with a description of how it will be monitored (To be implemented in a phased approach).
10. Improve Corporate Governance of ICT (Continuous Improvement Roadmap) (To be implemented in a phased approach).
11. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'MEA01 Monitor, Evaluate and Assess Performance and Conformance' in COBIT 5 is a priority process and should be implemented.
Responsible officials | Line item
D:IT Strategy & CD:IT Strategy | 1 – 6, 10, 11 (To be implemented in a phased approach)
Head of ISM | 7 – 9 (To be implemented in a phased approach)
Reference to roadmap: 7. ISM KPIs; 12. Value Delivery; 13. Optimisation; 26. ICT Service Catalogue
Further guidance
ISM Management should consider the following when evaluating ICT value:
- aligning the ICT function's performance with the business performance objectives;
- embedding Return on Investment thinking when considering the ICT budget and projects;
- monitoring Return on Investment post-implementation of projects;
- developing an ICT balanced scorecard;
- developing service level agreements between ICT and the business; and
- conducting user satisfaction surveys.
ITIL v3 SD 4.1 provides guidelines for the establishment of a service catalogue.
ME2 Monitor and evaluate internal control
Current maturity: 2.25 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. ISM Management to agree the ICT audit approach with the internal audit function.
Related actions identified in the King III workshop
2. Develop, implement and monitor an ICT internal control framework and report outcomes to ExCo / DG on progress.
3. ISM Management should regularly monitor adherence to internal policies, processes, standards and procedures.
4. Non-compliance with internal policies, processes, standards and procedures should be dealt with in a consistent manner aligned to an approved non-compliance process.
5. Management should consider ways in which ICT can be used for the purposes of risk management and compliance with relevant laws, regulations and standards.
Related DPSA framework requirement
6. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
7. Approved and implemented Internal Audit Plan that includes ICT audits (To be implemented in a phased approach).
Responsible officials | Line item
D:ICT Governance and Compliance | 1 - 7 (To be implemented in a phased approach)
Reference to roadmap: 2. Governance of ICT Framework; 5. Compliance; 9. ICT Audits; 10. ICT Audit Action Plan; 11. Monitoring
Further guidance
ISM Management should implement controls that are relevant to their environment based on the ICT risks and risk profile.
ME3 Ensure regulatory compliance
Current maturity: 2.25 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. Deliver on the IT audit requirements defined by the Compliance Unit in relation to ensuring regulatory compliance.
Related actions identified in the King III workshop
2. Identify all ICT-related laws, regulations, codes and standards that the Department needs to comply with.
3. Based on point 2, develop a checklist and perform periodic reviews against these.
4. Identify areas of improvement and remediation actions.
5. Report the outcomes of these ICT compliance reviews to the ExCo / DG.
Related DPSA framework requirement
6. Approved ICT Continuity Plan informed by the Departmental Business Continuity Plan and Strategy.
Responsible officials | Line item
D:ICT Governance and Compliance | 1 - 6 (To be implemented in a phased approach)
Reference to roadmap: 5. Compliance; 9. ICT Audits; 10. ICT Audit Action Plan; 11. Monitoring
Further guidance
None.
ME4 Provide IT Governance
Current maturity: 1.75 | Target maturity: 3
Actions identified in the COBIT 4.1 workshop
1. Finalise the ICT governance framework (achieving Phase 1 of the DPSA framework) (To be implemented in a phased approach).
2. Obtain buy-in from the business.
Related actions identified in the King III workshop
3. Integrate the ICT governance framework into the overall corporate governance framework.
4. Ensure ICT governance is a standing item on the ExCo agenda and discussed at every ExCo meeting.
5. Provide regular feedback on implementation of ICT governance across the Department.
6. Develop and roll out ICT governance awareness training across the Department.
7. Develop metrics to monitor effectiveness of IT governance awareness training.
13. The ICT Steering Committee terms of reference should be reviewed on a periodic basis to ensure that it is up-to-date, relevant and effective.
8. Ensure continuous improvement of the ICT governance framework and charter.
Related DPSA framework requirement
9. Approved and implemented Corporate Governance of ICT Policy Framework and ICT Charter (To be implemented in a phased approach).
10. Governance of ICT Framework approved and implemented (COBIT 5) (To be implemented in a phased approach).
11. A Governance Champion designated and responsibilities allocated (To be implemented in a phased approach).
12. Improve Corporate Governance of ICT (Continuous Improvement Roadmap) (To be implemented in a phased approach).
13. As per the DPSA's Public Service Corporate Governance of ICT Policy Framework, 'EDM01 Governance framework setting and maintenance' in COBIT 5 is a priority process and should be implemented.
Responsible officials | Line item
D:ICT Governance and Compliance | 1 - 13 (To be implemented in a phased approach)
Reference to roadmap: 1. CGICT Policy Framework & Charter; 2. Governance of ICT Framework; 3. ICT Management Framework; 8. ICT Governance Awareness; 13. Optimisation
Further guidance
Refer to the DPSA CGICT Policy Framework for more information.
Table 17: Detail underpinning the roadmap