Subscribe

Govt to finally plug ICT holes

A long-awaited ICT governance framework is being implemented, and is expected to tighten IT security and improve service delivery.

Nicola Mawson
By Nicola Mawson, Contributor.
Johannesburg, 10 May 2013
ICT is a key government asset, but has previously not received the required level of attention, says public service and administration minister Lindiwe Sisulu.
ICT is a key government asset, but has previously not received the required level of attention, says public service and administration minister Lindiwe Sisulu.

The state has unveiled an ambitious plan that will see it roll out a government-wide ICT governance framework, with the first phase of a complicated process set to be complete at 150 national and provincial structures by the end of next March.

ITWeb understands the framework is the first such policy that has such a broad scope. Initially, it will be rolled out at national and provincial level, in accordance with the framework's deadlines, before other structures are looked at.

Failure to comply with the framework has serious consequences for government officials in terms of the Public Service Act, as immediate disciplinary steps will be taken. In addition, progress of implementation against timelines will be monitored by the auditor-general (AG).

However, government may have to rely on private sector consultants to meet the timelines, says a commentator. Once implemented, the framework is expected to improve overall service delivery, as the quality of information will be better and fraud will decrease.

Much needed

Recent scathing AG reports have found a widespread lack of IT security and governance among government departments. IT governance and security are vital to protect information and eliminate corruption.

Yet, according to the 2011 report, of the 38 national departments audited, 81% did not have full security management systems in place, and 79% did not have a complete IT governance framework.

The root cause of the lack of IT governance and IT security was the Department of Public Service and Administration's (DPSA's) delay in rolling out frameworks, the AG found. Public sector departments and public entities are "heavily reliant on IT systems to perform their statutory financial management, reporting and administrative functions".

Now that the framework is out, the AG will use the implementation phases as a time-line for auditing purposes.

Mammoth task

The "public service corporate governance of information and communication technology policy framework", signed by public services and administration minister Lindiwe Sisulu, applies to government departments, entities, municipalities and state-owned entities across the board.

Entities will have to develop their own systems based on the framework, which is constructed on international governance standards such as King III and Cobit.

AG's findings:

* A government-wide ICT governance framework must be put in place to address ICT risks.
* Governance of ICT roles and responsibilities should be defined and implemented.
* Government IT officers, a position created more than a decade ago, were not fulfilling their strategic responsibilities.
* Only 21% of departments had adequate ICT governance controls in 2010/11.

In the preface, Sisulu writes that ICT is a fundamental government asset, but has never received the same level of attention as people, money and organisations. She notes that ICT governance rests with senior leadership, and must not be delegated to ICT management.

In 1998, the Presidential Review Commission found that "all-important" ICT decisions should be made by senior leaders, and not delegated, and there should be a common, enabling framework. Yet, since this report some 15 years ago, "little has changed" around ICT governance within the public sector.

However, with the framework, several benefits should be reaped, including improved delivery in aspects such as education, job creation and economic growth. The state also expected improved return on ICT investments and management of information.

The policy was developed internally by the DPSA, and the department expects to handle implementation internally, although there may be opportunities for private sector involvement.

Private sector boon

Professor Basie von Solms, director of the University of Johannesburg's Centre for Cyber Security, says the "world-class" framework will improve service delivery, as it should cut down on fraud and improve ICT security.

Von Solms says government has its work cut out for it with the broad plan, tight timeframes and its lack of capacity. He says there will be "a lot" of consultancy work available, as long as it does not get stuck "somewhere".

The plan requires regular audits from the auditor-general and reports to be made back to Cabinet, says Von Solms. He personally does not think government has the capacity.

Von Solms points out that the framework requires that several roadmaps be created, such as information plans and information security. He says the private sector should get in as quickly as possible, as the first deadline is approaching.

The complicated framework could cost government billions to implement, says Von Solms. A recent AG report found R102 billion was spent on consultants between the 2008/9 and 2010/11 financial years, and more than a billion of this amount went to IT projects that were overpaid, or never completed.

It says the audit shows consultants are often employed to provide competencies for which departments should have internal staff. "However, since these skills were not available internally or departments were not successful in recruiting suitable staff, they relied on consultants to perform these functions. While this issue is concerning, it is not new."

Bart Henderson, president of the South African Institute of Corporate Fraud Management, has noted there are a myriad challenges facing government, including an aging and shrinking skills base, jobs not being filled by government, and lack of continuity and loss of institutional memory as a result of a highly mobile workforce.

Phased approach

By April 2014:
(i) Corporate Governance of ICT Policy Framework and Governance of ICT Framework approved and implemented;
(ii) Governance of ICT Charter approved and implemented;
(iii) Capacities created at DPSA:
* Governance Champion designated and responsibilities allocated;
* Capacity created to file the role of the enterprise architect;
* GITO appointed and functioning at strategic level; and
* A proficient ICT manager appointed.
(iv) Approved and implemented Risk Management Policy, including management of business-related ICT risks;
(v) Approved and implemented Internal Audit Plan that includes ICT audits;
(vi) Approved and implemented ICT Management Framework;
(vii) Approved and implemented departmental Portfolio Management Framework including ICT portfolio/programme and project management;
(viii) Approved and implemented ICT Security Policy; and
(ix) Approved ICT Continuity Plan informed by Departmental Business Continuity Plan and Strategy.

Phase two (April 2015):
(i) Approved ICT Strategic Plan;
(ii) Approved first iteration of Enterprise Architecture informing the ICT Architecture;
(iii) Approved ICT Migration Plan with annual milestones linked to an enabling budget;
(iv) Approved ICT Procurement Strategy for adhering to the ICT House of Value, taking into consideration the SITA Regulations of 2005; and
(v) Approved ICT Annual Performance Plan for 2015 to 2016 with a description of how it will be monitored.

Phase three: April 2015 onwards:
(i) All aspects of the framework must demonstrate measurable improvement from the initial implementation phase in 2012-14.

Share