Public Service Corporate Governance of Information and Communication T


roberts
Uploaded On 2021-08-17



Presentation Transcript

Public Service Corporate Governance of Information and Communication Technology Policy Framework
December

EXECUTIVE SUMMARY

Government transformation is, at a strategic level, informed by government-wide key priority areas that have been translated into 12 strategic outcomes guided by the Batho Pele principles of equal access to services, increased productivity and lowering of costs. The purpose of information and communication technology (ICT) is to enable the Public Service in its quest service delivery. The ICT House of Value depicts the values and key focus areas of ICT service delivery. These strategic outcomes, principles, values and key focus areas inform the acquisition,

To determine whether ICT in the Public Service delivers an enabling service, investigations have been done to establish the shortcomings of ICT service delivery. The first of these was the 1998 Presidential Review Commission (PRC) report, which stated that all decisions should come from senior political and managerial leadership of the state and not be delegated to the technolog, and that the management of ICT should be on the same level as the

management of other resources. It furthermore advocated a common enabling

In 2000 approved the creation of the Government Information Officer (GITO) position, with the requirement that the GITO in each department should be responsible for aligning the respective department's ICT strategic plan strategic direction and management plans. Furthermore, the GITO to the Head of the Department (HoD) and be part of the Executive Management team.

Since the publication of the PRC report, little has changed with respect to the governance of ICT in the Public Service. This was confirmed the Auditor General information systems review of governance of ICT in government conducted in wide Governance of ICT Framework be put in place implement a national IT strategy to address IT risks based on defined The Governance of ICT roles and responsibilities should be defined and Government Policy 2002 as amended

The AG further found that the GITOs not fulfil their strategic responsibilit due to inadequate accountability structures resulting in the GITO not being management level.

In 2010/11, the AG found that little progress had been made as 21% of implemented adequate governance controls but even governance controls sustainable because they had not been formally rolled

The view that ICT should be governed and managed at a Political Leadership and Executive Management level is supported by international accepted good practice and standards in the form of King III Code of Good Governance, ISO 38500 for the Corporate Governance of ICT and a cCT Process Framework also places accountability for governance ICT fully in the hands of Political Leadership and Executive Management (equivalent This accountability enables the department to align the delivery of ICT services with

The executive authority and management of departments need to extend corporate governance as a good management practice to ICT (Corporate Governance of ICT). In the execution of the Corporate Governance of ICT they should provide the necessary strategies, architectures, plans, frameworks, policies, structures, procedures, processes, mechanisms and controls, and ethical culture. To strengthen the Corporate Governance of ICT should be an integral part of the

The Corporate Governance of ICT is a continuous function that should be embedded in all operations of a department, from Executive Authority and

To address the above mentioned, the Department of Public Service and Administration (DPSA) in collaboration with the Government Information Technology

The purpose of the CGICTPF project is to institutionalise the Corporate Governance of and Governance of ICT as an integral part of corporate governance within departments. This CGICTPF provides the Political and Executive Leadership with a set of principles and practices that must be complied together with implementation approach to be utilised for Corporate Governance of ICT within is applicable all spheres of government, organs of state and public

The implementation of this CGICTPF will be supported by implementation guideline to be issued by the DPSA, which could form the basis for the to perform

enable a department to implement this CGICTPF a three-phase approach will be
Phase 1: Corporate Governance of ICT environment will be established in
Phase 2: Departments will plan and implement business and ICT strategic
Phase 3: Departments will enter into an iterative process to achieve

TABLE OF CONTENTS

Preface
EXECUTIVE SUMMARY
TABLE OF CONTENTS
LIST OF ILLUSTRATIONS
GLOSSARY OF TERMS AND DEFINITIONS
PURPOSE OF FRAMEWORK
LEGISLATIVE FRAMEWORK
SCOPE
APPOSITENESS
BACKGROUND
INTRODUCTION
GOVERNMENT SERVICE DELIVERY ENABLED THROUGH ICT
BENEFITS OF CORPORATE GOVERNANCE OF ICT
CORPORATE GOVERNANCE OF AND GOVERNANCE OF ICT GOOD PRACTICE AND STANDARDS
LAYERED APPROACH TO CORPORATE GOVERNANCE OF ICT
CORPORATE GOVERNANCE IN THE PUBLIC SERVICE
CORPORATE GOVERNANCE OF ICT IN THE PUBLIC SERVICE
OBJECTIVES OF THE CORPORATE GOVERNANCE OF ICT
THE PRINCIPLES FOR THE CORPORATE GOVERNANCE OF ICT
THE CORPORATE GOVERNANCE OF ICT PRACTICES
ICT ENABLING STRUCTURES IN THE PUBLIC SERVICE
GOVERNANCE OF ICT OVERSIGHT STRUCTURE IN THE PUBLIC SERVICE
INTRODUCTION
COBIT AS THE PROCESS FRAMEWORK FOR THE GOVERNANCE OF ICT
IMPLEMENTATION OF A GOVERNANCE OF ICT SYSTEM
REFERENCES
ANNEXURE A: Full description of Public Service ICT Governance Principles as per ISO/IEC 38500 and KING III

LIST OF ILLUSTRATIONS

List of Tables
List of Figures

GLOSSARY OF TERMS AND DEFINITIONS

AG: Auditor-General of South Africa
Business: The business of the department refers to the department's service delivery and internal support activities
CMMI: Capability Maturity Model Integration is a process improvement approach whose goal is to help organisations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organisation. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University
CIO: Chief Information Officer
CGICTPF: Corporate Governance of ICT Policy Framework
COBIT: Control Objectives for Information Technology
Corporate: Public Service-wide level: A group of related departments that enables the Public Service to achieve its strategic mandate. Department level: A group of related components that enables a department to achieve its strategic mandate. For the purpose of this Framework, Corporate means the same as Enterprise
Corporate Governance: "The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and

verifying that the enterprise's resources are used responsibly." (IT Governance Institute: ISACA [CGEIT] Glossary: 5 as amended) Procedures and processes according to which an organisation is directed and controlled. (Glossary of Statistical Terms Organisation of Economic and Cooperation Development www.oecd.org
Corporate Governance of ICT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organisation (ISO/IEC 38500: 2008: 3)
Department: A national department, a national government component, the Office of a Premier, a provincial department or a provincial government component (Public Service Act 103 of 1994, as amended) (PSA). For the purpose of the CGICTPF reference to department includes public administration in all spheres of government, organs of state and public enterprises as per Section 195 of the Constitution Act No 108 of 1996, as amended
DPSA: Department of Public Service and Administration
Electronic Government: The use of information and communication technologies in the Public Service to improve its internal functioning and to render services to the public
EXCO: Executive Committee (consists of Executive Management members of a department)
Executive Authority: In relation to (a) the Presidency or a national government component within the President's portfolio, means the President; (b) a national department or national government component within Cabinet portfolio, means the Minister responsible for such portfolio; (c) the Office of the Commission, means the Chairperson of the Commission; (d) the Office of a Premier or a provincial government component within a Premier's portfolio, means the Premier of that province; (e) a provincial department or a provincial government component within an Executive Council portfolio, means the member of the Executive Council responsible for such portfolio; (PSA 103 of 1994, as amended). For the purpose of the CGICTPF the Executive Authority as defined in (a) above will refer to the Ministers in the Presidency.
Executive Management: The Executive Management of the Department and could include the Head of Department, Deputy Directors-General (DDGs) / Executive Management of the Department. This normally constitutes the Executive Committee of the Department and should include the GITO.
GICT: Governance of ICT
GITO: Government Information Technology Officer (Cabinet Memorandum 38(a) of 2000)
GITOC: Government Information Technology Officer's Council (Cabinet Memorandum 38(a) of 2000)
Governance Champion: The Senior Manager in the department who is responsible to drive Corporate Governance of and Governance of ICT.
Governance of ICT: The effective and efficient management of IT resources to facilitate the achievement of company strategic objectives. (King III Code: 2009: 52) Is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategy and objectives (ITGI 2005) The system by which the current and future use of IT is directed and controlled.
Governance Principles: The vehicle to translate the desired behaviour into practical guidance for day-to-day management (COBIT 5 Framework Exposure Draft: 29)
GWEA: Government-wide Enterprise Architecture
HoD: Head of Department or Organisational Component as per the
ICT: Information and Communications Technology, also referred to as IT
ISACA: Information Systems Audit and Control Association
ISO/IEC: International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC)
ISO/IEC 38500: International Standard on Corporate Governance of ICT (ISO/IEC WD 38500: 2008: 1)
IT: Information Technology, also referred to as ICT
ITGI™: IT Governance Institute
ITIL: The Information Technology Infrastructure Library is a set of good practices for IT service management that focuses on aligning IT services with the needs of business
King III: The King III Report and Code on Governance for South Africa. SAIGR: Wetgewinghandboek 2010/2011: Volume 3
M&E: Monitoring and Evaluation
MPSA: Minister of Public Service and Administration
MTEF: Medium Term Expenditure Framework
Policy Framework: The Corporate Governance of ICT Policy Framework (CGICTPF)
PSA: Public Service Act 103 of 1994, as amended
PSICTM: Public Service ICT Management Branch the DPSA
PSR: Public Service Regulations of 2001, as amended
Responsible: Refers to the person who must ensure that activities are completed successfully
Risk Appetite: The amount of residual risk that the Department is willing to accept. (PSRMF 2010:15)
Risk Management: A systematic and formalised process to identify, assess, manage and monitor risks. (PSRMF 2010:16)
SANS 38500: South African National Standard 38500 adopted from ISO/IEC 38500
SITA: State IT Agency

PURPOSE OF FRAMEWORK

The purpose of this Framework is to institutionalise the Corporate Governance of and Governance of ICT as an integral part of corporate governance within Framework provides a set of principles and practices with which

Sections 3(1)(g) and 3(2) of the Public Service Act 103 of 1994 which empower the Minister for Public Service and Administration (MPSA) to prescribe uniform norms and standards for electronic government, regulations, determinations and directives, and perform any other acts provided in terms of this Act

Section 7(3)(b) of the PSA provides that responsible for the efficient management and administration of

Chapter 1, Part III B of the Public Service Regulations of 2001, as amended, prescribes that the executive authority is accountable for the strategic plan and the creation of the organisational

Chapter 1, Part III E of the, which stipulates that the relevant information-related plans for the

LEGISLATIVE FRAMEWORK

must be aware of and comply with the legislative landscape

This Policy Framework for the Corporate Governance of ICT administration in every sphere of government, organs of state and

APPOSITENESS

Policy Framework recognises that departments are diverse. It is thus not possible to produce a blueprint of an enabling environment applicable to all departments. This Policy Framework adopts the approach of elucidating principles and practices to support and sustain effective Corporate develop their own system of Corporate Governance Governance of ICT by adopting the principles and practices put forward in this Policy Framework pting the governance system to be in line with the departmental context, while keeping the intent of this Policy Framework

Figure : Customised Contextual Governance System

SECTION 1: STRATEGIC CONTEXT

contains findings and recommendations in relation to the operation, transformation and development of the South African Public Service and in particular the creation of a new culture of good governance. Chapter 6, All ICT of importance should come from Senior P not be delegated to technolog The management of be carried out on the same level as the management of other resources such as people, finance and

In 2000 Cabinet (Cabinet Memorandum 38a of 2000) approved that the GITO in each department should be responsible s ICT strategy with strategic direction and management plans. the GITO should report to the and be part of the Management team.

In 2002 and again in November 2010, the GITO Council adopted COBIT as the process framework for the Governance ICT for implementation in the

Since the publication of the PRC report, little has changed with respect to the of ICT in the Public Service. information systems review of of ICT in government conducted in 2008/09 and again wide Governance of ICT Policy Framework be put in place for the implementation of a national IT strategy to address IT

Policies, standards and guidelines should be adopted developed to address process-related risks. These policies, standards and guidelines would have to apply across government departments to allow consistency

Performance measures should be implemented to ensure adequate

The AG further found that the GITOs were not as strategic

Following the AG recommendations, the communicated these findings and recommendations to all departments in August 2010, stressing the importance of the of ICT. Departments were requested to provide

(Footnote: Report of the Presidential Review Commission as presented to the President of South Africa 27 February 1998)
(Footnote: Auditor-General of South Africa: Status of the governance of Information Technology in government, May 2010)

In 2010/11 the AG found that little progress had been made with the implementation of the 2008/09 and 2009/10 findings regarding the 79% of no Governance of ICT Policy Framework did not implemented adequate but unsustainable governance controls they had not been formally rolled out by management, they were

The aforementioned indicates a lack of government-wide and

departmental of ICT. The guidance and decisions for the of ICT should come from senior political and managerial leadership and should be

To address the above mentioned problems, the DPSA in collaboration with the Government Information Technology Officer Council (GITOC) and the AG

INTRODUCTION

Government transformation is, at a strategic level, informed by government-wide key priority areas translated into 12 strategic outcomes guided by the Batho Pele principles of equal access to services, increased productivity and lowering of costs. At a departmental level, specific departmental strategic goals are formulated, aligned with the 12 strategic outcomes. These strategic goals are translated into implementation and execution plans for each department. The Executive Authority of a department is accountable to

The purpose of ICT is to serve as an enabler of public s inter alia, focus areas (ICT House of Value the Public Service to achieve these 12 strategic

(Footnote: Electronic Government a Digital Future February 2001, as amended)

In recent years there has been a growing realisation of the importance of Corporate Governance of IT, as emphasised by King III Code, the Executive Management leadership of departments need to Corporate Governance as a good management practice. This should be done by evaluating the current business strategic goals and future use of ICT, directing the preparation and implementation of plans to ensure use of ICT meets business needs which, when implemented, must be monitored for performance and conformance purposes to ensure that the

There are international and national mechanisms available that provide guidance and frameworks for the implementation of of ICT,

The Executive Leadership and Management should understand the strategic importance of ICT and assume responsibility for the of ICT and place the of ICT on the strategic agenda. In order to achieve this it is necessary for the Public Service and departments
Layer 1:
Layer 2:

GOVERNMENT SERVICE DELIVERY ENABLED THROUGH ICT

In support of the achievement of the 12 strategic outcomes, the Public adopted certain ICT values and key focus areas be achieved

(Footnote: King III Report and Code on Governance for South Africa: Chapter 5: The Governance of Information Technology)
Presidential Review

Commission report 1998

Figure : ICT House of Value

Table 1 depicts the mapping the 12 strategic outcomes the key focus

Table : Mapping of 12 Strategic Outcomes to the ICT House of Value

Columns: strategic outcome; related strategic goals in ICT House of Value (primary influencing goals; secondary influencing goals); value.

Outcome 1: Basic Education. Related strategic goals: Government Architecture, Interoperability, Digital inclusion, Economies of scale, Reduced duplication; Security. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 2: A long and healthy life for all South Africans. Related strategic goals: Government Architecture, Security, Interoperability, Reduced duplication, Digital inclusion; Economies of scale. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 3: All people in SA are and feel safe. Related strategic goals: Government Architecture, Security, Digital inclusion; Interoperability, Reduced duplication, Economies of scale. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 4: Decent employment through inclusive economic growth. Related strategic goals: Interoperability, Digital inclusion, Economies of scale, Reduced duplication, Security; Government Architecture. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 5: Skills and capable workforce to support an inclusive growth path. Related strategic goals: Government Architecture, Interoperability, Digital inclusion; Economies of scale, Security, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 6: An efficient, competitive and responsive economic infrastructure network. Related strategic goals: Government Architecture, Interoperability, Digital inclusion, Economies of scale, Security, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 7: Vibrant, equitable, sustainable rural communities contributing towards food security for all. Related strategic goals: Government Architecture, Digital inclusion, Security; Reduced duplication, Economies of scale. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 8: Sustainable human settlement and improved quality household life. Related strategic goals: Government Architecture, Digital inclusion; Interoperability, Economies of scale, Security, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 9: Responsive, accountable, effective and efficient local government system. Related strategic goals: Government Architecture, Interoperability, Digital inclusion, Economies of scale, Security, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 10: Protect and enhance our environmental assets and natural resources. Related strategic goals: Government Architecture, Economies of scale, Reduced duplication; Interoperability, Security, Digital inclusion. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 11: Create a better SA, a better Africa and a better world. Related strategic goals: Government Architecture, Security, Digital inclusion; Interoperability, Economies of scale, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.
Outcome 12: An efficient, effective and development-oriented Public Service and empowered, fair and inclusive citizenship. Related strategic goals: Government Architecture, Interoperability, Digital inclusion; Economies of scale, Security, Reduced duplication. Value: Lower cost, Citizen convenience, Increased productivity.

"An efficient, effective and development-oriented Public Service and empowered, fair and inclusive citizenship", is the main driver of

BENEFITS OF CORPORATE GOVERNANCE OF ICT

When the Corporate Governance of ICT is effectively implemented and maintained Public Service to improve delivery on the 12 strategic
Improved achievement of Public Service-wide and departmental
Improved effective public service delivery through ICT-enabled access to
ICT risks managed in line with the priorities and appetite of the Public
Appropriate security measures to protect the departmental and employee
Improved management of information as it is managed on the same level as other resources such as people, finance and material in the Public
ICT proactively recognises opportunities and guide
Improved ICT to learn and agility to adapt

CORPORATE GOVERNANCE OF AND GOVERNANCE OF ICT GOOD PRACTICE AND STANDARDS

In recognition of the importance of the of ICT, a number of internationally recognised frameworks and standards, such as King III Code, ISO/IEC 38500 and COBIT, have been developed to provide context for

King III Code: The most commonly accepted Corporate Governance framework in South Africa is also valid for the Public Service.

It was used to inform the Corporate Governance of ICT principles and practices in this document and to establish the relationship between

ISO/IEC 38500: internationally accepted as the standard for Corporate

An internationally accepted process framework for of ICT. COBIT fully supports the principles of the King Code and the ISO/IEC 38500 standard Corporate Governance

Figure 3 depicts the different layers of governance and the interrelationship

(Footnote: Adopted for South Africa as SANS 38500)

Figure : Interrelationship of the different Frameworks and Standards

LAYERED APPROACH TO CORPORATE GOVERNANCE OF ICT

Corporate Governance of ICT two levels of decision the achievement of a department's strategic goals (Corporate efficient and effective management of ICT service delivery

The implementation of Corporate Governance of ICT in the Public Service This CGICTPF, which addresses the Corporate Governance of ICT, which will be adapted and implemented as the GICTF on the Governance

Figure 4 demonstrates the different governance layers with

Figure : Governance Layers

CORPORATE GOVERNANCE IN THE PUBLIC SERVICE

The purpose of corporate governance

is to create value for the

It consists of a governance system that affects the way Public Service departments are managed and controlled. It also defines the relationships between stakeholders the strategic goals of the Public Service

Corporate governance is a vehicle through which value is created with departmental context. Value creation means realising benefits while resources and risks. This value creation takes place within a governance system that is established by this Policy Framework. A governance system refers to all the means and mechanisms that enable the Executive Authority, and Executive Management to have a structured Evaluate internal and external context, strategic direction and risk to conceptualise the department's strategic goals and how they will be the department in the execution of strategic goals to ensure the execution of the strategic goals within a department

Corporate governance is also concerned with individual accountability and responsibilities within a department. It describes how the department is the organisational structures and mechanisms (such as steering forums) established within the department the individual roles and responsibilities established to the frameworks established for making decisions together with

Figure 5 depicts how the governance system. The exe is accountable, provides the strategic direction of the department. The strategic direction, together with the external and internal context, determines the strategic goals. Corporate Governance and the Governance of ICT are exe Executive Management level through the function of evaluation, direction and monitoring. The management of business execution is done through the organisational structure and utilisation of the

Figure : Corporate Governance System

The Executive Leadership and Management of a department are accountable

CORPORATE GOVERNANCE OF ICT IN THE PUBLIC SERVICE

Corporate Governance of ICT is a subset of Corporate Governance and is

Executive Authority Head of Department provides the strategic leadership and is accountable for the implementation of the Corporate Governance of ICT; Executive Management is responsible that the

Corporate Governance of ICT involves evaluating and directing the achievement of strategic goals and us ICT to enable the departmental the monitoring of ICT service delivery to ensure service improvement. It includes goals and plans, and

and Executive Management are respectively accountable and Corporate Governance of ICT in the department. Effective Corporate Governance of ICT is achieved in a
a Corporate Governance of ICT Policy Framework that is
that optimum business value is realised from ICT
that business and ICT-related risks do not exceed the
that ICT-related resource needs are met in an optimal manner by
that the communication with stakeholders transparent, relevant
transparency of performance and conformance and driv

The implementation of the of ICT can be achieved through the following means and mechanisms, and decision making
Means and mechanisms: Structures such as ICT Strategic Committee Management level, ICT Steering Committee Senior Management level and ICT Architecture and Operational Committee at a
making mechanisms:

The guideline for implement Policy Framework will provide further

Depending on the size and complexity of their ICT operations, departments may also elect to adapt and/or adopt related standards and frameworks. The

OBJECTIVES OF THE CORPORATE GOVERNANCE OF ICT

In order to give effect to the Corporate Governance of ICT in the Public
Identify, establish and prescribe a uniform Governance of ICT Framework
Embed the Corporate Governance of ICT as a subset
Create business value through ICT enablement by ensuring business and
relevant ICT resources, organisational structure, capacity and
Achieve and monitor ICT service delivery performance and conformance to relevant internal and external policies, frameworks, laws, regulations,
Implement the governance of ICT in the department based on the COBIT

THE PRINCIPLES FOR THE CORPORATE GOVERNANCE OF ICT

This CGICTPF is based on principles as explained in the international practice and standard for IT governance, King III, COBIT (see Annexure A). Table 2 below contains the adopted

Table : Corporate Governance of ICT Principles

Principle 1: Political Mandate. The Corporate Governance of ICT must enable the department's political mandate. The Executive Authority must ensure that Corporate Governance of ICT achieve the political mandate of the department.
Principle 2: Strategic Mandate. The Corporate Governance of ICT must enable the department's strategic mandate. The HoD must ensure that Corporate Governance of ICT achieve the department's strategic plans.
Principle 3: Corporate Governance of ICT. The HoD is responsible for the Corporate Governance of ICT. The HoD must create an enabling environment in respect of the Corporate Governance of ICT within the applicable legislative and regulatory landscape information security context.
Principle 4: ICT Strategic Alignment. ICT service delivery must be aligned with the strategic goals of the department. Executive Management must ensure that ICT service delivery is aligned with the departmental strategic goals and that business accounts for current and future capabilities of ICT. It must ensure that ICT is fit for purpose at the correct service levels and quality for both current and future business needs.
Principle 5: Significant ICT Expenditure. Executive Management must monitor and evaluate significant ICT expenditure. Executive Management must monitor and evaluate major ICT expenditure, ensure that ICT expenditure

is made for valid business enabling reasons and monitor and manage the benefits, opportunities, costs and risks resulting from this expenditure, while ensuring that information assets are adequately managed.
Principle 6: Risk Management and Assurance. Executive Management must ensure that ICT risks are managed and that the ICT function is audited. Executive Management must ensure that ICT risks are managed within the departmental risk management practice. It must also ensure that the ICT function is audited as part of the departmental audit plan.
Principle 7: Organisational Behaviour. Executive Management must ensure that ICT service delivery is sensitive to organisational behaviour/culture. Executive Management must ensure that the use of ICT demonstrates the understanding of and respect for organisational behaviour/culture.

THE CORPORATE GOVERNANCE OF ICT PRACTICES

Corporate Governance of ICT practices will be used to cascade the

Table : Corporate Governance of ICT Practices

Practice No. and Practice Description

1. Executive Authority must: (a) provide political leadership and strategic direction, determine policy

and provide oversight;
(b) ensure that ICT service delivery enables the attainment of the strategic plan;
(c) take interest in the Corporate Governance of ICT to the extent necessary to ensure that a properly established and functioning Corporate Governance of ICT system is in place the department to leverage ICT as a business enabler;
(d) assist the HoD to deal with intergovernmental, political and other ICT-related business issues beyond their direct control and influence; and
(e) ensure that the department's organisational structure makes provision for the Corporate Governance of ICT.

2. Vertical Sector Mandate
The Executive Authority of national departments that have a sector/functional area specific responsibility or sphere of influence must ensure that the necessary cross sector/functional area Corporate Governance of ICT arrangements are in place.

3. Head of Department must:
(a) provide strategic leadership and management;
(b) ensure alignment of the ICT strategic plan with the departmental and business strategic plans;
(c) ensure that the Corporate Governance of ICT is placed on the department strategic agenda;
(d) ensure that the Corporate Governance of ICT Policy Framework, charter and related policies for the institutionalisation of the Corporate Governance of ICT are developed and implemented by Executive Management;
(e) determine the delegation of authority, personal responsibility and accountability to the Executive Management with regards to the Corporate Governance of ICT;
(f) ensure the realisation of department-wide value through ICT service delivery and management of business and ICT-related risks;
(g) ensure that appropriate Corporate Governance of and Governance of ICT capability and capacity are provided and a suitably qualified and experienced Governance Champion is designated, who must function at Executive Management level;
(h) ensure that appropriate ICT capacity and capability are provided and a suitably qualified and experienced GITO, who must function at Executive Management level, is appointed; and
(i) ensure the monitoring and evaluation of the effectiveness of the Corporate Governance of ICT system.

4. Risk and Audit Committee must assist the HoD in carrying out his/her Corporate Governance

of ICT accountabilities and responsibilities.

5. Executive Management must ensure:
(a) ICT strategic goals are aligned with the department business strategic goals and support strategic business processes; and
(b) Business-related ICT strategic goals are cascaded throughout the department for implementation and are reported on.
(c) Means and Mechanisms
(i) Advice is provided to the HoD regarding all aspects of the Corporate Governance of and Governance of ICT;
(ii) The Corporate Governance and Governance of ICT is implemented and managed;
(iii) The necessary strategies, architectures, plans, frameworks, policies, structures (including outsourcing), procedures, processes, mechanisms and controls, and culture regarding all aspects of ICT use (business and ICT) are clearly defined, implemented, enforced and assured through independent audits;
(iv) The responsibility for the implementation of the Corporate Governance and Governance of ICT is delegated and communicated to the relevant management (senior business and ICT management);
(v) Everyone in the department understands the link between business and ICT strategic goals and accepts their responsibilities with respect to the supply and demand for ICT;
(vi) Significant ICT expenditure informed by the department's Service Delivery Plan, Enterprise Architecture and ICT Architecture, motivated by business cases, monitored and evaluated;
(vii) The planning and execution of ICT adheres to relevant judicial requirements; and
(viii) ICT-related risks are managed.
(d) ICT Security
(i) An information security strategy is approved;
(ii) Intellectual property in information systems is appropriately protected; and
(iii) ICT assets, privacy, security and the personal information of employees are effectively managed.
(e) Organisational Behaviour/Culture
The use of ICT demonstrates the understanding of and respect for organisational behaviour/culture, which should include human behaviour.

ICT ENABLING STRUCTURES IN THE PUBLIC SERVICE
To give effect to the PRC recommendations to improve the delivery of ICT service in the Public Service, different structures/entities have been
GITO function was established in each department to align and execute ICT service delivery with the strategic goals and management plans of the department. The GITO must be represented at the strategic management level (
GITO Council was established as the principal interforum to improve ICT practices of departments on such matters as the design, modernisation, use, sharing, and performance of information and
State IT Agency (SITA) was created as the Prime Systems Integrator of Transversal Information and Communication Systems for
In the Public Service ICT Management is responsible that ICT execution enables the Public Service to improve
These structures/entities do not negate the accountability and/or responsibility of the Executive Authority Executive Management direct, evaluate and monitor ICT service delivery
Cabinet Memorandum 38(a) of 2000; Public Service Act 1994 as amended; SITA Act of 1998 as amended; SITA Act of 1998 as amended

GOVERNANCE OF ICT OVERSIGHT STRUCTURE IN THE PUBLIC SERVICE
found that ICT effectively managed the development of
This CGICTPF creates a Public Service-wide oversight structure to foster an integrated approach to the Corporate Governance of ICT and ensure proper
The Ministerial Cluster for Governance and Administration an integrated approach to governance and
The Minister for Public Service and Administration is responsible for information and communication technologies in the Public Service. In relation to this Policy Framework the Minister may establish ICT norms and minimum standards, make regulations, determinations and directives to improve the internal functioning of the Public Service and to render
The Department of Public Service and Administration supports the MPSA in leading Public Service transformation and provides professional advice and support to ensure Public Service excellence and good governance. The department also has a monitoring function to monitor
The Public Service ICT Management Branch within the DPSA responsible for the development, oversight and compliance monitoring of the Corporate Governance of ICT in accordance with
The Department of Performance Monitoring and Evaluation and improves the overall performance of all government sphere monitoring and evaluating the performance of government, and assisting government to focus on the prioritised strategic outcomes. This department will monitor and evaluate management performance against
The GITO Council is the principal departmental forum to coordinate, advise and facilitate the adoption and implementation of the Corporate
The Auditor conducts audits and reports on Corporate Governance of ICT to the
a sustained enabling environment for directing the implementation of the Corporate Governance
that the Corporate Governance of ICT is evaluateded in such a way to achieve continuous improvement of
on ICT performance, conformance and risk management
Figure 6 the oversight structures relevant for the implementation of the
Figure Public Service Corporate Governance of ICT Oversight Structure

SECTION 2: TACTICAL CONTEXT
INTRODUCTION
This CGICTPF will direct the implementation of the of ICT, whic
COBIT, as a process framework for the of ICT, was adopted by
The implementation of COBIT will establish a common knowledge and
The AG also adopted the use of, inter alia, COBIT to independently audit

COBIT AS PROCESS FRAMEWORK FOR THE GOVERNANCE OF ICT
COBIT was developed by ISACA and that has been implemented widely throughout the world and in
COBIT enables departments

to achieve their strategic goals by deriving optimal value from ICT through the realisation of benefits and optimising
COBIT is not a standard; it is a process framework within which a department flexibility according to its specific environmental
As a set of of ICT and management processes, COBIT provides cation of the accountability and responsibilities of business and ICT
Principle 1 of the five COBIT principles provides an Integrator Framework seamless integration with other relevant standards and frameworks such as ITIL (Service Management), ISO/IEC 15504 (Maturity
Principle 4, Governance Enablers, provides for the implementation of a governance and management system for corporate ICT. There are seven

SECTION 3: IMPLEMENTATION APPROACH
IMPLEMENTATION OF A GOVERNANCE OF ICT SY
Corporate Governance of ICT of decision the achievement of a department's strategic goals (Corporate
efficient and effective management of ICT service delivery
Corporate Governance of ICT layer department has a unique internal and external contextual environment, which means a common but flexible approach to the Corporate Governance of

ICT is required. This adopts principles and practices in support of a flexible and sustainable approach to Corporate Governance of ICT system within
Governance of ICT layer, as process framework, will be used to
To enable a department to implement Policy Framework and COBIT, a phased approach will be followed as shown below and detailed in the
Establish a Corporate Governance of ICT
improve Corporate Governance

Phase 1: Establish the Corporate Governance and Governance of ICT environments
These environments are established through the development and implementation of strategies, architectures, plans, frameworks, policies, structures, procedures, processes, mechanisms and controls, and ethical . A minimum enabling environment must be created through the Corporate Governance of ICT Policy Framework
The principles and practices of this Policy Framework must be complied with but the system of Corporate Governance of ICT should be adapted for the unique enabling environment (external and internal) of
Governance of ICT framework
The Implementation Guideline, to be published by the DPSA, will provide guidance on the implementation

of COBIT as process framework for
Departmental Corporate Governance of ICT Charter
department should analyse and articulate its requirements for the Corporate Governance of ICT and develop, implement and maintain a related charter. This should enable the creation and maintenance of effective enabling governance structures, processes and practices. It should also clarify the governance of ICT-related roles and responsibilities towards achieving the department's strategic goals. This charter should be approved at a strategic level in the department and
How the ICT strategic goals and related service delivery will be aligned with departmental strategic goals, monitored and reported on
How ICT service delivery will be guided at a strategic level to create
Which structures will be created to effect the Corporate Governance of ICT, management of ICT functions, the members of these structures and the roles, responsibilities and
How the necessary capacity and capability (resources/skills) to
Governance Champion
an experienced person knowledgeable in the business of the department, who will be responsible implementation, change management and maintenance of Corporate Governance of ICT in the department.
a senior manager at least on the level of a Chief Director reports to Executive Management. He/she must be an tative and articulate person with strong decision abilities and the mandate to decisions and escalate
be actively involved in the oversight of the formal
facilitate the alignment process between business and ICT
be r, implement, maintain the necessary Corporate Governance of ICT policies, structures, processes, procedures, mechanisms,
that the of ICT system, as a subset of Corporate Governance of ICT, is developed, implemented and maintained; and
be supported by a cross-functional team, which must include
Enterprise Architect
a person knowledgeable in the business of the department, who will be responsible for structured planning to articulate the business and related processes of the department in an
Government Information Technology Officer
should perform at Executive Management level, and ICT strategic goals with business strategic goals,
ICT Manager
Corporate Governance of ICT
The effective implementation of the Corporate Governance of ICT must be supported by enabling frameworks, plans and
ntal Enterprise Architecture to articulate stakeholder/business needs. The DPSA's Service Delivery Planning Framework and Methodology and GWEA should inform the
ICT it does not fall within the scope of this
ICT Architecture used to translate the departmental business strategic plan (5-year) and Enterprise Architecture into an enabling ICT service. This should contain a migration plan from the
Departmental Risk Management Policy must include how related ICT risks will be managed and how capacity will be in the Risk Management Function to address ICT
Internal Audit Plan should include ICT audits. It should also indicate how the Internal Audit Function will be
ICT Management Framework must ensure a consistent management approach for the ICT function in line with the corporate governance requirements and strategic goals. This should include management processes, organisational structures, roles and
ICT Portfolio Management Framework should be embedded in the departmental Portfolio/Program Management Structures. It must include how the department will create the necessary capacity to manage I
Departmental Information Security Strategy must ensure that classified information, intellectual property and personnel information
Information Security Plan be informed by the Information
ICT Security Policy be informed by the Information
Departmental Business Continuity Plan should be informed by the operational, information and data requirements of the business.

Phase 2: Business and ICT Strategic Alignment
It is important that the alignment of business and ICT strategies done in line with approved South African Government planning frameworks such as the National Treasury Framework for Strategic Plans and Annual Performance Plans, Service Delivery Framework and Methodology of the and the Government-wide Enterprise Architecture (GWEA). The architectural planning process articulates the business strategic goals that ICT service delivery must respond to in order to support the business in
Figure 7 depicts the cascading of the departmental strategic plan and its
Figure Business and ICT Strategic Alignment

Phase 3: Continuous improvement of Corporate Governance and Governance
The successful implementation of a Corporate Governance of ICT system leads to continuous improvement in the creation of business value. ICT service delivery must be assessed to identify gaps between expected and
Corporate Governance of ICT (ICT contribution to realisation of business
Governance of ICT (continuous improvement of the management of ICT
The implementation phase will be conducted in according to
The AG will use these implementation as a timeline for auditing
Figure Corporate Governance of ICT Implementation Phases
deliverables per financial year
Corporate Governance of ICT Policy Framework and
Governance of tment:
Approved and implemented Risk Management Policy that includes
Approved and implemented Internal Audit Plan that includes ICT
Approved and implemented departmental Portfolio Management Framework that includes ICT portfolio/program and project management;
ICT Security Policy
ICT Continuity Plan informed by Departmental Business
Approved first iteration of the Enterprise Architecture
ICT Migration Plan with annual milestones linked to an
ICT Procurement Strategy for adhering to the ICT House
ICT Annual Performance Plan for 2015 to 2016
All aspects of the Corporate Governance and Governance of ICT demonstrate measurable improvement from the initial
for the implementation of CGICTPF and GICTF will be issued by

ANNEXURE A: Full description of Public Service ICT Governance Principles per ISO/IEC 38500 KING III

ISO/IEC 38500 Principles    Related King III Code principle

ISO/IEC 38500 Principle 1: All within the organisation have to understand and accept the responsibility in respect of both supply of, and demand for IT

King III Principle 1 Board Responsibility: The board should be responsible for information technology (IT) governance
The board should assume the responsibility for the governance of IT and place it on the board agenda.
The board should ensure that an IT charter and policies are established and implemented.
The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.
The board should ensure that an IT internal control framework is adopted and implemented.
The board should receive independent assurance on the effectiveness of the IT internal controls.

King III Principle 3 IT Governance Framework: The board should delegate to management the responsibility for the implementation of an IT governance Framework
Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance Framework.
The board may appoint an IT steering committee or similar function to assist with its governance of IT.
The CEO should appoint a Chief Information Officer responsible for the management of IT.
The CIO should be a suitably qualified and experienced person who should have access and interact regularly on strategic IT matters with the

board and/or appropriate board committee and Executive Management.

ISO/IEC 38500 Principle 2: The organisation's business strategy takes into account the current and future capabilities of IT

King III Principle 2 Performance and Sustainability: IT should be aligned with the performance and sustainability objectives of the company
The board should ensure that the IT strategy is integrated with the company's strategic and business processes.
The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT

ISO/IEC 38500 Principle 3: All IT acquisitions are made for valid reasons on the basis of the appropriate and ongoing analysis with clear and transparent decision making

King III Principle 4 IT Investments: The board should monitor and evaluate significant IT investment and expenditure
The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.
The board should ensure that intellectual property contained in information systems

is protected.
The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services

ISO/IEC 38500 Principle 4: IT is fit for purpose in supporting the organisation, providing the services, levels of service and service quality required to meet current and future business requirements

King III: Same as Principle 2 above

ISO/IEC 38500 Principle 5: Compliance should form an integral part of the risk management process. The risk of noncompliance should be identified, assessed and responded to in the risk management process.

King III Principle 5 Risk Management: IT should form an integral part of the company's risk management
Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.
The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

ISO/IEC 38500 Principle 6: IT Policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the "people in the process"

King III Principle 6 Information Security: The board should ensure that information assets are managed effectively
The board should ensure that there are systems in place for the management of information which should include information security, IT and information privacy
The board should ensure that all personal information is treated by the company as an important business asset and is identified.
The board should ensure that an Information Security Management System is developed and implemented.
The board should approve the information security strategy and delegate and empower management to implement the strategy.

King III Principle 7 Governance Structures: A risk committee and audit committee should assist the board in carrying out its IT responsibilities
The risk committee should ensure that IT risks are adequately addressed.
The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.
The audit committee should consider IT as it relates to financial reporting and the going concern of the company.
The audit committee should consider the use of technol