no 1 IT Governance – how to get the right and secured IT services. Bjorn Undall and Bengt E W Andersson, The Swedish National Audit Office. Oman, 2007-03-03.
no 2 How to become excellent IT users and, at the same time, how to guarantee safety in the use of information and IT services? Experiences and conclusions from 15 IT audit projects during 2002–2007.
no 3 The Cabinet expresses: A strong need for government agencies to become excellent IT users. One important area is the development of electronic government services (e-services). A strong need for secure IT services (the protection of the confidentiality, integrity, availability and traceability of data, and also the protection of IT systems).
no 5 Develop proposals. Agencies: did not elicit good ideas as to how their operations could be developed using IT; had difficulties in making business development strategies sufficiently specific to support change proposals; rarely undertook systematic reviews of their business activities.
no 6 Assess proposals: The investment ideas did not link in well enough to the agencies' operational strategies, which increased the risk of the ideas not leading to the business benefits sought by each agency. Proposals setting out the comparative costs, risks and effects of alternative approaches were not adequately dealt with, nor were proposals clearly linked to other IT investment and development projects.
no 7 Select proposals for implementation: Investment decisions were not always based on clear descriptions of a proposal's expected business benefits and implementation risks. Decision-makers were prevented from obtaining a clear and comprehensive understanding of an investment proposal.
no 8 Manage/control implementation: Governance of the IT projects was exercised at too low a management level. IT projects were also inadequately integrated into other development projects and into the evolution of the environments in which the IT systems were intended to operate or which they were intended to support.
no 9 Manage/control implementation: Shortcomings in changing working methods and in staff and organisation development. The management and control of individual business projects was more geared to reacting to problems as they arose than to systematic risk assessment. Well-established methods and models for managing and undertaking development work were not used consistently.
no 10 Knowledge management: Experiences and knowledge of different components of the INVIT-process were not utilised in a systematic way; an area for improvement. It was difficult to obtain an overview of the knowledge that exists, and to gain access to it when it was needed.
no 11 Create and maintain the INVIT-process: The agencies, despite their extensive experience of IT investment, had considerable shortcomings in their direction and governance of investment processes. Only one of the agencies had developed some procedures for using experiences from investment projects already carried out.
no 12 Initially we thought that the five chosen agencies were rather good at IT governance. The audit showed that even though they were very experienced IT users and heavily dependent on IT, there were some serious obstacles. To sum up, there was a large potential for development of the entire IT investment process.
no 13 Auditing the development of electronic government. In the years 2002–2003: How well are government web sites adapted to the needs and prerequisites of the individual user? In the years 2003–2004: How effective is the direction of the Cabinet in transforming the public government into an electronic government?
no 14 2002. The agencies' websites and the e-services offered did not promote an efficient dialogue, and also failed to meet certain accessibility requirements. 2004. Government agencies had difficulty in developing good e-services. 2004. A great risk of deficiencies in electronic communication. 2004. Problems in producing good e-services based on inter-agency collaboration.
no 15 2004. The Cabinet's direction was very limited as regards the types of e-services to which the agencies should give priority. The Cabinet had chosen to direct the development of the support provided to public administration. The Cabinet's follow-up was inadequately developed. The Cabinet's reports to the Swedish Parliament contained no information about the effects of the e-government efforts. The Cabinet has constantly maintained that Sweden is well to the fore internationally.
no 17 What is Information Security Management (ISM)? Protecting information assets against manipulation and destruction; preserving availability; preserving confidentiality and the audit trail.
no 18 Our choice. The two avenues: 1. Substantive audit of actual security. 2. Internal control: ISM.
no 19 What do we want to establish? Whether internal control of information security work is carried out according to the material parts of ISO 17799 and Swedish regulations. Focus: management.
no 20 Whether the government is taking responsibility for its agencies' information security.
no 21 Reports. To the auditees: 10 individual reports on problems found and suggested remedies. To the Cabinet and Parliament: is there sufficient control, support and guidance for the agencies? Our annual report 2007.
no 22 Some results. Important parts of the ISMS missing or defective: control environment (leadership attitudes, IS objectives), risk analysis (methods, responsibilities, comprehensiveness), reporting upwards, follow-up, IS education…
no 23 More results. Priority given to technical measures rather than to attitudes, skills and behaviour. Leadership interest, attitudes and competence as to ISM.
no 24 Leadership's role in ISM. What it isn't: being held hostage in tech decisions. Formulate security requirements coupled to the agency's goals. Define the agency's appetite for risk. Check the residual risk.
no 25 More on the role. Decide on reporting routines to management. Decide on resources for IS. Check how they are used: relate cost to the age structure of IT systems, etc.
no 26 Conclusion: The ISMS does not, in most cases, form a comprehensive system (follow-up, reporting, responsibilities).
no 27 More conclusions. Conclusion: tools for leadership are missing, making it hard for top management to lead IS work. Conclusion: the potential of investment in IS is not well exploited. The amount of resources invested and the costs are not even known!
no 28 Key lessons and conclusions. We have chosen agencies that are heavily dependent on IT and have many years of experience in governing the use of IT. Still, there is a significant lack of capability in leadership at all levels. There is an urgent need for stronger IT governance at both top management and Cabinet level to ensure that the right IT services will be conceived, developed and implemented, and that these services will meet all important requirements of information security. This is extremely important in the transition to electronic government.