No 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W Andersson The Swedish National Audit Office Oman 2007-03-03.

Presentation transcript:

no 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W Andersson The Swedish National Audit Office Oman

no 2 How to become excellent IT users and, at the same time, how to guarantee safety in the use of information and IT services? Experiences and conclusions from 15 IT audit projects during

no 3 The Cabinet expresses: A strong need for government agencies to become excellent IT users. One important area is the development of electronic government services (e-services). A strong need for secure IT services (the protection of the confidentiality, integrity, availability and traceability of data, and also the protection of IT systems).

no 4

no 5 Develop proposals. Agencies: did not elicit good ideas as to how their operations could be developed using IT; had difficulties in making business development strategies sufficiently specific to support change proposals; rarely undertook systematic reviews of their business activities.

no 6 Assess proposals: The investment ideas did not link in well enough to the agencies' operational strategies, which increased the risk that the ideas would not lead to the business benefits sought by each agency. Proposals setting out the comparative costs, risks and effects of alternative approaches were not adequately dealt with, nor were proposals clearly linked to other IT investment and development projects.

no 7 Select proposals for implementation: Investment decisions were not always based on clear descriptions of a proposal's expected business benefits and implementation risks. Decision-makers were thereby prevented from obtaining a clear and comprehensive understanding of an investment proposal.

no 8 Manage/control implementation: Governance of the IT projects was exercised at too low a management level. IT projects were also inadequately integrated into other development projects and into the evolution of the environments in which the IT systems were intended to operate or which they were intended to support.

no 9 Manage/control implementation: Shortcomings in changing working methods and in staff and organisation development. The management and control of individual business projects was geared more to reacting to problems as they arose than to systematic risk assessment. Well-established methods and models for managing and undertaking development work were not used consistently.

no 10 Knowledge management: Experiences and knowledge of the different components of the INVIT process were not utilised in a systematic way; this is an area for improvement. It was difficult to obtain an overview of the knowledge that existed, and to gain access to it when it was needed.

no 11 Create and maintain the INVIT process: The agencies, despite their extensive experience of IT investment, had considerable shortcomings in their direction and governance of investment processes. Only one of the agencies had developed any procedures for using experiences from investment projects already carried out.

no 12 Initially we thought that the five chosen agencies were rather good at IT governance. The audit showed that, even though they were very experienced IT users and heavily dependent on IT, there were some serious obstacles. To sum up, there was a large potential for development of the entire IT investment process.

no 13 Auditing the development of electronic government. In the years 2002 – 2003: How well are government web sites adapted to the needs and prerequisites of the individual user? In the years 2003 – 2004: How effective is the direction of the Cabinet in transforming the public government into an electronic government?

no The agencies' websites and the e-services offered did not promote an efficient dialogue, and also failed to meet certain accessibility requirements. Government agencies had difficulty in developing good e-services. There was a great risk of deficiencies in electronic communication. Problems in producing good e-services based on inter-agency collaboration.

no The Cabinet's direction was very limited as regards the types of e-services to which the agencies should give priority. The Cabinet had chosen to direct the development of the support provided to public administration. The Cabinet's follow-up was inadequately developed. The Cabinet's reports to the Swedish Parliament contained no information about the effects of the e-government efforts. The Cabinet has constantly maintained that Sweden is well to the fore internationally.

no 16 Information Security audits

no 17 What is Information Security Management (ISM)? Protecting information assets against manipulation and destruction, preserving availability, and preserving confidentiality and the audit trail.

no 18 Our choice. The two avenues: 1. Substantive audit of actual security. 2. Internal control: ISM.

no 19 What do we want to establish? Whether internal control of information security work is carried out according to the material parts of ISO and Swedish regulations. Focus: management.

no 20 Whether the government is taking responsibility for its agencies' information security.

no 21 Reports. To the auditees: 10 individual reports on the problems found and suggested remedies. To the Cabinet and Parliament: is there sufficient control, support and guidance for the agencies? Our annual report 2007.

no 22 Some results. Important parts of the ISMS missing or defective: control environment (leadership attitudes, IS objectives), risk analysis (methods, responsibilities, comprehensiveness), reporting upwards, follow-up, IS education, etc.

no 23 More results. Priority given to technical measures rather than to attitudes, skills and behaviour. Leadership interest, attitudes and competence as to ISM.

no 24 Leadership's role in ISM. What it isn't: being held hostage to technical decisions. Formulate security requirements coupled to the agency's goals. Define the agency's appetite for risk. Check the residual risk.

no 25 More on the role. Decide on reporting routines to management. Decide on resources for IS. Check how they are used: relate cost to the age structure of the IT systems, etc.

no 26 Conclusion: The ISMS does not, in most cases, form a comprehensive system (follow-up, reporting, responsibilities).

no 27 More conclusions. Conclusion: tools for leadership are missing, making it hard for top management to lead IS work. Conclusion: the potential of investment in IS is not well exploited; the amount of resources invested and the costs are not even known!

no 28 Key lessons and conclusions. We chose agencies that are heavily dependent on IT and have many years of experience in governing the use of IT. Still, there is a significant lack of capability in leadership at all levels. There is an urgent need for stronger IT governance at both top management and Cabinet level to ensure that the right IT services will be conceived, developed and implemented, and that these services will meet all important requirements of information security. This is extremely important in the transition to electronic government.