![Page 1: No 1 IT Governance – how to get the right and secured IT services Bjorn Undall and Bengt E W Andersson The Swedish National Audit Office Oman 2007-03-03](https://reader036.vdocuments.net/reader036/viewer/2022062511/5514a34d550346b2598b5be1/html5/thumbnails/1.jpg)
no 1
IT Governance
– how to get the right and secured IT services
Bjorn Undall and Bengt E W Andersson
The Swedish National Audit Office
Oman
2007-03-03
no 2
How to become excellent IT users and at the same time how to guarantee safety in the use of information and IT-services?
Experiences and conclusions from 15 IT audit projects during 2002 - 2007
no 3
The Cabinet expresses:
• A strong need for government agencies to become excellent IT users. One important area is the development of electronic government services (e-services).
• A strong need for secure IT services (the protection of the confidentiality, integrity, availability and traceability of data, and also the protection of IT systems).
no 4
The essential components of an efficient INVIT process:
• Identify and develop investment proposal
• Assess the investment proposal
• Select and approve
• Manage the implementation
• Knowledge management
• Develop and maintain INVIT processes
no 5
Develop proposals. Agencies:
• did not elicit good ideas as to how their operations could be developed using IT
• had difficulties in making business development strategies sufficiently specific to support change proposals
• rarely undertook systematic reviews of their business activities
no 6
Assess proposals:
• The investment ideas did not link in well enough to their operational strategies, which increased the risk of the ideas not leading to the business benefits sought by each agency.
• Proposals setting out the comparative costs, risks and effects of alternative approaches were not adequately dealt with,
• nor were proposals clearly linked to other IT investment and development projects.
no 7
Select proposals for implementation:
• Investment decisions were not always based on clear descriptions of a proposal’s expected business benefits and implementation risks.
• Decision-makers were prevented from obtaining a clear and comprehensive understanding of an investment proposal.
no 8
Manage/control implementation:
• Governance of the IT projects was exercised at too low a management level.
• IT projects were also inadequately integrated into other development projects and into the evolution of the environments in which the IT systems were intended to operate or which they were intended to support.
no 9
Manage/control implementation:
• Shortcomings as to changing working methods and as to staff and organisation development.
• The management and control of individual business projects was more geared to reacting to problems as they arose than to systematic risk assessment.
• Well-established methods and models for managing and undertaking development work were not used consistently.
no 10
Knowledge management:
• Experiences and knowledge of different components of the INVIT process were not utilised in a systematic way; an area for improvement.
• It was difficult to obtain an overview of the knowledge that exists, and to gain access to it when it was needed.
no 11
Create and maintain the INVIT process:
• The agencies, despite their large experience of IT investment, had considerable shortcomings in their direction and governance of investment processes.
• Only one of the agencies had developed some procedures to use experiences from investment projects already carried out.
no 12
Initially we thought that the five chosen agencies were rather good at IT governance. The audit showed that even though they were very experienced IT users and heavily dependent on IT, there were some serious obstacles. To sum up, there was a large potential for development of the entire IT investment process.
no 13
Auditing the development of electronic government
In the years 2002 – 2003: How well are government web sites adapted to the needs and prerequisites of the individual user?
In the years 2003 – 2004: How effective is the direction of the Cabinet in transforming the public government into an electronic government?
no 14
• 2002. The agencies’ websites and the e‑services offered did not promote an efficient dialogue, and also failed to meet certain accessibility requirements.
• 2004. Government agencies had difficulty in developing good e‑services.
• 2004. A great risk of deficiencies in the electronic communication.
• 2004. Problems in producing good e‑services based on inter-agency collaboration.
no 15
• 2004. The Cabinet’s direction was very limited as regards the types of e‑services to which the agencies should give priority.
• The Cabinet had chosen to direct the development of the support provided to public administration
• The Cabinet’s follow-up was inadequately developed,
• The Cabinet’s reports to the Swedish Parliament contained no information about the effects of the e‑government efforts.
• The Cabinet has constantly maintained that Sweden is well to the fore internationally.
no 16
Information Security audits
no 17
What is Information Security Management (ISM)? Protecting information assets:
• against manipulation and destruction
• preserving availability
• preserving confidentiality
• and the audit trail
no 18
Our choice
• The two avenues:
  1. Substantive audit of actual security
  2. Internal control: ISM
no 19
What do we want to establish?
• Whether internal control of information security work is carried out according to the material parts of ISO 17799 plus Swedish regulations. Focus: management.
no 20
• Whether government is taking responsibility for its agencies’ information security.
no 21
Reports
• To the auditees: 10 individual reports on problems found and suggested remedies
• To Cabinet and parliament: is there sufficient control, support and guidance for the agencies?
• Our annual report 2007
no 22
Some results
• Important parts of ISMS missing or defective: control environment (leadership attitudes, IS-objectives), risk analysis (methods, responsibilities, comprehensiveness), reporting upwards, follow-up, IS education….
no 23
More results
• Priority to tech measures rather than attitudes, skills and behavior
• Leadership interest, attitudes and competence as to ISM
no 24
Leadership’s role in ISM
• What it isn’t: being a hostage to technical decisions
• Formulate security requirements coupled to the agency’s goals
• Define the agency’s appetite for risk
• Check the residual risk
no 25
More on role
• Decide on reporting routines to management
• Decide on resources for IS
• Check how they are used: relate cost to the age structure of IT systems, etc.
no 26
• Conclusion: The ISMS does not - in most cases - form a comprehensive system (follow-up, reporting, responsibilities)
no 27
More conclusions
• Conclusion: tools for leadership are missing, making it hard for top management to lead IS work.
• Conclusion: the potential of investment in IS is not well exploited. The amount of resources invested and the costs are not even known!
no 28
Key lessons and conclusions
• We have chosen agencies that are heavily dependent on IT and with many years of experience in governing the use of IT.
• Still, there is a significant lack of capability in leadership at all levels.
• There is an urgent need for stronger IT governance at both top management and Cabinet level to ensure that the right IT services will be conceived, developed and implemented, and that these services will meet all important requirements of information security.
• This is extremely important in the transition to electronic government.