IT Governance Standard
GOVERNMENT ICT STANDARDS
The ICT Authority is a State Corporation under the State Corporations Act 446
www.icta.go.ke
First Edition 2016
© ICTA 2016. All rights reserved
IT Governance Standard ICTA. 5.001: 2016
CONTENTS
FOREWORD
1. Introduction
1.1 Description of standard
2. Scope
3. Application
4. Normative references
5. Definitions
6. Abbreviations
7. Sub-domains
7.1 IT service management
7.2 Project Management
7.3 Legal and regulatory
7.4 Performance measurement to support IT governance
7.5 Risk management
7.6 Resource management
8. Requirements
ANNEX
Annex A: IT Service Management
Annex B: IT Project Management
Annex C: Legal and Regulatory
Annex D: Performance management
Annex E: Risk management
Annex F: IT Resource management
Appendix 1: Compliance Checklist for IT Service Management
Appendix 2: Compliance Checklist for IT Project Management
Appendix 3: Compliance Checklist for IT Legal and regulatory
Appendix 4: Compliance Checklist for Performance management
Appendix 5: Compliance checklist for Risk management
Appendix 6: Compliance Checklist for IT Resource management
Appendix 7: GoK Project Management Governance Structure
Appendix 8: Sample Project governance roles
Appendix 9: Project management documentation
Appendix 10: Project management stages and activities
Appendix 11: Project documentation development
Appendix 12: A generic project governance model for larger, more complex projects
Appendix 13: Sample Outcome Realisation data for the Project Business Plan
Appendix 14: Stakeholder engagement process
Appendix 15: Stakeholder engagement process
Appendix 16: Elements of the risk management process
Appendix 17: Risk matrix for grading risks
Appendix 18: Recommended actions for grades of risk
Appendix 19: Issue management flowchart
Appendix 20: Example of a Project Issues Register
Appendix 21: Project closure
Appendix 22: Sample Service Management structure (ITIL) for Small organizations
Appendix 23: Sample Service Management structure (ITIL) for Large organizations
Appendix 24: Service desk 1st level, 2nd level and 3rd level support definitions
Appendix 25: Sample ICT Strategy Format
Appendix 26: Who needs to be involved in Legal contracts
Appendix 27: Risk management process
Appendix 28: Accreditation of Contractors and Suppliers
Appendix 29: Accreditation of IT Professionals
Appendix 30: Government ICT Project Governance Structures
Appendix 31: Audit for Outsourced Applications
Appendix 32: Related Documents
ICTA STANDARDS DESCRIPTION
S/No, Thematic Area, Standard, Brief Description

1. Infrastructure
ICTA-2.001:2016 Network Standard: Provides compliant requirements for design, installations and management of all categories of IT Networks to be deployed in government.
ICTA-2.001:2016 Data Center Standard: Provides compliant requirements for design, installations and management of government data centers.
ICTA-2.001:2016 Cloud Computing Standard: Provides compliant requirements for design, installations and management of cloud computing infrastructures for government.
ICTA-2.001:2016 End-User Equipment Standard: Provides the minimum specifications for all computing devices being deployed in government.

2. Systems & Applications
ICTA-6.001:2016 Systems & Applications Standard: Provides compliant requirements for design, installations and management of all government Software and applications Systems.

3. IT Security
ICTA-3.001:2016 Information Security Standard: Provides compliant requirements for design, installations and management of Information Technology Security in government.

4. Electronic records management
ICTA-4.001:2016 Electronic records and Data Management Standard: Provides compliant requirements for management of government electronic records and data.

5. IT Governance
ICTA. 5.001: 2016 IT Governance Standard: Provides compliant requirements for IT Governance in government. This includes compliance requirements for government IT service providers and Professional Staff.

6. ICT Human Capacity
ICTA.7.001:2016 ICT Human Capital and Work force Development Standard: Provides compliant requirements for development of Human Capital capacity for deployment and support for government ICT infrastructure and services.
REVISION OF ICT STANDARDS
In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed. Suggestions for improvements to published standards, addressed to the Chief Executive Officer, ICT Authority, are welcome. The Standard Review Board will consider the requests during their quarterly meetings and, if appropriate, recommend them to be incorporated during the annual review of the Standard.
© ICT Authority 2016
Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section 26 of this Act, no Standard produced by ICTA may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from the Chief Executive Officer.
DOCUMENT CONTROL
Document Name: IT Governance Standard
Prepared by: IT Governance Standard Technical Committee
Edition: First Edition
Approved by: Board of Directors
Date Approved: 11th August 2016
Date of Operationalization: 1st January 2017
Next Review Date: After 3 years
FOREWORD
The ICT Authority has an express mandate to, among others, set and enforce ICT standards and guidelines across all aspects of information and communication technology, including systems, infrastructure, processes, human resources and technology for the public service. The overall purpose of this specific mandate is to ensure a coherent and unified approach to the acquisition, deployment, management and operation of ICTs across the public service, including state agencies, in order to promote service integration, adaptability and cost savings through economies of scale in ICT investments.
In pursuit of this mandate, the Authority established a Standards Committee to identify the critical standards domain areas and to oversee the standards development process. A total of nine standards falling under six different domain areas were identified by the committee as relevant for government ICT standards. All the identified standards were developed through a process which took into consideration international requirements, government requirements, stakeholder participation and industry/sector best practices. In order to conform to the format of other existing national standards, the committee adopted the Kenya Bureau of Standards (KEBS) format and procedure for standards development. In addition, through Memoranda of Understanding, KEBS has made an invaluable contribution to the development of ICT Authority standards.
The ICTA IT Governance Standard, which falls under the overall Government Enterprise Architecture (GEA), has therefore been prepared in accordance with KEBS standards development guidelines.
The Authority has the oversight role and responsibility for management and enforcement of this standard. The review and approval of the standard is done by the ICTA Board upon recommendation of the Standard Review Board. The Authority shall carry out quarterly audits in all Ministries, Counties and Agencies (MCAs) to determine their compliance with this Standard.
The Authority will issue a certificate of compliance to an agency upon completion of the audit assessment. For non-compliant agencies, a report detailing the extent of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board, which will advise on the action to take.
All government agencies are required to ensure full compliance with this standard for effective and efficient service delivery to the citizen. The compliance period is six months from the effective date.
Kiprono Rono P., Director, Programmes and Standards
1. Introduction
IT Governance is part of the wider corporate governance activity but with a specific focus on IT. It covers the culture, organization, policies and practices that provide oversight and transparency of IT. For an organization's investment in IT to deliver full value, IT has to be fully aligned with business strategies. The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures but also engender greater trust, teamwork and confidence in the use of IT itself and in the people entrusted with IT services.
The biggest risk and concern to government today is failing to align IT to real business needs, and failing to deliver, or to be seen to deliver, value to the business. Since IT can have such a dramatic effect on MCA performance and competitiveness, a failure to manage IT effectively can have a very serious impact on the organization as a whole.
The current climate of cost reduction and budget restriction has resulted in a new norm: there is an expectation that IT resources should always be used as efficiently as possible and that steps are taken to organize these IT resources ready for the next cycle of growth and new IT developments. A key aspect of these factors is the increasing use of third-party service providers and the need to manage these suppliers properly to avoid costly and damaging service failures.
In addition, this standard recognizes the critical role the IT function plays in an organization and the need to place it on a par with other core functions in terms of reporting lines.
IT governance shall assist MCAs to:
• Be sure that they are aware of all IT-related risks likely to have an impact on their organization;
• Know how to improve the management processes within IT to manage these risks;
• Ensure there are manageable relationships with suppliers, service providers and with the business (customers);
• Contract and manage IT suppliers with the expected level of performance;
• Ensure there is transparent and understandable communication of these IT activities and management processes to satisfy interested stakeholders;
• Ensure the IT function reports directly to the Chief Executive Officer;
• Recruit and maintain IT professionals who are competent and regulated.
IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules. It requires a commitment from top management of the organization to instill a better way of dealing with the management and control of IT. IT Governance is an ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment.
IT governance shall result in:
a. Transparency and accountability
- Improved transparency of IT costs, IT processes and the IT portfolio (projects and services).
- Clarified decision-making accountabilities and definition of user and provider relationships.
b. Return on investment
- Improved understanding of overall IT costs and their input to ROI cases.
- Combining focused cost-cutting with an ability to make the case for investment.
- Stakeholders are able to see IT risks and returns.
c. Opportunities and Partnerships
- Provides a route to realize opportunities that might not otherwise receive attention or sponsorship.
- Positions IT as a business partner (and clarifies what sort of business partner IT is).
- Facilitates joint ventures with other organizations.
- Facilitates more business-like relationships with key IT partners (vendors and suppliers).
- Achieves a consistent approach to taking risks.
- Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa.
- Improves responsiveness to challenges and opportunities.
d. External Compliance
- Enables an integrated approach to meeting government legal and regulatory requirements.
1.1 Description of standard
IT governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
2. Scope
IT Governance spans the culture, organization, policy and practices that provide for IT management and control across five key areas:
• Alignment: Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.
• Value delivery: Confirm that the IT/Business organization is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.
• Risk Management: Ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.
• Resource management: Provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements. Ensure competent human resources with the desired ethical behaviours and norms.
• Performance: Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value). Ensure that IT service providers are regulated and managed so as to maintain the expected level of performance in delivery of their services to government.
3. Application
This standard applies to:
• Central Government of Kenya
• County Governments
• Constitutional Commissions
• State Corporations
• Government Institutions
4. Normative references
The following standards contain provisions which, through reference in this text, constitute provisions of this standard.
All standards are subject to revision and, since any reference to a standard is deemed to be a reference to the latest edition of that standard, parties to agreements based on this standard are encouraged to take steps to ensure the use of the most recent editions of the standards indicated below. Information on currently valid national and international standards can be obtained from Kenya Bureau of Standards.
• COBIT 5
• PRINCE2
• ITIL
Managers of projects dealing with software products or software-intensive systems may find the contents of the PMBOK® Guide and ISO 10006:2003 helpful in managing their projects to a successful conclusion.
5. Definitions
5.1 Enterprise Architecture
An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.
5.2 Service desk
A Service Desk is a primary IT function within the discipline of IT service management. It is intended to provide a Single Point of Contact to meet the communication needs of both users and IT staff.
6. Abbreviations
EA Enterprise Architecture
WAN Wide Area Network
LAN Local Area Network
SLA Service Level Agreement
MCA Ministry, County and Agency
ICTA ICT Authority
ROI Return on Investment
NEMA National Environment Management Authority
CIO Chief Information Officer
QOS Quality of Service
COBIT Control Objectives for IT
PMBOK Project Management Book
SWOT Strength Weakness Opportunity and Threat
7. Sub-domains
7.1 IT service management
- IT service strategy
- IT service design
- IT service transition
- IT service operations
- IT continuous service improvement
7.2 Project Management
- Project governance
- Project initiation
- Project planning
- Analysis and design
- Project building and testing
- Project implementation
- Project completion and commissioning
7.3 Legal and regulatory
- Kenya laws on ICT
- Responsibilities and Authorities
- ICTA Legal Notice No. 183
7.4 Performance measurement to support IT governance
- IT service management
- Project management
- Legal and regulatory
- Risk and resource management
7.5 Risk management
- Develop a framework
- Identify risk
- Identify risk owners
- Evaluate the risk
- Identify and enforce possible response to the risk
7.6 Resource management
- Management of IT resources
- Capacity building
- Tools
- Change management
- Innovation
8 Requirements
Sub domain, Description, Requirement

IT service management
Description: IT shall be governed to ensure alignment and support to business goals. MCAs shall ensure that the IT function reports directly to the accounting officer.
Requirement: Annex A

IT Project management
Description: IT projects shall be governed to ensure value delivery. MCAs shall establish a Project Steering Committee and Project Technical Committees to manage IT projects.
Requirement: Annex B

Legal and regulatory
Description: Every MCA shall identify the specific regulations affecting it and respond accordingly, and ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholders so that each group can apply its specific expertise effectively.
Requirement: Annex C

Performance measurement to support IT governance
Description: Performance measurement shall be conducted to verify the achievement of strategic IT objectives and provide for a review of IT performance and the contribution of IT to the business (i.e. delivery of promised business value). MCAs shall ensure that suppliers of IT services to government have a valid certificate from the ICT Authority.
Requirement: Annex D

Risk management
Description: MCAs shall put processes in place to ensure that risks have been adequately managed.
Requirement: Annex E

Resource Management
Description: MCAs shall provide high-level direction for sourcing and use of IT resources. They shall oversee the aggregate funding of IT at enterprise level and ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements. They shall ensure that staff working in the IT function have a valid license from the ICT Authority.
Requirement: Annex F
ANNEX
Annex A: IT Service Management
Subject Requirement
IT Service Strategy
IT strategy management
MCAs shall ensure that the IT function reports directly to the accounting officer and has an approved ICT strategy.
MCAs shall establish their Enterprise Architecture [EA] framework which gives detail of all the IT services and their integrations.
IT shall be a strategic objective in the overall strategic plan of the MCAs
The strategy shall have IT vision and mission
The strategy shall define how the MCA plans to improve internal services, services to business and citizens
The strategy shall be developed with input from internal and external stakeholders.
The strategy shall include a SWOT assessment
The strategy shall define specific tasks and responsibilities for achieving service improvement
The strategy shall be implemented to create new and improved services
Service portfolio management
MCA shall have a service charter for IT enabled services
The charter shall define the desired outcomes of the services
The charter shall define the assets required to offer the services
MCA shall annually review the usage volume of the IT enabled services and customer satisfaction and ensure they are economically viable
Financial management for IT services
The MCA shall allocate funds for ICT activities through the annual budget. The ratio of ICT to institutional budget shall be at 5%
The budget shall be linked to the ICT strategy
The budget shall be allocated for development and recurrent purposes
The development budget shall cover WAN, LAN, acquisition of end user devices, software acquisition and ICT training
The recurrent budget shall cover ICT infrastructure maintenance and servicing
Business Relationship Management
MCA shall conduct and document customer satisfaction surveys on IT enabled services annually for internal and external customers
MCAs shall have a system to track customer complaints, compliments and resolution
MCA shall conduct training and awareness programs annually to sensitize internal and external customers on IT enabled services
IT Service Design
Service level management
MCA shall develop and sign service level agreements (SLAs) with service providers (internet, systems support, maintenance, etc.) to ensure availability and reliability of IT enabled services
The SLA shall define service level targets.
MCA shall monitor achievement of service levels and compare them with agreed service level targets in the SLA
SLA shall have accountability mechanisms for failure to meet service levels
MCA shall monitor and report on achievement of service levels and compare them with agreed service levels
Availability management
MCAs shall develop and implement quarterly preventive maintenance plans for IT equipment
MCAs shall develop and maintain manuals on how to operate and maintain systems and equipment
MCAs shall develop a disaster recovery plan for all services including recovering data
IT infrastructure Capacity management
MCAs shall annually evaluate the capacity of IT infrastructure to understand and document the current environment. The ICT Authority shall assist in this evaluation
MCAs shall establish a framework for IT infrastructure improvement
MCAs shall set realistic targets for IT infrastructure improvement, prioritize gaps and propose achievable solutions
Information security management
MCAs shall establish an information security management framework as guided by the information security standard
Architecture management
MCAs shall define enterprise architecture for the MCA aligned to the Kenya Government Enterprise Architecture. The architecture is the blueprint for future development of the technological landscape in the MCA
Supplier management
All ICT suppliers and contractors providing ICT services to Government shall be registered by ICT Authority as per Appendix 28 of the standard
Preference will be given to local suppliers and contractors in the spirit of Buy Kenya, Build Kenya
Volume licenses/ bulk procurement of ICT services/goods shall be negotiated by ICT Authority
IT Service Transition
IT service change management
MCAs shall develop a policy to ensure that any changes to IT enabled services are conducted with minimal disruption to services
IT project management
IT projects shall be conducted as per the project management standards on Annex B.1
Application development
Application acquisition, development and maintenance shall be done as per the standard on systems and applications
Asset and management
MCAs shall develop and update an inventory of all ICT assets. The inventory system shall be automated to show relationships between these assets
Knowledge management
MCAs shall acquire and utilize an IT service management system that shall contain a database of common IT service problems and how to solve them
IT Service operations
Service desk
MCAs shall establish an IT service desk management system to handle all requests from end users
The service desk shall have 1st, 2nd and third level support
The service desk shall develop and document standard operation procedures for IT services
IT Governance Standard ICTA. 5.001: 2016
The ICT Authority is a State Corporation under the State Corporations Act 446 www.icta.go.ke
Subject Requirement
IT operations control
MCAs shall designate staff to manage the day to day operational activities in IT (e.g. backup, routine maintenance, print and output management, installations) to ensure they are done in a reliable and timely manner
IT Continuous service improvement
Service and process performance review
MCAs shall conduct annual performance reviews of IT processes and IT enabled services and develop a report. The review shall include suggestions for improvement. MCAs may seek assistance from ICT Authority
MCAs shall conduct benchmarking with the aim of identifying shortcoming and developing plans for improvement
MCAs shall in collaboration with ICT Authority, conduct regular system audits for all systems to ensure compliance with ICTA security standard (ICTA 3.001:2016). For outsourced systems, the audit on Appendix 31 shall be done.
Annex B: IT Project Management
Subject Requirement
Project Governance
MCAs shall ensure that governance of all ICT projects complies with the governance structures as per Appendix 7 and Appendix 30
The project shall be implemented based on an agreed project methodology
Project initiation
The project shall have an objective and documented business case/ project proposal
The proposal shall define expected benefits/outputs and outcomes
The project shall have appropriate approval
Project planning
The project shall have a project management plan with activity schedules
The project shall have risk management and communication plan
The project shall have an implementation, testing and training strategy
The Project shall have a stakeholder management plan
Analysis and design
The project shall have user requirements
The project shall have user systems and technical specifications
The project shall have system acceptance test plan
Project Building and testing
There shall be a development and test environment
There shall be operational and training procedures
There shall be detailed test plans
Project Implementation
There shall be a system installation and migration plan
There shall be a data conversion plan
There shall be a training and contingency plan
Completion
There shall be a post implementation review report
There shall be a documented system support group
There shall be project closure sign off
Annex C: Legal and Regulatory
Subject Requirements
Kenya laws on ICT
MCAs shall identify the specific regulations affecting IT in their organizations and respond accordingly. The Kenya laws on ICT include:
i. Data and privacy protection Bill- Information security, E-records management
ii. Intellectual Property, Trademarks and Copyright act- End user devices standard, Systems and applications, cloud computing, information security
iii. Kenya Electronic Communication act 2012- E- records management, Systems and applications
iv. NEMA guidelines on E-waste- End user devices standard
v. Cyber security legislations- Information security
vi. Critical infrastructure legislations- Infrastructure standards
vii. PPOA- End user devices standard, cloud computing, systems and applications, infrastructure
viii. Government contracts act- IT governance, Information security, Systems and applications, Cloud computing
ix. Constitution of Kenya
x. Cyber crime and computer related crimes bill- Information security, systems and applications
xi. Information privacy laws- Information security, Cloud computing
xii. Public officers ethics act- End user devices standard, IT governance, Systems and applications
xiii. Government proceedings act- End user devices, information security, cloud computing
xiv. Official secrets act- Information security
xv. Public archives and documentation service act- E-records management
xvi. Employment and employee liability- End user devices standard, Information security, Systems and applications,
xvii. Evidence act- E-records management
xviii. Records disposal act- E-records management
xix. Physical planning act- Network Standard
xx. Occupiers liability act- Network standard
xxi. Occupational safety and health act- E-records management
Roles and responsibilities
The IT function in MCAs shall seek advice from HR, Legal and Audit whenever legal contracts are challenging, risky or complex.
External advice shall also be sought as per Appendix 22.
MCAs shall build in the need for third party testing (ICT Authority) as required.
Annex D: Performance management
To support IT Governance, the following top fifteen areas shall be measured by MCAs.
Area of measurement Requirement
IT service management
Business & IT alignment
Overall financial performance (costs v. budgets)
Performance with respect to reliability and availability of critical services
Complaints (QOS) and customer perception
Number of significant reactive fixes to errors
SLA performance by third parties
Relationships with suppliers (quality & value)
Capability e.g. process maturity
Internal and external benchmarks
Business continuity status
Project management
Major project delivery performance (objectives, time and budget)
ROI for IT investments (business benefit)
Risk management
Status of critical risks
Audit weaknesses
Resource management
Human Resource measures for people involved in IT activities
Annex E: Risk management
To support IT Governance, MCAs shall ensure that new risks are identified and handled in a timely manner by doing the following.
Subject Requirement
Define a framework
MCAs shall ensure the following staff are trained in risk management in their specific areas (e.g. CobiT, ISO17799, ITIL, ISO9000, PMBOK and Prince2):
• IT Auditors
• IT Project Managers
• IT Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers
MCAs shall conduct benchmarking to compare how risk management is being addressed within the organization in relation to best practice, industry peer groups and other organizations.
Subject Requirement
Identify risks
MCAs shall ensure that new risks are identified in a timely manner and provide advice
The following risks shall be identified:
• Business specific risk (e.g. Operational risk of mandate not being delivered)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer request system)
Identify probable risk owners
Auditors shall provide initial momentum by highlighting to senior management inadequate risk management practices or specific risks that are not being adequately addressed
Responsibility shall be allocated at a senior level for managing key risks
Every risk shall have an owner; there may be separate owners for the actions to mitigate the risks. Anyone allocated ownership shall have the authority to take on the responsibility and they shall be aware that they are the designated owner
MCAs shall adopt a mechanism for reporting issues, ultimately to the individual who has to retain overall responsibility
Evaluate the risks
MCAs shall set acceptable levels of risk
MCAs shall develop a risk register. The risk register shall have a prioritized list of risks which must be subsequently addressed.
Identify suitable response to risk
Dependent on the type of risk and its significance to the business, management and the board may choose to:
• Mitigate, by implementing controls
• Transfer, by sharing risk
• Accept, by formally acknowledging that the risk exists and monitoring it
Annex F: IT Resource management
To support IT Governance, MCAs shall establish structures to manage IT resources
Subject Requirements
Accreditation of IT professionals
All IT professionals in the public service shall be accredited by ICT Authority as per requirements on Appendix 29
Management of ICT services
The MCAs shall have an ICT department
The ICT department shall have a Chief Information officer (CIO)
The ICT function shall report to the CEO of the institution
The ICT function shall utilize ICT standards to ensure optimal IT resource and service management
Subject Requirements
Capacity building
MCAs shall have an IT staff establishment and scheme of service which shall be fulfilled
The IT establishment shall cover all the relevant IT technical categories i.e Basic support, Network, systems and database administration, IT service management, IT project management, Web administrators, information security officers, other contextual IT roles
Effective recruitment, retention and training programmes shall be established to ensure that the MCA has the skills to utilise IT effectively to achieve the stated objectives
MCAs shall develop and implement ICT training policy in line with ICT human resource development standard
The policy shall define required ICT qualifications for different cadres of staff as per the ICT human capacity standard
IT education, training and development needs shall be fully identified and addressed for all staff regularly
IT staff shall be trained on professional courses, ethics and code of conduct outlined in the ICT Human Capacity Development Standard
Tools
ICT personnel shall be issued the relevant software and hardware tools to manage IT resources (e.g. for user support, hardware maintenance, IT service and project management, application development)
Change management
Change management shall be handled as per the information security standard Annex A.4
MCAs shall establish mentorship programs to ensure transfer of knowledge
Innovation
MCAs shall establish a resource centre for IT research and innovation
The resource centre shall manage knowledge through databases and online resources to spur innovation
Appendix 1: Compliance Checklist for IT Service Management
Subject Requirement Compliance
Yes/No Comment
IT Service Strategy
IT strategy management
The MCA has an IT function reporting directly to the accounting officer and has an approved ICT strategy?
The MCA has an Enterprise Architecture (EA) framework which gives detail of all the IT services and their integrations?
IT is a strategic objective in the overall strategic plan of the MCA?
The strategy has an IT vision and mission?
The strategy defines how the MCA plans to improve internal services, services to business and citizens?
Subject Requirement Compliance
Yes/No Comment
The strategy was developed with input from internal and external stakeholders?
The strategy includes a SWOT assessment?
The strategy defines specific tasks and responsibilities for achieving service improvement?
Service portfolio management
MCA has a service charter for IT enabled services?
The charter defines the desired outcomes of the services?
The charter defines the assets required to offer the services?
The MCA annually reviews the usage volume of the IT enabled services and customer satisfaction and ensures they are viable?
Financial management for IT services
The MCA allocates funds for ICT activities through the annual budget? The ratio of ICT to institutional budget is 5%?
The budget is linked to the ICT strategy?
The budget is allocated for development and recurrent purposes?
The development budget covers WAN, LAN, acquisition of end user devices, software acquisition and ICT training?
The recurrent budget covers ICT infrastructure maintenance and servicing?
Business Relationship Management
MCA conducts and documents customer satisfaction surveys on IT enabled services annually for internal and external customers?
MCA has a system to track customer complaints, compliments and resolution?
The MCA conducts training and awareness programs annually to sensitize internal and external customers on IT enabled services?
IT Service Design
Service level management
The MCA has developed and signed service level agreements (SLAs) with service providers (internet, systems support, maintenance, etc.) to ensure availability and reliability of IT enabled services?
The SLA defines service level targets?
MCA monitors achievement of service levels and compares them with agreed service level targets in the SLA?
SLA has accountability mechanisms for failure to meet service levels?
Subject Requirement Compliance
Yes/No Comment
The MCA monitors and reports on achievement of service levels and compares them with agreed service levels?
Availability management
MCA has developed and implemented quarterly preventive maintenance plans for IT equipment?
MCA has developed and maintained manuals on how to operate and maintain systems and equipment?
MCA has developed a disaster recovery plan for all services including recovering data?
IT infrastructure Capacity management
MCA annually evaluates the capacity of IT infrastructure to understand and document the current environment
MCA has set realistic targets for IT infrastructure improvement, prioritized gaps and proposed achievable solutions
Information security management
MCA has established an information security management framework as guided by the information security standard
Architecture management
MCA has defined enterprise architecture aligned to the Kenya Government Enterprise Architecture
Supplier management
All ICT suppliers and contractors providing ICT services to Government are registered by ICT Authority as per Appendix 28 of the standard?
Preference is given to local suppliers and contractors in the spirit of Buy Kenya, Build Kenya?
Volume licenses / bulk procurement of ICT services are negotiated by ICT Authority?
IT Service Transition
IT service change management
MCA has developed a policy to ensure that any changes to IT enabled services are conducted with minimal disruption to services
IT project management
IT projects are conducted as per the project management standards on Annex B.1
Application development
Application acquisition, development and maintenance is done as per the standard on systems and applications?
Asset management
The MCA has developed and updated an inventory of all ICT assets? The inventory system is automated to show relationships between these assets?
Knowledge management
The MCA has acquired and utilized an IT service management system that contains a database of common IT service problems and how to solve them?
Subject Requirement Compliance
Yes/No Comment
IT Service operations
Service desk
The MCA has established an IT service desk management system to handle all requests from end users?
The service desk has 1st, 2nd and 3rd level support?
The service desk has developed and documented standard operation procedures for IT services?
IT operations control
The MCA has designated staff to manage the day to day operational activities in IT (e.g. backup, routine maintenance, print and output management, installations) to ensure they are done in a reliable and timely manner?
IT Continuous service improvement
Service and process performance review
The MCA has conducted annual performance reviews of IT processes and IT enabled services and developed a report. The review includes suggestions for improvement?
The MCA has conducted benchmarking with the aim of identifying shortcomings and developing plans for improvement?
MCAs conducts regular system audits to ensure compliance with security standards and regulatory requirements
Appendix 2: Compliance Checklist for IT Project Management
Subject Requirement Compliance
Yes/No Comments
Project Governance
The project governance structure complies with Appendix 7 and Appendix 30 of the standard?
The project has an implementation methodology?
Project initiation
The new project has an objective and documented business case/ project proposal?
The proposal defines expected benefits/outputs and outcomes?
The project has appropriate approval?
Project planning
The project has a project management plan with activity schedules?
The project has a risk management and communication plan?
The project has an implementation, testing and training strategy?
The project has a stakeholder management plan?
Analysis and design
The project has user requirements?
The project has user systems and technical specifications?
The project has a system acceptance test plan?
Project Building and testing
There is a development and test environment?
There are operational and training procedures?
There are detailed test plans?
Subject Requirement Compliance
Yes/No Comments
Project Implementation
There is a system installation and migration plan?
There is a data conversion plan?
There is a training and contingency plan?
Completion
There is a post implementation review report?
There is a documented system support group?
There is project closure sign off?
Appendix 3: Compliance Checklist for IT Legal and regulatory
Subject Requirements Compliance
Yes/No Comments
Kenya laws on ICT
The MCA has identified the specific regulations affecting IT in its organization and sensitized personnel? The Kenya laws on ICT include:
i. Data and privacy protection Bill- Information security, E-records management
ii. Intellectual Property, Trademarks and Copyright act- End user devices standard, Systems and applications, cloud computing, information security
iii. Kenya Electronic Communication act 2012- E- records management, Systems and applications
iv. NEMA guidelines on E-waste- End user devices standard
v. Cyber security bill- Information security
vi. Critical infrastructure bill- Infrastructure standards
vii. PPOA- End user devices standard, cloud computing, systems and applications, infrastructure
viii. Government contracts act- IT governance, Information security, Systems and applications, Cloud computing
ix. Constitution of Kenya
x. Cyber crime and computer related crimes bill- Information security, systems and applications
xi. Information privacy laws- Information security, Cloud computing
xii. Public officers ethics act- End user devices standard, IT governance, Systems and applications
xiii. Government proceedings act- End user devices, information security, cloud computing
xiv. Official secrets act- Information security
xv. Public archives and documentation service act- E-records management
xvi. Employment and employee liability- End user devices standard, Information security, Systems and applications
xvii. Evidence act- E-records management
xviii. Records disposal act- E-records management
xix. Physical planning act- Network Standard
xx. Occupiers liability act- Network standard
xxi. Occupational safety and health act- E-records management
Subject Requirements Compliance
Yes/No Comments
Roles and responsibilities
The IT function in the MCA seeks advice from HR, Legal and Audit whenever legal contracts are challenging, risky or complex?
The MCA has built in the need for third party testing (ICT Authority) as required?
Appendix 4: Compliance Checklist for Performance management
Do you agree with the following statements?
Area of measurement Requirement Compliance
Yes/No Comments
IT service management
Business & IT are aligned?
Costs are within budget?
Critical services are reliable and available?
Customers are satisfied with the quality of services?
The number of significant reactive fixes to IT errors is down?
Third parties adhere to SLAs?
There is quality and value in relationships with suppliers?
IT process capabilities are mature?
Internal and external benchmarks are done?
Business continuity status is optimal?
Project management
Projects are delivered within objectives, time and budget?
There is ROI for IT investments (business benefit)?
MCA has established Project Steering Committee as per standard?
MCA appoints Project Technical Team to run IT Projects?
Risk management
Critical risks are resolved?
Audit weaknesses are minimized?
Resource management
HR appraisal for people involved in IT activities is positive?
Appendix 5: Compliance checklist for Risk management
To support IT Governance, MCAs shall ensure that new risks are identified and handled in a timely manner by doing the following.
Subject Requirement Compliance
Yes/No Comments
Define a framework
The MCA has ensured the following staff are trained in risk management in their specific areas (e.g. CobiT, ISO17799, ITIL, ISO9000, PMBOK and Prince2)?
• IT Auditors
• IT Project Managers
• IT Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers
The MCA has conducted benchmarking to compare how risk management is being addressed within the organization in relation to best practice, industry peer groups and other organizations?
Identify risks
The MCA has ensured that new risks are identified in a timely manner?
The following risks are identified?
• Business specific risk (e.g. Operational risk of mandate not being delivered)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer request system)
Identify probable risk owners
Auditors provide initial momentum by highlighting to senior management inadequate risk management practices or specific risks that are not being adequately addressed?
Responsibility is allocated at a senior level for managing key risks?
Every risk has an owner?
The MCA has adopted a mechanism for reporting issues, ultimately to the individual who has to retain overall responsibility?
Evaluate the risks
The MCA has set acceptable levels of risk?
The MCA has developed a risk register. The risk register has a prioritized list of risks which must be subsequently addressed?
Identify suitable response to risk
The MCA has implemented suitable responses to risks?
Appendix 6: Compliance Checklist for IT Resource management
Subject Requirements Compliance
Yes/No Comment
Accreditation of IT professionals
IT staff are accredited by ICT Authority as per the standard?
Management of ICT services
The MCA IT function reports to the Accounting Officer?
The ICT department has a Chief Information officer (CIO)?
The Chief Information Officer (CIO) reports to the CEO of the institution?
The CIO has implemented ICTA standards to ensure optimal IT resource and service management?
Capacity building
The MCA has an IT staff establishment and scheme of service which is fulfilled?
The IT establishment covers all the relevant IT technical categories i.e Basic support, Network, systems and database administration, IT service management, IT project management, Web administrators, information security officers, other contextual IT roles?
Effective recruitment, retention and training programmes have been established to ensure that the MCA has the skills to utilise IT effectively to achieve the stated objectives?
MCA has developed and implemented ICT training policy in line with ICT human resource development standard?
The policy defines required ICT qualifications for different cadres of staff as per the ICT human capacity standard?
IT education, training and development needs are fully identified and addressed for all staff regularly?
IT staff are trained on professional courses, ethics and code of conduct outlined in the ICT Human Capacity Development Standard?
Tools
ICT personnel are issued the relevant software and hardware tools to manage IT resources (e.g. for user support, hardware maintenance, IT service and project management, application development)?
Change management
Change management is handled as per the information security standard Annex A.4?
The MCA has established mentorship programs to ensure transfer of knowledge?
Innovation
The MCA has established a resource centre for IT research and innovation?
The resource centre manages knowledge through databases and online resources to spur innovation?
Appendix 7: GoK Project Management Governance Structure
Source: ICT master plan
Appendix 8: Sample Project governance roles
Project Role Accountabilities, responsibilities and tasks
Corporate Client
- Has ultimate authority in large, complex or politically driven projects.
- Is the champion of the project, promotes the benefits of the project to the community and may be viewed as the ‘public face’ of the project. For example, the Corporate Client may be the Premier, Minister of the State or Head of Agency.
- May also be the Project Funder. In a small, less complex project, there would be no Corporate Client, but the Project Sponsor would act as the champion of the project, and fulfil the role of the Project Champion.
Project Sponsor
- Ultimately accountable and responsible for the project, and is sometimes referred to as the Project Owner.
- Responsible for attainment of the agreed Project Target Outcomes. The Target Outcomes should be secured before the project is closed formally.
- Member of the Steering Committee, and is usually the Committee Chair. For projects where there is no Steering Committee, the Sponsor assumes responsibility for approving the project scope and all subsequent decision-making.
- Oversight of the business management and project management issues that arise outside the formal business of the Steering Committee.
- Provides support by advocacy at senior levels, and ensures that the necessary resources (both financial and human) are available to the project.
- May also be the Business Owner for the project and can also be the Funder, but it varies within government, depending on the budgetary arrangements and decisions about who will be managing the Outputs after the project closes. In the case of large whole-of-government projects, the project funds may be managed by one Agency on behalf of the government, but there may be several Business Owners.
The Corporate Client and Project Sponsor may be the same person for some projects. The Project Sponsor must be identified for all projects, no matter what the size or complexity.
Accountable to: Corporate Client (where applicable)
Steering Committee
- Responsible and accountable for policy and resourcing decisions essential to delivery of project Outputs and the attainment of the project’s Target Outcomes.
- Accountable to the Corporate Client and/or Sponsor for providing the Project Manager and Team with effective management and guidance in the development of the project Outputs and implementation of required organisational change, in order to attain the project’s Outcomes.
- Responsible for ensuring appropriate management of the project components outlined in the endorsed Project Business Plan, which usually includes approving the initial Project Proposal or Business Case and then the Project Business Plan.
- Responsible for assessing, approving or rejecting changes to the scope as documented in the Project Business Plan as the project progresses.
- Responsible for monitoring progress (not just activity) and scrutinising the project’s budget.
- Ultimately accountable for ensuring appropriate risk management processes are applied, which may include responsibility for undertaking specific risk management activities.
- Must also consider how (or if) the project’s objective(s), Outcomes, Target Outcomes and longer-term business benefits align with the organisational strategic agenda and direction, and making the hard decisions to re-scope or terminate the project if there is little or no alignment.
- Should develop an agreed Terms of Reference for how the Steering Committee will operate.
The composition of the Steering Committee may change as the project moves through its various phases or stages, to ensure the best expertise and experience are available when required. Not all projects require a Steering Committee. The need for a Steering Committee is dependent on the complexity and nature of the project and is determined by the Corporate Client and/or Project Sponsor.
Accountable to: Corporate Client (where applicable) or Project Sponsor (Refer to Appendix 3 Steering Not Rowing: A Charter for Project Steering Committees and Their Members.)
Business Owner(s) - Responsible for managing the project Outputs for utilisation by the Project Customers.
- Responsible for ongoing maintenance (including costs) of the project Outputs after the project closes.
- Accountable to the Project Sponsor and/or Corporate Client (or their dele-gate(s)) following formal project closure for the achievement of and report-ing against the project’s Target Outcomes and realisation of the longer term business benefits.
- Must be satisfied that the project’s Outcomes (including Target Outcomes( and longer term business benefits are meaningful in the context of the Busi-ness Unit’s operational environment and forward strategic agenda.
- Contracted by the Project Sponsor and/or Steering Committee to implement the change management described in the Outcome Realisation Plan, and thereby achieve the project’s Outcomes, Target Outcomes and realise the business benefits.
- May be required to contribute resources to the project to ensure the change management described in the Outcome Realisation Plan is implemented effectively.
- ‘Owns’ the Project Outcome Realisation Plan, although the Project Manager may assist in its development.
- Must be satisfied that the project scope includes all of the Outputs necessary for the realisation of the project’s Target Outcomes and agreed business benefits.
- May be required to contribute resources to the project to ensure that the Outputs are developed satisfactorily and are ‘fit for purpose’.
- Responsible after project closure for ensuring the project’s Target Outcomes and agreed longer term business benefits are used to revise the Business Unit’s relevant performance measures. Agency or Divisional Corporate or Annual Business Plans should be updated appropriately. Reporting lines and requirements may also need to be updated post-project.
- Responsible after project closure for ongoing ownership and maintenance of the project Outputs, which may require revised budget forecasts to accommodate maintenance costs and staffing implications.
Project Customers - The person or entities that will utilise the project Outputs to undertake their own activity, and therefore unconsciously generate the project Outcomes and business benefits as a by-product of this utilisation. For example, the Tasmanian public, who transact business with Service Tasmania, would have been classed as Project Customers when the entity was set up. Project Customers are sometimes described as Beneficiaries.
Project Observer - May be a role in a large, complex or politically driven project, possibly involving whole-of-government or more than one Agency, where potential learnings through observation of project processes are possible.
- Usually present at Steering Committee meetings or Project Team meetings to act as an information channel to the Agency/organisation they are representing.
- The Observer’s Agency may not necessarily be represented on the Steering Committee if they are not Business Owners.
- Cannot participate in decision-making while attending meetings.
- May raise issues for discussion on the understanding that those issues may or may not be addressed or resolved as part of the meetings. The issues may be considered outside of the formal meeting structure.
- Accountable to the Agency they are representing. If issues arise that may have implications for the Agency/organisation, they have a responsibility to report these issues back to their Agency/organisation. The Agency/organisation may then wish to raise these issues formally with the Project Sponsor.
Please note: The Project Sponsor and/or Steering Committee Chair should agree to the role of the Project Observer before that role is implemented.
Quality Consultants - Work independently of the Project Team.
- Often contracted from outside the Agency/organisation.
- May be contracted to undertake formal Quality Review of the project as a whole in terms of structure, processes and progress toward Outputs.
- May be contracted to undertake formal Quality Review of the quality of products or services (Outputs) being produced within a project in a technical field (eg law, IT, construction).
(Refer to Appendix 4 A Charter for Project Management Quality Advisory Consultants and Appendix 5 A Charter for Project Management Quality Review Consultants.) Accountable to: Project Sponsor and/or Steering Committee
Project Director - Usually created to manage a large, complex or politically sensitive project or program of projects in partnership with one or several Project Manager(s).
- Responsible for the implementation of the Project/Program Business Plan following its approval by the Steering Committee.
- Directs and monitors project/program activity through quality management, detailed plans and schedules, and reports progress to the Steering Committee.
- Provides expert and authoritative advice to various Ministers, Heads of Agency and senior representatives of the public and private sectors and key community stakeholders on a wide range of sensitive issues associated with the project/program.
- Provides highest-level leadership by articulating the project/program vision, negotiating and defining objectives, and developing and nurturing highest-level relationships with stakeholders and end users, to facilitate the effective delivery of a major government initiative.
Accountable to: Project Sponsor and/or Steering Committee
Project Manager - Contracted by the Project Sponsor and/or Steering Committee to deliver the defined project Outputs as articulated in the approved Project Business Plan.
- Works in partnership with and reports to the Project Director to implement the Project Business Plan.
- Responsible for engaging the Project Sponsor, Business Owner(s) and/or Steering Committee in order to clarify the project Objectives, Outcomes, Target Outcomes, required Outputs and stakeholders within agreed time, cost and quality parameters.
- Develops and maintains the Project Business Plan, Project Work/Execution and Implementation Plan(s) and related schedules.
- Responsible for organising the project into one or more sub-projects, managing the day-to-day aspects of the project, resolving planning and implementation issues, and monitoring progress and budget.
- Reports to the Project Sponsor and/or Steering Committee at regular intervals.
- Manages (client/provider/stakeholder) expectations through formal specification and agreement of the project objective(s), Outcomes, Target Outcomes, Outputs, quality requirements, resources required, budget, schedule, project structure, roles and responsibilities.
- Requires demonstrated high-level project management skills. A Project Manager cannot lead effectively unless they have credibility. For most projects, this means the Project Manager must have knowledge of how the Outputs will be created, and how the Target Outcomes will be realised from the utilisation of those Outputs as described in the Outcome Realisation Plan.
The Project Manager must be identified for all projects, no matter what the size or complexity. Accountable to: Project Director (where applicable), Project Sponsor and/or Steering Committee
Project Team - Led by the Project Manager or Project Team Leader.
- Responsible for completing tasks and activities required for delivery of the project Outputs, as outlined in the Project Business Plan and elaborated in the Project Execution and/or Implementation Plan(s).
- Usually includes representatives from the Business Unit(s) impacted by the project.
- Must include the requisite skills for each phase of a project to ensure success. The skills should be explicitly identified as a part of the project planning process.
The composition of the Team may change as the project moves through its various phases. Accountable to: Project Manager and/or Project Team Leader.
Project Team Leader - Usually appointed in large and/or complex projects to work under the direction of the Project Manager.
- May be a representative of a Business Unit impacted by the project.
- Responsible for completing the required tasks and activities as defined in the Project Execution and/or Implementation Plan(s) for delivering the project Output(s).
Accountable to: Project Manager
Project Officer - Responsible for completing tasks and activities required for delivering project Outputs, as determined by the Project Manager or Project Team Leader.
- Most common responsibilities are related to project coordination (eg administration, including development and/or maintenance of project documentation, assisting with status reporting and follow-up), stakeholder liaison (eg secretarial support to the project reference group or project communications) and general administrative support activities (eg scheduling and meeting preparations).
- May also be directly involved in the development and quality assurance of specific Outputs.
Accountable to: Project Manager or Project Team Leader
Reference Groups - Provide forums to achieve consensus among groups of stakeholders.
- Do not do the work of Output production, but may ratify/endorse Output quality on behalf of the stakeholders they represent.
- The group may already exist, have an indefinite life span or may continue for the life of the project.
- May be a general reference group delegated by the Steering Committee to monitor or modify the Project Business Plan for approval by the Steering Committee.
- May consist of a collection of people with like skills to address a particular set of issues.
- May report to the Steering Committee or Project Manager, depending on who has appointed them and what they are requested to achieve.
- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.
Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)
Advisory Groups - Forums of stakeholders, usually experts, to provide specific advice or technical expertise to the project.
- Do not do the work of Output production, but may advise the Project Manager on Output quality (‘fitness-for-purpose’) on behalf of the stakeholders they represent.
- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.
- Able to advise the project of any emerging issues from a stakeholder perspective.
- Members may also be willing to play an ongoing role in Output maintenance after the project has closed, to ensure the Outputs remain relevant and retain their practical utility.
- May report to the Steering Committee or Project Manager, depending on who has appointed them and what they are requested to achieve.
- The group may already exist, have an indefinite life span or may continue for the life of the project. An information technology advisory group is an example.
Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)
Working Groups - Small specialist work groups, each dedicated to producing a well-defined Output within a specific timeframe, appointed by the Project Manager.
- Report directly to the Project Manager. May also report to the Reference/Advisory Group on Output development progress.
- Membership may be drawn from Reference or Advisory Groups, or the Business Unit(s) where Output implementation will occur.
- May have no life beyond the delivery of that Output.
- Probably involve one or more members of a Project Team to support activity.
- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.
- Members may also be willing to play an ongoing role in Output maintenance after the project has closed, to ensure the Outputs remain relevant and retain their practical utility.
Accountable to: Project Manager or Project Director (where applicable)
Consultants - Are employed from outside the organisation to provide independent, high-level specialist expertise or professional advice unavailable from internal resources, to assist project decision-making.
- Typically Project Consultants may include:
o Information technology specialists who define and manage the technological aspects of the project
o Representatives employed by stakeholders to ensure their interests are represented and managed
o Legal advisers who assist in the development and review of the contractual documentation
o Auditors who ensure compliance with internal and external audit requirements
May report directly to the Chair of the Steering Committee (or perhaps the Chair of a general Reference Group).
Please note: The Head of Agency or Deputy Secretary (or equivalent) must approve any decision to engage a consultant prior to the Agency undertaking the appropriate procurement process.
Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)
Contractors - Are employed, external to the business area, to provide a specified service in relation to the development of project Outputs. Examples include developing guides and/or manuals, developing business application software, developing and delivering marketing programs, and preparing and delivering training to staff in the business area. May be engaged to undertake work as part of the Project Team.
Appendix 9: Project management documentation
PHASE Key documents Other documents Proformas
INITIATE Project Proposal Feasibility Study Report Project Business Case
Business Needs Analysis Project Brief
MANAGE Project Business Plan Project Execution Plan Project Review and Evaluation Report Project Phase Review Report
Risk Management Plan Stakeholder Engagement Plan Organisational Change Management (or Transition) Plan Implementation Plan Project Communication Strategy and Action Plan Marketing Strategy Training Strategy
Project Status Report Project Risk Register Project Issues Register
FINALISE Outcome Realisation Plan Project Closure Report Project Review and Closure Report
Handover Plan Project Output Management Plan
Appendix 10: Project management stages and activities
Key Element INITIATE SET UP MANAGE FINALISE
1. Planning and scoping ✓ ✓ ✓
2. Governance ✓ ✓ ✓ ✓
3. Outcome Realisation ✓ ✓ ✓ ✓
4. Stakeholder engagement ✓ ✓ ✓ ✓
5. Risk management ✓ ✓ ✓ ✓
6. Issues management ✓ ✓ ✓
7. Resource management ✓ ✓ ✓ ✓
8. Quality management ✓ ✓ ✓
9. Status reporting ✓ ✓ ✓
10. Project review and evaluation ✓ ✓ ✓
11. Project closure ✓ ✓
Appendix 11: Project documentation development
Appendix 12: A generic project governance model for larger, more complex projects
Appendix 13: Sample Outcome Realisation data for the Project Business Plan
Target Outcome: The measurable benefits that are sought from undertaking a project (ie what we want to achieve).
Performance Indicator: A description of the type of change that will indicate performance towards the achievement of the Target Outcomes.
Measure: The actual mechanism for measuring the level of the performance indicator.
Baseline: The current level of the performance indicator as at [date].
Target Level: The targeted level of performance (ie how success is defined).
Target Date: The date by which the target levels are to be achieved.
Accountability: Who is accountable for the achievement of the targeted outcomes and reports on the progress towards the target.
Appendix 14: Stakeholder engagement process
Appendix 15: Stakeholder engagement process
Verbal
• Presentations/briefing sessions (one-to-one, one-to-many)
• Telephone (one-to-one)/Teleconferences (one-to-many)
• Forums
• Networking facilitation
• Staff meetings
• Seminars/workshops
• Community meetings
• Launches
• Specific events
• Social gatherings
• Visitation programs
• Radio/television
Electronic
• Personal email to identified stakeholders (one-to-one, one-to-many)
• Broadcast email (one-to-many)
• Internet/intranet including online forums, fact sheets, newsletter, SharePoint (web sharing of ongoing project planning with internal and/or external stakeholders)
• SMS messaging
• Weblog
• Facebook, MySpace, YouTube
• Twitter
• RSS feed
• CD-ROM/DVDs
• Fax stream, faxback
Written
• Mailouts of important documentation (letter, memorandum, factsheet, FAQs)
• Newsletter
• Advertising (newspaper, magazine, web)
• Pamphlets and brochures (consider shelf-life issues)
• Information in agency newsletters etc
• Media release
• Ministerial
• Request for Tender (RFT)
• Contract
• Project planning documentation
Visual
• Display (workplace, conference)
• Transport advertising
• ‘Roadshow’
• ‘Parody’ presentation (play, puppet show)
• 3D presentation
Appendix 16: Elements of the risk management process
Appendix 17: Risk matrix for grading risks
Seriousness (columns): Low (insignificant adverse impact, note only); Medium (reasonable adverse impact, needs monitoring); High (will have significant adverse impact); Extreme.
Likelihood (rows): Low (unlikely to occur during project); Medium (may occur at some stage in project); High (probably will occur during project).
Likelihood \ Seriousness    Low    Medium    High    Extreme
Low                         N      D         C       Extreme
Medium                      D      C         B       Extreme
High                        C      B         A       Extreme
Appendix 18: Recommended actions for grades of risk
Grade: Risk mitigation actions. Who.
A & Extreme: Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritised for implementation before the project commences or immediately as they arise during project execution. Who: Project Steering Committee and/or Project Sponsor.
B: Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritised. Appropriate actions implemented during project execution. Who: Project Steering Committee and/or Project Manager.
C: Mitigation actions to reduce the likelihood and seriousness to be identified and costed for possible action if funds permit. Who: Project Manager.
D & N: To be noted; no action is needed unless grading increases over time. Who: Project Manager.
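The grading matrix in Appendix 17 and the action table in Appendix 18 are usually applied by hand to a Project Risk Register. The following script is an added worked example (it is not part of ICTA 5.001) that encodes both tables, grades a register, sorts it most-severe first, flags the risks that must be mitigated before the project commences, and detects when a re-graded risk has become more severe, which is the trigger Appendix 18 gives for acting on D and N grades. The Risk dataclass, its field names and the sample register are constructed for illustration.

```python
"""Grade a project risk register with the Appendix 17 matrix and attach the
Appendix 18 mitigation action and owner to each entry.

Added example, not part of ICTA 5.001: the Risk dataclass, its field names
and SAMPLE_REGISTER are constructed for illustration.
"""

from dataclasses import dataclass

LIKELIHOOD = ("Low", "Medium", "High")
SERIOUSNESS = ("Low", "Medium", "High", "Extreme")

# Appendix 17: likelihood down the rows, seriousness across the columns.
MATRIX = {
    "Low":    ("N", "D", "C", "Extreme"),
    "Medium": ("D", "C", "B", "Extreme"),
    "High":   ("C", "B", "A", "Extreme"),
}

# Severity ordering, least to most severe. Used to decide whether a
# re-graded risk has moved up (Appendix 18: D and N need no action
# unless the grading increases).
GRADE_ORDER = ("N", "D", "C", "B", "A", "Extreme")

# Appendix 18: (mitigation action, who is responsible) per grade.
ACTIONS = {
    "Extreme": ("Identify, cost and prioritise mitigation for implementation "
                "before the project commences or immediately as the risk arises",
                "Project Steering Committee and/or Project Sponsor"),
    "B": ("Identify, cost and prioritise mitigation; implement during "
          "project execution",
          "Project Steering Committee and/or Project Manager"),
    "C": ("Identify and cost mitigation for possible action if funds permit",
          "Project Manager"),
    "D": ("Note only; no action unless the grading increases",
          "Project Manager"),
}
ACTIONS["A"] = ACTIONS["Extreme"]   # A and Extreme share a row in Appendix 18
ACTIONS["N"] = ACTIONS["D"]         # as do D and N


@dataclass(frozen=True)
class Risk:
    """One row of a Project Risk Register (constructed field set)."""
    ident: str
    description: str
    likelihood: str
    seriousness: str


def grade(likelihood: str, seriousness: str) -> str:
    """Look up the Appendix 17 grade, rejecting values outside the two scales."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if seriousness not in SERIOUSNESS:
        raise ValueError(f"unknown seriousness {seriousness!r}")
    return MATRIX[likelihood][SERIOUSNESS.index(seriousness)]


def grade_increased(previous: str, current: str) -> bool:
    """True when a risk has moved to a more severe grade since the last review."""
    return GRADE_ORDER.index(current) > GRADE_ORDER.index(previous)


def grade_register(risks):
    """Return one dict per risk with its grade, action and owner,
    most severe first, so the list reads as an escalation order."""
    rows = []
    for r in risks:
        g = grade(r.likelihood, r.seriousness)
        action, owner = ACTIONS[g]
        rows.append({"ident": r.ident, "grade": g, "action": action,
                     "owner": owner, "description": r.description})
    rows.sort(key=lambda row: GRADE_ORDER.index(row["grade"]), reverse=True)
    return rows


def pre_start_blockers(risks):
    """Identifiers of risks that must be mitigated before the project
    commences (grades A and Extreme under Appendix 18)."""
    return [row["ident"] for row in grade_register(risks)
            if row["grade"] in ("A", "Extreme")]


# Constructed sample register (illustrative only, not from the standard).
SAMPLE_REGISTER = [
    Risk("R1", "Key supplier fails to deliver integration component", "Medium", "High"),
    Risk("R2", "Data migration corrupts citizen records", "High", "Extreme"),
    Risk("R3", "Minor slippage in training schedule", "Low", "Low"),
    Risk("R4", "Privileged credentials shared among vendor staff", "High", "High"),
]

if __name__ == "__main__":
    for row in grade_register(SAMPLE_REGISTER):
        print(f'{row["ident"]}: grade {row["grade"]} -> {row["owner"]}')
    print("Must be mitigated before start:", pre_start_blockers(SAMPLE_REGISTER))
```

Rejecting values outside the two scales matters in practice: a register with a free-text "Likely" or "Critical" entry would otherwise silently fall through the matrix. Keeping the previous grade alongside the current one lets the register itself answer the Appendix 18 question of whether a noted (D or N) risk now needs action.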
Appendix 19: Issue management flowchart
Appendix 20: Example of a Project Issues Register
Columns: Issue Number; Description; Raised By; Date; Priority; Responsible Officer; Actions & Progress Notes; Status; Date Resolved
1.1: Lack of agency representation on Project Working Group. Raised by: Working Group. Date: 1/09/08. Priority: High. Responsible Officer: Jane. Actions & progress notes: Letter of invitation from Project Sponsor (ie Director) to agencies which are not represented. Status: Open.
2.1: Lack of registrants for next forum. Raised by: Project Manager. Date: 1/11/08. Priority: High. Responsible Officer: Senior Project Officer. Actions & progress notes: Send out reminder via email to the project management community of practice. Status: Open.
1.3: How to show links between PM documents. Raised by: Project Team member. Date: 10/09/08. Priority: Medium. Responsible Officer: Senior Project Officer. Actions & progress notes: Matrix to be developed and published. Status: Closed. Date resolved: 30/11/08.
Appendix 21: Project closure
Appendix 22: Sample Service Management structure (ITIL) for Small organizations
Appendix 23: Sample Service Management structure (ITIL) for Large organizations
Appendix 24: Service desk 1st level, 2nd level and 3rd level support definitions
GENERAL DEFINITIONS
First Level Support
• Dedicated and managed support area/telephone access
• Routine call and incident taking, logging and classification
• Initial fast resolutions to routine Incidents, e.g. password resets
• Short-term support to keep lines open and provide access to IT
• Calls handled within target guidelines before escalation, e.g. 5-10 minutes
• Generally at least 40%-50% of calls resolved
Second Level Support
• Dedicated and managed support area
• Longer-resolution Incidents, e.g. more than 5-10 minutes
• Incidents that require greater technical knowledge or system access
• Fast response and target resolution times; support is the highest priority
• Tasked to build the knowledge base to ensure future response in Incident Management/1st Level
• Involvement in the technical analysis and resolution of underlying Problems
• Generally 40%-50% of calls resolved
Third Level Support
• Long-term Problem resolution
• Incidents/Problems that require a high level of technical knowledge or system access
• Tasked to build the knowledge base to ensure future response in Incident Management/1st or 2nd Level
• Generally less than 10% of calls handled
APPENDIX 25: SAMPLE ICT STRATEGY FORMAT
Note: All Strategic plan proposals should be accompanied by a ‘Table of Contents’ and should be in the order depicted below.
Executive Summary
Give a brief outline of the (Org/Dept).
Environmental Analysis
Internal Environment
[Internal Assessment: Organizational assets, resources, people, culture, systems, partnerships, suppliers, etc]
External Environment
[External Assessment: Marketplace, competitors, social trends, technology, regulatory environment, economic cycles, etc]
Tools for comparison analysis
[It involves specifying the objective of the institution or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective.]
Examples:
SWOT Analysis; Six Forces Model; VRIO; PEST analysis; Porter’s Four Corners Model
Benchmarking
[Benchmarking is the process of comparing one’s business processes and performance metrics to industry bests and/or from other industries. Dimensions typically measured are quality, time, and cost. Improvements from learning mean doing things better, faster, and cheaper.
Benchmarking involves management identifying the best institutions in their industry, or any other industry where similar processes exist, and comparing the results and processes of those studied (the “targets”) to one’s own results and processes to learn how well the targets perform and, more importantly, how they do it.]
Best practices
[A best practice is a technique, method, process, activity, incentive, or reward that is believed to be more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.]
Gap Analysis
[Identify the gap between the optimized allocation and integration of the inputs, and the current level of allocation. This helps provide the institution with insight into areas which could be improved. The gap analysis process involves determining, ‘where you are now’ and ‘where you want to be’.]
Strategic Plan
The strategic plan should be communicated to all relevant individuals, including stakeholders and sponsors. It should include the following:
Vision
[What the org/dept wants to be; it should be compelling, vivid and concise, and challenge everyone to reach for something significant; it inspires a compelling future; it is time bound. An organization’s Vision sets out its aspirations for the future. The Vision is the ‘dream’ of the future, a picture painted in words, which is intended to inspire people by appealing to the heart as well as the head.]
Mission
[Our purpose of existence; should be brief and to the point; it provides context for major decisions and capable of infinite fulfillment; it is not time bound].
MISSION Formulation
Answer each of these questions.
What services and/ or products will the organization/department offer?
Who are the people who may use or benefit from these services or products?
What are the reasons for the organization/ department?
Why will the organization/ department exist?
Now combine all the answers into one statement of purpose.
Values
[Values will guide every major decision making; it embodies the spirit of the org/ dept; revisit Vision and Mission statement.]
Strategic Objectives
List specific actionable results needed to support the vision and the mission. Use the mnemonic SMART/ER
S Specific
M Measurable
A Attainable
R Relevant
T Time bound
and
E Evaluate
R Reevaluate
Initiatives
[These are actions that will lead to achievement of your objectives, often taking the form of projects or programs]
Measures (KPIs), Timeline and Deliverables
[These are objective, quantifiable methods for measuring success: indicators and monitors of success. This section includes performance measurement, initiatives and projects, and action plans.]
[Each Initiative has a supporting Action Plan(s) attached to it. Action Plans are geared toward operations, procedures, and processes. They describe who does what, when it will be completed, and how the organization knows when steps are completed. Like Initiatives, Action Plans require the monitoring of progress on Objectives, for which measures are needed.]
Quick wins
[These are improvements which are expected to provide a Return on Investment in a short period of time with relatively small cost and effort.]
Organization Structure
[Organizational structure allows the expressed allocation of responsibilities for different functions and processes to different entities such as the department, workgroup and individual. Please provide a diagram]
Resources
Personnel
Finance/ Budget
Facilities/ equipment
Summary (include a 5 by 5 year timeline towards 2030)
APPENDIX 26: Who needs to be involved in Legal contracts
Investors
• The Board
• IT Council/Management Team
• Senior business unit managers, e.g. key customers of IT services
• Business Partners
• External investors/shareholders (as part of corporate governance)
Providers
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players, e.g. Business sponsors, Project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/Policy owners, e.g. HR, Facilities Management, Legal
Controllers
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance (regulatory and internal)
• Finance/Project Managers/IT and business managers (reviewers of benefits/ROI)
• Post investment appraisal/Post project review teams
Legal and regulatory responsibilities
Investors
• Understand requirements (what regulations are to be complied with)
• Set the mandate
• Set priorities and expectations
• Establish and ensure the expected degree of compliance
• Based on advice concerning risk and cost: assess impact on business; provide resource and funding to ensure issues are addressed; define who is accountable
• Obtain internal or external assurance as required that issues have been addressed and controls established
• Monitor and evaluate compliance programmes and significant commercial contracts
• Sign off specific compliance programmes
• Provide approvals when required for significant legal or regulatory decisions
Providers
• Advise on IT-related technical and commercial risks that could impact legal and regulatory requirements
• Provide proposals and business cases for legal and regulatory programmes, projects or action plans
• Formulate solutions for compliance or commercial contracts
• Identify best practices for ongoing good control of legal and regulatory requirements
• Exploit technology and tools where appropriate for ensuring compliance (e.g. asset registers)
• Execute compliance and contractual processes, and operate related controls
• Provide a compliance framework to ensure a sustainable “business as usual” approach to compliance
• Provide evidence of compliance
• Provide information relating to the cost of compliance and also the cost of any incidents
• Evaluate impact on the business environment together with business units
• Ensure vendors, service providers, and subcontractors are involved properly and integrated within the overall compliance approach
Controllers
• Maintain awareness of current and emerging laws and regulations affecting IT to assess their impact on the organisation’s business
• Develop an understanding of their impact on the organisation and advise accordingly on “what is needed”, not necessarily “how”
• Monitor adequacy of controls and compliance processes
• Monitor the business and IT functions for performance in meeting legal and regulatory requirements and report back to management with advice regarding any shortcomings
• Provide independent assurance to management that adequate controls are in place to deal with legal and regulatory requirements
Appendix 27: Risk management process
Appendix 28: Accreditation of Contractors and Suppliers
A. REGISTRATION
i. An application for registration as a contractor/supplier shall be made in the prescribed form (ICTA/STD/CTR/F001) and shall be accompanied by-
a. Certified copies of certificates and other relevant documents as are necessary to prove qualification for registration;
b. Certified copies of the shareholders’ certificates of the company;
c. in the case of a trust, a copy of trust deed; and
d. Financial statements of the person or firm for the period immediately preceding the application, or proof of existence of a bank account in the name of the systems development company.
ii. ICT Authority may call for further particulars of the person or firm, including but not limited to-
a. certified copies of the identity documents of the principal or principals of the firm;
b. where there are more than twenty principals, certified copies of the identity documents of twenty principals of the firm;
c. in the case of a foreign contractor-
   - proof of current registration status from their country of domicile or origin;
   - sufficient proof of financial capability of the contractor;
   - proof of registration with an association of contractors;
iii. proof of employment of qualified persons by the contractor and
iv. in the case of an application relating to specialized software, a certified copy of the current license issued by the relevant statutory or regulatory Authority or organization.
v. If an application in relation to this standard is made electronically, the supporting documents shall be submitted to the Authority by registered mail or by hand delivery.
vi. An application shall not be considered duly completed for purposes of this regulation, unless all documents are received by the Authority.
vii. The Authority shall make a decision on an application by a person or firm within thirty days of receiving such application, including rejection if such person does not fully comply with requirements set by the Authority, and shall inform the applicant accordingly, giving reasons for such rejection.
viii. An application form for registration may be made in English or Kiswahili.
ix. A register of registered contractors shall be kept.
x. A person who qualifies for registration in a specialized area shall be issued with a Certificate of Registration in the specialized area of ICT by the Authority.
xi. A person or firm shall submit an annual application for renewal of the certificate of registration to the Authority in the prescribed form accompanied by the prescribed fee (See schedule B) and the Authority shall process the application in accordance with the provisions of the standard.
xii. A person who is aggrieved by the decision of the Authority in relation to the category of registration may submit a written petition indicating the reasons of such grievance, sufficient to justify review or the assessment by Authority.
xiii. The Authority shall within thirty days of receiving a petition under notify the person of the Authority’s decision on both applications.
xiv. Registration of contractors under ICTA - I (See schedule B) category shall be open to both local and foreign contractors.
xv. Any registrations that fall between ICTA -5 to ICTA -8 as set out in the standard shall be restricted to local contractors only.
xvi. A contractor may make an application for upgrading to the Authority in a form to be prescribed by the Authority, accompanied by the prescribed fee, and the Authority shall process the application in accordance with the provisions of the standard.
xvii. Application for renewal of the license shall be submitted to the Authority in writing at least thirty days before the expiry of such license.
xviii. In each year during which a contractor holds a license, the contractor or, in the case of a firm or company, the partner or director who possesses technical qualifications, skills or experience shall attend at least one Continuous Professional Development event recognized by the Authority, and the Authority shall consider the attendances while determining an application to renew or upgrade the Contractor.
xix. During the vetting and verification of a contractor’s documents, the Authority or its representative may visit the contractor’s premises to ascertain the information provided.
xx. The Authority shall publish a list of contractors with valid licenses on its website.
SCHEDULE B. CLASSIFICATION OF WORKS

CATEGORY   POINTS        LOCAL CONTRACTOR                             FOREIGN CONTRACTOR
                         REGISTRATION FEE (ksh.)   ANNUAL FEE (ksh.)  REGISTRATION FEE (ksh.)   ANNUAL FEE (ksh.)
ICTA 1     81-100        10,000                    5,000              100,000                   20,000
ICTA 2     66-80         9,000                     4,000              80,000                    15,000
ICTA 3     56-65         7,000                     3,000              60,000                    10,000
ICTA 4     46-55         6,000                     2,000              50,000                    5,000
ICTA 5     36-45         4,000                     1,000              (local only)              (local only)
ICTA 6     21-35         2,000                     500                (local only)              (local only)
ICTA 7     10-20         1,000                     500                (local only)              (local only)
ICTA 8     Below points  500                       200                (local only)              (local only)
SCHEDULE C. ENFORCEMENT
i. There shall be payable to the Authority such fees for its services as the Authority may determine from time to time.
ii. The Authority may remove the name of a contractor from the register of contractors if the contractor has been debarred from participating in a procurement process under any legislation, or if written complaints have been received from any government agency regarding the contractor’s performance;
iii. The registration of a contractor shall be suspended after investigations into his conduct have been concluded and it is established that the contractor has engaged in misconduct.
iv. Fails to comply with the provisions in regard to the payment of the fees;
v. The Authority shall conduct an inquiry into the conduct of the contractor before removing the name of the contractor from the register.
SCHEDULE D. Mandatory Requirements for the various Sections

REFERENCE   PARTICULARS                    MAX POINTS   REMARKS
A           Directors Qualification        15           Technical Directors [10 mks], 5 mks for other directors
B           Staff qualification            25           Technical staff in specialized area [20 mks], other staff [5 mks]
C           Financial status               30           Turnover 12 marks; Largest projects in area of specialization 12 marks; Cash flow 6 marks
D           Office and service facilities  10           10 mks for adequate office space
E           Firms experience               20           Details of development projects undertaken in area of specialization
            TOTAL                          100
Appendix 29: Accreditation of IT Professionals
The applicant should be compliant with the ICTA-7.001:2016 standard on ICT capacity development, both ethically and in terms of professional qualifications in the area of expertise. The ICT Authority shall issue a certificate of accreditation on compliance with the standard.
Schedule A. Procedure of application for IT Technician
Submit:-
1. A duly filled Registration Application form for IT Technician (ICTA/STD/TECH/F001)
2. Diploma certificate in an IT/Engineering related field from an accredited institution of learning; or a diploma certificate in any field from an accredited institution of learning with proof of two years’ experience practising IT;
3. A Copy of the individual PIN Certificate
4. Copy of National ID/Passport.
5. 2 colored passport photos of the applicant.
Fees as per (part D below)
Schedule B. Procedure of application for IT Graduate
Submit:-
1. A duly filled Registration Application form for IT Graduate (ICTA/STD/GRAD/F002)
2. Graduate certificate in an IT/Engineering related field from an accredited institution of higher learning
3. A Copy of the individual PIN Certificate
4. Copy of National ID/Passport.
5. 2 colored passport photos of the applicant.
6. Fees as per (part D below)
Schedule C. Procedure of application for IT Practitioner:-
Submit:-
1. A duly filled Registration Application form for IT Practitioner (ICTA/STD/PRACT/F003)
2. Graduate Certificate from an accredited institution of higher learning
3. Copy of the individual PIN Certificate
4. Proof to show that the applicant has been practising IT, either through employment or private engagement, for at least 2 years.
5. Copy of National ID/Passport
6. 2 colored passport photos of the applicant.
7. Fees as per (part D below)
Schedule C: Procedure of application for accreditation as an IT Professional
Submit:-
1. A duly filled Registration Application form for IT Professional (ICTA/STD/PROF/F004)
2. A Copy of the Registration Certificate for either IT Graduate/Practitioner from ICTA.
3. A Copy of the individual PIN Certificate
4. Professional Certificate in the specific area from accredited institution by ICTA/government body
5. Letters of reference from employer(s) covering the previous two years confirming professional integrity
6. Statements of two referees detailing their knowledge of the applicant.
7. Fees as per (part D below)
Schedule D. SCHEDULE OF FEE PAYMENTS

    Thematic          REGISTRATION FEE (ksh.)   ANNUAL FEE (ksh.)
1   IT TECHNICIAN     600                       500
2   IT GRADUATE       1,000                     1,000
3   IT PRACTITIONER   2,000                     1,000
4   IT PROFESSIONAL   5,000                     3,000
Appendix 30: Government ICT Project Governance Structures
A. National ICT Project Governance Structures
1. The ICT Oversight Committee

Membership:
- His Excellency the President – Chair
- Members: the Cabinet Secretary for each of the Ministry of Land, Housing & Urban Development; Ministry of Interior and Coordination; Ministry of Education, Science and Technology; Ministry of ICT; Ministry of Devolution and Planning; Ministry of National Treasury
- Chief Executive Officer, ICT Authority – Secretary

Terms of Reference:
1. Review and approve projects for initiation
2. To provide oversight of flagship ICT Projects
3. To receive and consider reports from the Inter-Ministerial Project Steering Committee
4. To resolve inter-ministerial Project challenges.

Appointing Authority: H.E. The President
Meeting: Bi-annual
2. Inter-Ministerial Project Steering Committee

Membership:
- Principal Secretary, Ministry of ICT – Chair
- Members: the Permanent Secretary for each of the Ministry of Lands, Housing and Urban Development; The National Treasury; Ministry of Interior and Coordination; Ministry of Education, Science & Technology; Ministry of Devolution and Planning
- Chief Executive Officer, ICTA – Secretary

Terms of Reference:
1. Champion implementation of key projects
2. Monitor and evaluate projects and take necessary action for the success of the project.
3. Prepare and report project status to the Oversight Committee
4. Resolve inter-ministerial project challenges.
5. Receive and review quarterly reports from the Project Implementation and Monitoring Committee.
6. Co-opt the ministry that owns the key project(s)

Appointing Authority: H.E. The President
Meetings: Quarterly
B: Ministries, Agencies and Counties
1.0 Project Implementation and Monitoring/Steering Committee

Role / Person:
- Project champion (Chair): a top-ranking officer from the organization (PS for Ministries and CEO for Agencies)
- Project owner: the user of the system
- Chair of Technical Committee: the person who is responsible for the implementation of the system [Head of ICT]
- Project Management Office: Project Manager, ICT Authority

Terms of Reference:
1. Initiate projects within Ministries, Agencies & Counties
2. Review and approve project concepts and implementation plans
3. Resolve project challenges to ensure smooth implementation
4. Review and approve project budget
5. Monitor and evaluate projects at implementation stage
6. Prepare and present quarterly progress reports to the Inter-Ministerial Project Steering Committee
7. Appoint project implementing team[s]
8. Co-opt stakeholders’ representatives or other members

Meetings: Regularly
Appointing Authority: Cabinet Secretary/Governor/CEO, as appropriate
2.0 Project Technical Committee

Role / Person:
- Project owner and Chair: the user of the system
- Project manager (Secretary): the person who is responsible for the execution of the project
- Beneficiaries representative: stakeholders’ representative(s)
- PMO Liaison officer: an officer from the ICTA PMO
- Consultant / Systems integrator: representative(s) of any third party who is involved in the development of the project
- Standards Liaison officer: a Standards officer from ICTA
- Technical liaison: selected technical expert(s) in line with the technical requirements of the project
APPENDIX 31: AUDIT FOR OUTSOURCED APPLICATIONS
SYSTEM LIFECYCLE STAGE / AUDIT AREAS (Quality Product; On Time and On Budget)

Project Initiation
Quality Product:
- Appropriate stakeholders are involved.
- Project champion represents the key stakeholders.
- Project is consistent with the organization’s strategic plans.
On Time and On Budget:
- Budget was properly determined.
- Timeline is realistic given project magnitude and past organizational experience.
- Appropriate metrics and reporting schemes are developed.

Business Requirements Definition
Quality Product:
- Appropriate stakeholders are represented.
- Security requirements are defined.
- Automated and manual controls are considered.
On Time and On Budget:
- Project plan and budget remain realistic given business requirements.
- Business requirements do not overly rely on new and/or unproven technologies (e.g., a requirement that all transactions will process over the intranet).

Technical Requirements Definition
Quality Product:
- Technical requirements support the business requirements.
- Members of all impacted technical units are represented.
- Technology assumptions are properly validated through internal experience or external site visits.
- Links to existing applications are defined and controlled (e.g., control totals).
On Time and On Budget:
- Project plan and budget remain realistic given technical requirements.
- Lead times for purchasing, receiving, installing and testing new hardware have been properly reflected in the timeline.
Software Selection/Coding
Quality Product:
- RFP and vendor assessments come directly from business and technical requirements.
- Selected vendor has experience in your industry, with companies your size, and with similar setups.
- Vendor is financially stable and will be around for long term support (alternatively, the source code could be owned by your organization).
- Proper change management and security controls are set up for the coding environment.
On Time and On Budget:
- Vendor contract terms are favorable, and include clauses on cost overruns.
- Vendor contract includes rewards/penalties for project timeliness.
- Project plan appropriately reflects the resources and time necessary to install, code and modify.

Testing
Quality Product:
- All testing is performed in an appropriate environment with adequate security.
- All issues noted during testing are communicated to the proper owner within the project.
- Test cases reasonably reflect the environment as it will appear in production.
- Change management controls are in place as system elements progress through the testing cycle.
On Time and On Budget:
- Resolution of test issues is focused on items that are necessary to achieve business or technical requirements (not all issues must be solved prior to going live!).
- Project plans are properly updated to reflect issues noted in testing that must be resolved.

Data Conversion
Quality Product:
- Data is accurately mapped from the old system to the new.
- Key data elements are screened using software (or manually in some cases) to ensure anomalies are removed.
- After conversion, sample data reflects accurate transfer.
- Control totals of key data fields/tables show consistency in the old and new data structure.
On Time and On Budget:
- Project plans are properly updated to reflect issues noted in data conversion that must be resolved.
Training and Documentation
Quality Product:
- Training addresses both system usage and business process.
- Training includes all affected parties.
- Training is provided close enough to implementation to allow participants best retention.
- Documentation (online and paper) is organized in a way to be useful to users and operators.
On Time and On Budget:
- Training and documentation are properly included in the project plan and budget.

Final Implementation
Quality Product:
- Promotion to the production environment follows established change management procedures.
- Parallel processing with old system(s) commences.
- Help desk and “swat teams” are in place.
- System backup procedures are established.
On Time and On Budget:
- Final costs are captured and summarized (watch out for implementation problems being defined as “on-going maintenance”).
- Project teams are closed down as the implementation continues.
Appendix 32: Related Documents
Code Number        Title
ICTA. 1.001: 2016  Government Enterprise Architecture
ICTA. 2.001: 2016  Infrastructure Standard (Networks, Cloud, End User Computing, Data Centre)
ICTA. 3.001: 2016  Information Security Standard
ICTA. 4.001: 2016  Electronic Records and Data Management Standard
ICTA. 5.001: 2016  IT Governance Standard
ICTA. 6.001: 2016  Systems and Application Standard
ICTA. 7.001: 2016  ICT Human Capital and Workforce Development Standard
ICT Authority
Telposta Towers, 12th Floor, Kenyatta Ave
P.O. Box 27150 - 00100 Nairobi, Kenya
t: + 254-020-2211960/62
Email: [email protected] or [email protected] or [email protected]
Visit: www.icta.go.ke
Become a fan: www.facebook.com/ICTAuthorityKE
Follow us on twitter: @ICTAuthorityKE