Enterprise Architecture. Government of Liberia


DOCUMENT CONTROL

Owner: Ministry of Post & Telecommunications
Document Title: National Enterprise Architecture Framework
Version Number: Draft
Version Date: April 2014
Author: Peter Tobbin, USAID GEMS Project
Status: First Draft

AMENDMENT RECORD

Columns: Version; Date; Modified By; Change Information

ABBREVIATIONS

Term: Definition
e-gif: E-Government Interoperability Framework
EA: Enterprise Architecture
MAC: Ministries, Departments and Agencies
GoB: Government of Liberia
CIO: Chief Innovation Officer
QAC: Quality Assurance Committee
RFP: Request for Proposal
CMM: Capability Maturity Model

Table of Contents

1. Executive Summary Introduction e-government Vision & Objectives Enterprise Architecture Frameworks Architecture Scope Document Organization Future Directions Architecture Vision Overview The Vision Benefits of Enterprise Architecture Enterprise Architecture Principles General e-government Principles Architecture Principles Data Architecture Principles Application Architecture Principles The architecture principles apply to all Government MACs and the only way their ICT departments can provide a consistent and measurable level of quality information to decision makers is if all organizations abide by the principles. Without this principle, exclusions, favoritism, and inconsistency would rapidly undermine the management of information. The principles governing the AARM include the following: Technical Architecture Principles Applying Architecture Principles Stakeholder Management Architecture Reference Models Business Reference Model Overview The Benefits of BRM When do you need to refer to BRM? The Structure

The Business Areas Services for Citizen Support Delivery of Services Management of Government Resources Data Reference Model Overview Benefits of DRM When do you refer to the DRM? DRM Implementation Data Context standardization area Data Description standardization area Data Sharing standardization area Security & Privacy Application Reference Model Overview Benefits of ARM ARM Structure Customer Services Domain Digital Asset Services Domain Integration Services Domain Back Office Services Domain System Support Services Domain Process Automation Services Domain Business Analytical Services Technical Reference Model Overview Benefits of TRM Structure Service Access Domain Mobile Access Remote Access Architecture Open Web Server

Integration Domain Service Oriented Related Functions Business Intelligence (BI) Shared Services and Collaboration Domain Groupware/File Servers/ Mail Servers Domain Multiple Core Services Domain Integrated Directory Platform Domain Overview Servers Storage Operating System Virtualization Cloud Platform Voice Telephony Network Domain Government Wide Area Network (GWAN) GWAN Architecture Local Area Network Wireless LAN Architecture Voice over Internet Protocol (VoIP) Shared PC / Office Printer Enterprise ICT Management Maintenance Environment IT Service Management Process EVENT MANAGEMENT SOFTWARE CONTROL & DISTRIBUTION INCIDENT MANAGEMENT AVAILABILITY MANAGEMENT SERVICE CATALOGUE MANAGEMENT CHANGE MANAGEMENT CONFIGURATION MANAGEMENT

CAPACITY MANAGEMENT CONTINGENCY MANAGEMENT PREVENTATIVE MAINTENANCE SECURITY MANAGEMENT SERVICE LEVEL MANAGEMENT REQUEST FULFILMENT PROBLEM MANAGEMENT Technical Policies and Guidelines Policies General Policies Participation in GWAN Guidelines Design Criteria for an e-government Infrastructure Flexibility Scalability Reliability Functionality Performance Availability Developing the Technical Architecture Platform Selection Process Guidelines and Principles Recommendations Example Liberia Government-Wide Network Current State Target Architecture Architecture Best Practices & Guidelines Architecture Roadmap Architecture Governance and Change Management

1. Executive Summary

2. Introduction
2.1. e-government Vision & Objectives
2.2. Enterprise Architecture Frameworks
2.3. Architecture Scope
2.4. Document Organization
2.5. Future Directions

3. Architecture Vision

3.1. Overview

To realize the overarching e-government vision and goals described in the Government of Liberia (GoL) e-government Strategy, a government-wide enterprise Architecture Vision needs to be defined to articulate what must be done to serve the ICT strategic needs and directions of the government. The Architecture Vision provides a high-level description of the target architectures in terms of reference models, covering the business, data, application, and technology domains.

The objectives of the architecture vision phase are:
1. To articulate a clear vision of the enterprise architecture and its benefits.
2. To define and agree on the initial set of key enterprise architecture principles, including the business, data, application, technology and governance principles.
3. To define the architecture reference model to provide standard views of how business, data, applications and technology functions are organized, and define how it supports the business processes and addresses stakeholder concerns. The reference model will act as the reference point for subsequent baseline and target architecture design.
4. To articulate an Architecture Vision and formalize the value proposition that demonstrates a response to those requirements and constraints.

3.2. The Vision

To enable better information technology decisions that are driven by the business needs of the state in the delivery of services.

Benefits of Enterprise Architecture

When Enterprise Architecture is effectively defined, implemented and followed, it can provide the following key benefits:
- Bridge the gap between business strategy and implementation: By defining the target business processes and IT assets required to satisfy the business objectives, and a roadmap for reaching that target, EA provides a clear vision to implement business strategy and helps reduce ad hoc implementations driven by a tactical and reactive approach.

- Improve alignment of IT with mission, goals, and objectives: By identifying how IT assets directly enable business processes and how those processes execute the organization's mission, EA promotes IT solutions that are more pertinent and relevant for the business.
- Improve service delivery, business operations and business capabilities: Adoption of EA results in streamlining business processes and in making IT operations more efficient. EA processes help identify gaps in business capabilities (such as business analytics and case management) and provide a long-term vision to improve and/or acquire those capabilities.
- Improve interoperability and information sharing: By defining enterprise-wide standards and specifications for how systems will talk to each other, EA makes the job of integrating multiple systems and sharing information easier.
- Improve flexibility to dynamically respond to customer needs and statutory changes: EA enables faster design of new systems and extensions to existing systems by predefining standards. By advancing service orientation, EA promotes creation of user applications as a composition of reused services, which results in faster adaptation to changes.
- Reduce cost and cost of ownership: EA enables economies of scale in purchasing and reduces training requirements and support costs by establishing a less complex environment (due to technical homogeneity), which is easier to support and results in faster repairs.
- Reduce redundancy, duplication, complexity and information silos: EA enables portfolio rationalization and simplification to promote more effective use of IT and other resources to efficiently support business processes.
- Reduce business risk associated with IT and reduce risk for future IT investment: Focus on strategic goals allows EA to identify weaknesses and threats in the existing IT portfolio and to address them in the target architecture. The risk of future IT investments not delivering business value is greatly reduced when investments are made in accordance with a well-defined enterprise roadmap.
- Enable faster, simpler and cheaper procurement: By defining the target architecture and a roadmap, EA facilitates an architect-invest-implement approach that simplifies procurement decisions and ensures architectural coherence of multi-vendor solutions.
- Enable predictable success of projects and realization of their defined objectives: EA promotes undertaking projects within the context of a defined enterprise roadmap. EA provides guidance to these projects to ensure their progress towards the target architecture and to help realize their defined business objectives.

3.2. Enterprise Architecture Principles

The GoL enterprise architecture principles defined in this section are intended to support the way GoL EA will set about fulfilling its e-government vision. They define the underlying general rules and guidelines for the use and deployment of IT resources and assets across the governments and provide a means of harmonizing decision-making across the governments.

Architecture principles drive subsequent development of enterprise architecture reference models, standards, frameworks and future state harmonized architecture. They are the key element in a successful architecture governance strategy that governs the architecture process, affecting the development, maintenance, and use of the enterprise architecture. They provide a number of key benefits, which include:
- Providing a framework within which the government can make conscious decisions around IT
- Acting as drivers for defining functional requirements for the architecture
- Providing input for assessing the existing IT systems and developing future strategic portfolios
- Providing parameters for the selection of standards

The Liberia architecture principles have been categorized under the following architectural segments:
- General e-government Principles
- Business Architecture Principles
- Data Architecture Principles
- Application Architecture Principles
- Technology Architecture Principles

The architecture principles are described in accordance with the TOGAF proposal. Each principle under a defined category has a principle code, a statement, rationale and implications. The principle code, statement and rationale are required for each principle. Implications are optional.

Statement: Should succinctly and unambiguously communicate the fundamental rule. For the most part, the principle statements for managing an organization's information are similar from one organization to the other.
Rationale: Should highlight the business benefits of adhering to the principle, using business terminologies.
Implications: Should highlight the requirements, for both the business and IT, for carrying out the principle, in terms of resources, cost and activities.

General e-government Principles

- Nationwide Focus
- Standards
- Ownership Value Driven
- Interoperability
- Customer-Centric Service Delivery
- Design for Re-use

Principle GP1:
Name: Nationwide Focus
Statement: Architecture decisions will be made based on the overall value and efficiency for the nation, while considering the needs of individual agency programs.
Rationale: Planning and coordination at the state level, with input from the agency levels, will best deliver systems that support the state's goals and activities. Decisions based on a state perspective will tend to have greater long-term value than those made at the agency level. However, delivering necessary functions to agency programs is more important than the technology that is used to do it.
Implications: Some systems will be sub-optimized from the point of view of individual agencies, but optimized for the state as a whole. The state needs to have a process in place to support architectural decision making at the state level. Agencies should plan their initiatives to mesh with the state's architecture. Management for systems and applications should be approached starting from the enterprise level and proceeding down to the local level, with management tasks performed at the highest level that makes sense. This approach leads to the fewest number of tools and automatically minimizes the amount of data and probes needed. It also enables SLA, dashboard and similar high-level tools while also allowing the per-system specialized local tools needed for administrators to operate the systems. However, the state has always supported exceptions to its technical standards for legitimate business reasons. There may be some systems that are implemented that do not fit the architectural principles, but deliver considerable functionality to the state's programs. Functionality and business processes take primacy over IT structure.

Principle GP2:
Name: Standards
Statement: Standards will be selected to encourage sharing, interoperability, and efficiency. Open standards will be preferred and proprietary standards will be avoided if possible in choosing the right solution for the business requirements. Standards will be promulgated only when there is evidence that an informational, non-binding guideline would be ineffective.
Rationale: Use of standards provides ability to leverage the knowledge and efforts of others. Risk is reduced. Proven solutions are implemented. However, standards should not be used to prevent an agency from being the best it can be in carrying out its mission. An open, vendor-neutral standards environment provides the flexibility and consistency that allows agencies to respond more quickly to changing business requirements. This allows the state to choose from a variety of sources and select the most economical solution without impacting applications. It also supports implementation flexibility because technology components can be purchased from many vendors, insulating the state from unexpected changes in vendor strategies and capabilities.
Implications: Open standards do not exist for all parts of the architecture. Therefore, a combination of de facto industry standards, product standards, and open standards will be required in order to support a heterogeneous operating environment. Open systems must be differentiated from proprietary systems throughout this architecture.

Principle GP3:
Name: Ownership Value Driven
Statement: Decisions on information technology investments will balance the total cost of ownership (costs of development or purchase, support, disaster recovery, and retirement) against added value, reduced risk, ease of use, reusability, interoperability, current investments and compliance with the architecture. Recognize that tradeoffs in quality, cost and delivery time are critical to realistically meeting business requirements.
Rationale: When viewed over the whole state, choosing systems based on these criteria will lead to maximum value, and provide superior solutions over the lifecycle of the systems.
Implications: A new system with high availability and performance cannot be implemented if lowest cost is the single driving criterion. Tradeoffs in reliability or performance against cost must be made on a case-by-case basis, but always in the best interest of the business purpose. All investments must be tied to business outcomes. Upfront costs for some items might be higher, but that will be balanced by reduced long-term costs. Products that can be reused and shared should be strongly considered because they can grow in value over time.

Principle GP4:
Name: Interoperability
Statement: The architecture should support the sharing of information and applications among agencies and across jurisdictions. Systems will be constructed with methods that substantially improve interoperability and the reusability of components.
Rationale: It is difficult to foresee what systems will need to interoperate. Organizational changes, new mandates, and new emphases can require interoperability between systems that were originally seen as separate or standalone. Designing systems to interoperate based on reusable component services will reduce redundancy, save resources and allow systems to change quickly to meet changing government needs.
Implications: The enterprise architecture and systems that are built within it should support reusable, loosely coupled components (services). The architecture will need to support messaging between components. Application developers will need to alter their approach to application design. Support and enforcement of data standards will be essential to achieving interoperability.

Principle GP5:
Name: Customer-Centric Service Delivery
Statement: The architecture should be focused on the delivery of government information and services to the citizens of Liberia and other customers.
Rationale: In order for the state to be effective in the delivery of government information and services, it must be focused on meeting the needs of the State's citizens.
Implications: The architecture should be developed to support the complete process that delivers government information and services, including availability regardless of location, time and method of access and group (e.g., language, culture, age and ability). Make the presentation layer accessible and consistent. Consistency within and across applications is desirable.

Principle GP6:
Name: Design for Re-use
Statement: Identify opportunities for common components and implement them in such a way that there is an opportunity for reuse by another program, agency or unit of government.
Rationale: It is more cost-effective to build reusable components as reusable from the beginning. It will be cheaper to build custom products from standard reusable components than build all the components from scratch each time.
Implications: Designing for reuse does have the implication of requiring additional governance and more complex projects owing to more stakeholders.

Business Architecture Principles

- Common Vision
- Business Processes Drive Architecture
- Examine Processes First
- Design for Re-Use

Principle BP1:
Name: Common Vision
Statement: A MAC's business and IT staff must have a common vision of both its business functions and the role of technology in those business functions. They jointly have the responsibility for defining IT needs and ensuring that the systems delivered by the development teams provide the projected benefits.
Rationale: Executive leadership of an agency is responsible for its mission. Information technology staff provides automation of processes to aid in accomplishing that mission. Business and IT purposes must be synchronized to best accomplish the mission.
Implications:

Principle BP2:
Name: Business Processes Drive Architecture
Statement: The architecture of any individual system must be driven by the business processes of the enterprise.
Rationale: Deployments of technology are most valuable when they are customer focused, business-driven and focused on the mission and goals of the enterprise.
Implications: This minimizes the deployment of technology for technology's sake.

Principle BP3:
Name: Examine Processes First
Statement: Business processes must be analyzed, simplified, or otherwise redesigned for optimization and efficiency before systems will be implemented.
Rationale: Process redesign challenges us to look at current processes differently and to discover the essential business requirements, avoiding automation of flawed processes. Process redesign also may point in the direction of more customer focused approaches. Work processes will be more streamlined, efficient, and cost effective.
Implications: This minimizes the deployment of technology for technology's sake.

Principle BP4:
Name: Design for Re-use
Statement: Identify opportunities for common components and implement them in such a way that there is an opportunity for reuse by another program, agency or unit of government.
Rationale: It is more cost-effective to build reusable components as reusable from the beginning. It will be cheaper to build custom products from standard reusable components than build all the components from scratch each time.
Implications: Designing for reuse does have the implication of requiring additional governance and more complex projects owing to more stakeholders.

Data Architecture Principles

- Data is an Asset
- Data is Shared
- Data is Created, Accessible and Available
- Data has an Owner/Trustee
- Common Vocabulary and Data Definition
- Data Security

Principle DP1:
Name: Data is an Asset
Statement: Data is a national asset that has high value to the Government of Benin, as data is the foundation of all decision making. The effective and careful management of data is therefore paramount and of high importance to ensure that the government can rely on its accuracy and can obtain it as and when needed.
Rationale: Effective data management would ensure effective decision-making and improved performance. Besides, organizing and managing the key data assets of the enterprise drives the business processes needed to run the government.

Implications: This is one of three closely related principles regarding data: data is an asset; data is shared; and data is easily accessible. The implication is that there is an education task to ensure that all organizations within the Enterprise understand the relationship between value of data, sharing of data, and accessibility to data. Stewards must have the authority and means to manage the data for which they are accountable. A forum with comprehensive Government-wide representation should decide on process changes suggested by the steward. The MACs must make the cultural transition from "data-ownership" thinking to "data-stewardship" thinking.

Principle DP2:
Name: Data is Shared
Statement: Users have access to the data necessary to perform their duties; therefore, data is shared across Government functions and organizations. Government-wide enterprise data should be shared across government organizations and units / departments. Users should have access to the necessary shared data required to perform their respective business functions. Shared data should be centrally controlled and managed at the appropriate organizational level.
Rationale: Shared data will result in improved decisions since MACs will rely on fewer (ultimately one virtual) sources of more accurate and timely managed data for their entire decision-making. Electronically shared data will result in increased efficiency when existing data entities can be used, without re-keying, to create new entities.
Implications: This is one of three closely related principles regarding data: data is an asset; data is shared; and data is easily accessible. The implication is that there is an education task to ensure that all organizations within Government understand the relationship between value of data, sharing of data, and accessibility to data. To enable data sharing, the MACs must develop and abide by a common set of policies, procedures and standards governing data management and access for both the short and the long term. For the short term, to preserve their significant investment in legacy systems, MACs must invest in software capable of migrating legacy system data into a shared data environment. MACs will also need to develop standard data models, data elements, and other metadata that define this shared environment and develop a repository system for storing this metadata to make it accessible.

Principle DP3:
Name: Data is Created, Accessible and Available
Statement: Data is a national asset that has high value to the Government of Benin, as data is the foundation of all decision making. The effective and careful management of data is therefore paramount and of high importance to ensure that the government can rely on its accuracy and can obtain it as and when needed.
Rationale: Effective data management would ensure effective decision-making and improved performance. Besides, organizing and managing the key data assets of the enterprise drives the business processes needed to run the government.
Implications: Data sharing will require a significant cultural change. This is one of three closely related principles regarding data: data is an asset; data is shared; and data is easily accessible. The implication is that there is an education task to ensure that all organizations within the Enterprise understand the relationship between value of data, sharing of data, and accessibility to data. Stewards must have the authority and means to manage the data for which they are accountable. A forum with comprehensive Government-wide representation should decide on process changes suggested by the steward. The MACs must make the cultural transition from "data-ownership" thinking to "data-stewardship" thinking.

Principle DP4:
Name: Data has an Owner
Statement: A government unit must own each data entity / item. The government unit should be responsible for data definitions, domain, values, integrity and security. An owner should be identified for each data entity and its related data services.
Rationale: Lack of well-defined data ownership will lead to confusion as to who can change the data. Identifying the government unit with ownership of its respective data entities avoids ambiguity and creates clear responsibility and accountability for all data. Identifying the data owners will clearly define the point of contact in the respective government unit who will be responsible and accountable for all changes in the data entities and data services and the approval of the same. In order for enterprise data to be managed effectively, there can be only one primary source for each data entity so that the data entity can be traced back to the source system. Otherwise, inconsistent, erroneous and out-of-date data may result.
Implications: The data trustee will be responsible for meeting quality requirements levied upon the data for which the trustee is accountable. It is essential that the owner have the ability to provide user confidence in the data based upon attributes such as "data source". It is essential to identify the true source of the data in order that the data authority can be assigned this trustee responsibility. This does not mean that classified sources will be revealed, nor does it mean the source will be the owner. Information should be captured electronically once and immediately validated as close to the source as possible. Quality control measures must be implemented to ensure the integrity of the data.

Principle DP5:
Name: Common Vocabulary and Data Definition
Statement: Data is defined consistently throughout the Enterprise, and the definitions are understandable and available to all users. Enterprise data and metadata standards should be defined to ensure seamless interoperability while interchanging data, e.g. definition of e-gif and Metadata Standards.
Rationale: The data to be exchanged across the government should have a common definition with an agreed format and meaning of the data items. A common vocabulary will facilitate effective communications and enable sharing of data. In addition, it is required to interface systems and exchange data. It provides metadata modelling, consistency and quality. Centralized metadata provides a single point for maintaining the metadata.
Implications: The Government must establish the initial common vocabulary for the business. The definitions will be used uniformly throughout the MACs. Whenever a new data definition is required, the definition effort will be coordinated and reconciled with the Government metadata descriptions. Ambiguities resulting from multiple parochial definitions of data must give way to accepted Government-wide definitions and understanding. Multiple data standardization initiatives need to be coordinated. Functional data administration responsibilities must be assigned.

Principle DP6:
Name: Data Security
Statement: Data should only be available to users who require the information as part of their role. Provision should be made for role-based access to data.
Rationale: Open sharing of information and the release of information via relevant legislation must be balanced against the need to restrict the availability of classified, proprietary, and sensitive information. Existing laws and regulations require the safeguarding of national security and the privacy of data, while permitting free and open access.
Implications: Aggregation of data, both classified and not, will create a large target requiring review and declassification procedures to maintain appropriate control. Data owners and/or functional users must determine if the aggregation results in an increased classification level. MACs will need appropriate policy and procedures to handle reviews and declassification. Access to information based on a need-to-know policy will force regular reviews of the body of information. The current practice of having separate systems to contain different classifications needs to be rethought. Is there a software solution to separating classified and unclassified data? The current hardware solution is unwieldy, inefficient, and costly. It is more expensive to manage unclassified data on a classified system. Currently, the only way to combine the two is to place the unclassified data on the classified system, where it must remain. In order to adequately provide access to open information while maintaining secure information, security needs must be identified and developed at the data level, not the application level.

Application Architecture Principles

- Delivering maximum value to Government
- Modular and component based
- Compliance with law
- ICT Responsibility
- Protection of Intellectual Property (IP)
- Common Use of Application

Principle AP1:
Name: Delivering maximum value to Government
Statement: Information systems decisions must be made to provide maximum value to the Government as a whole.
Rationale: This principle embodies "service above self." Decisions made from a Government-wide perspective have greater long-term value than decisions made from any particular MAC's perspective. Maximum return on investment requires information management decisions to adhere to Government-wide drivers and priorities.
Implications:
- Achieving maximum Government-wide benefit will require changes in the way information systems are planned and implemented across Government;

22 Some MACs may have to concede their own preferences for the greater benefit of the entire Government; Application development priorities must be established by the entire Government for the entire Government; Applications components should be shared across MACs organisational boundaries; Information management initiatives should be conducted in accordance with the Government ICT plan. Individual MACs should pursue information management initiatives which conform to the blueprints and priorities established by the Government. Principle AP2: Name Statement Rationale Modular and component based Adopt a modular and component based architectural solution, aligned to business processes, that conforms to established open standards with welldefined roles & responsibilities. Components should be independent of the physical topology of the system. Reduces total cost of ownership and avoids vendor lock-in Implications Avoid proprietary solutions and technologies if possible Consider adhering to W3C, e-gif etc technical standards, Consider use of latest web services, XML and integration standards Internet based web standards and technology should be preferred as the basis for all solutions Principle AP3: Name Statement Rationale Compliance with law Government information technology management processes must comply with all relevant laws, policies, and regulations. Government policy is to abide by laws, policies, and regulations. This will not preclude business process improvements that lead to changes in policies and regulations. Implications All MACs must be mindful to comply with laws, regulations, and external policies regarding the collection, retention, and management of data; Education and access to the rules. Efficiency, need and common sense are not the only drivers. Changes in the law and changes in regulations may drive changes in processes or applications. Principle AP4: Name ICT responsibility

Statement: The ICT organisations of the MACs are responsible for owning and implementing ICT processes and infrastructure that enable solutions to meet user-defined requirements for functionality, service levels, cost, and delivery timing.
Rationale: MACs must effectively align expectations with capabilities and costs so that all projects are cost effective. Efficient and effective solutions have reasonable costs and clear benefits.
Implications:
- A project prioritisation process must be created by all MACs;
- The MACs' ICT functions must define processes to manage business unit expectations;
- Data, application, and technology architecture models must be created to enable integrated quality solutions and to maximise results.

Principle AP5
Name: Protection of Intellectual Property (IP)
Statement: Government of Benin's Intellectual Property must be protected at all times and this protection must be reflected in ICT architectures, implementation, and governance processes.
Rationale: A major part of the Government's Intellectual Property is hosted in the ICT domain.
Implications:
- While protection of IP assets is everybody's business, much of the actual protection is implemented in the ICT domain;
- A Security policy, governing human and ICT actors, will be required that can substantially improve protection of IP. This must be capable of both avoiding compromises and reducing liabilities.

Principle AP6
Name: Common use of applications
Statement: Development of applications used across Government is preferred over the development of similar or duplicative applications, which are only provided to particular MACs.
Rationale: Duplicative capability is expensive and creates complexity and conflicting data.
Implications:
- MACs will not be allowed to develop capabilities for their own use which are similar or duplicative of Government-wide capabilities;
- Data and information used to support Government decision-making will be standardised to a much greater extent than previously. This is because the smaller MACs' capabilities, which produced different data (which was not shared among other MACs), will be replaced by shared Government-wide capabilities.

Technical Architecture Principles

- Interoperability
- Industry Proven
- Scalability, Availability, Backup and Archival
- Requirements Based Change
- Convergence
- Open Architecture Support

Principle TP1
Name: Interoperability
Statement: Systems must be designed, acquired, developed, or enhanced such that data and processes can be effectively shared, for appropriate purposes, across Interior and with our partners.
Rationale: Inter-departmental exchange of information requires network interoperability. Increased efficiency will better serve our customers (e.g., the public, employees, etc.).
Implications:
- Every systems analyst needs to consider enterprise wide impacts when designing, enhancing, acquiring or extending the scope or use of applications.
- Need for recognition that interoperability and security may be impossible between vendor products that adhere to standards for interoperability (e.g., if using VPNs directly from firewalls, the current major firewall vendors don't interoperate although both ostensibly support interoperability).
- We will need new tools that enable data sharing and the training for their proper use
- Need for Interior-wide working group to provide guidelines on interoperability
- Use of common protocols will be necessary

Principle TP2
Name: Industry Proven
Statement: IT solutions will use industry-proven and state-of-the-art mainstream technologies.
Rationale: Ensures robust product support. Enables greater use of commercial-off-the-shelf solutions. Avoids dependence on weak vendors.

Implications:
- Analysis of network solutions will need to be more thorough (e.g., is capability mainstream or vendor?).
- Need to establish the criteria to identify the weak vendors and poor technology solutions
- The exploration of new network technology will be managed and investigation results
- We may be slow to adopt new technologies.
- Requires the technology portfolio to migrate away from existing weak products or products that are reaching obsolescence.

Principle TP3
Name: Scalability, Availability, Backup & Archival
Statement:
Scalability: Technology standards chosen should meet the changing and growing ministry needs and requirements and the applications and technologies should essentially scale up, to adapt and respond to such requirement changes and demand fluctuations. Server, storage and network capacities must handle user, application and data loads.
Availability / Failover: The technology infrastructure should exhibit no single point of failure.
Archival & Backup: The system would have data and source spanning across multi years. The archival & backup policies and mechanism should address the archival & backup requirement of the system.
Rationale: Needed to support the overall SLA requirements around scalability, availability & performance.
Implications:
- The system infrastructure should be architected considering failover requirements and ensure a single server or network link failure does not bring down the entire system (although e.g. performance may degrade).
- The system should handle every request and yield a response. It should handle error and exception conditions effectively.
- In the event of failures or crashes, the transactions and data would need to be recovered.
- The platform solution should support effective disaster recovery
- Need to monitor the system's health at regular intervals. Use of a central system monitoring tool would be required to gauge the health of the system at all times and monitor against the pre-defined SLA.

Principle TP4
Name: Requirements Based Change
Statement: Only in response to business needs are changes to applications and technology made.
Rationale: This principle will foster an atmosphere where the information environment changes in response to the needs of the business, rather than having the business change in response to information technology changes. This is to ensure that the purpose of the information support, the transaction of business, is the basis for any proposed change. Unintended effects on business due to information technology changes will be minimized. A change in technology may provide an opportunity to improve the business process and hence, change business needs.
Implications: The data trustee will be responsible for meeting quality requirements levied upon the data for which the trustee is accountable. It is essential that the owner have the ability to provide user confidence in the data based upon attributes such as 'data source.' It is essential to identify the true source of the data in order that the data authority can be assigned this trustee responsibility. This does not mean that classified sources will be revealed nor does it mean the source will be the owner. Information should be captured electronically once and immediately validated as close to the source as possible. Quality control measures must be implemented to ensure the integrity of the data.

Principle TP5
Name: Convergence
Statement: Networks should be designed to support converged services to accommodate data, voice, and video services and to be application aware in the delivery of business-critical application systems.
Rationale: Network costs will be lower. Voice and data networks are becoming interchangeable (e.g., convergence).
Implications:
- Education of local network personnel (voice and/or data) on tradeoff potentials.
- Need for rudimentary models of network costing and network architecture for planning during system development process (e.g., for boundary estimations).
- May need to provide incentives for coordinating between local voice and data network personnel.
- Data network planners need input from local voice planners.
- Analysis & decision processes for local service may need to include input from data network organization.
- Requires modified (new) system development process to identify the network impacts to the total costs early in the design stage.

Principle TP6
Name: Open Architecture Support
Statement: Support for open standards
Rationale: The technical infrastructure must be designed to accommodate open, vendor-neutral, mainstream technologies and multi-protocol communication.

Implications:
- Open, vendor neutral networks provide the flexibility and consistency that allows agencies to respond more quickly to changing business requirements;
- Industry-wide, open standards and architecture provide for the consistent deployment, management, and expansion of networks to allow agencies to respond more quickly to changing business requirements;
- This approach supports economic and implementation flexibility because technology components can be purchased from many vendors. This insulates the state from unexpected changes in vendor strategies and capabilities;
- Design applications to be transport-independent

Applying Architecture Principles

3.3. Stakeholder Management

4. Architecture Reference Models

4.1. Business Reference Model

Overview

The Business Reference Model identifies the business functions, processes, organization, and information flow for accomplishing the mission of a Liberia e-government (e-liberia) initiative. To be effective, E-Gov solutions often involve business solutions that cross traditional organizational boundaries, both within and across government organizations & agencies, and with outside constituencies such as citizens and business.

Each ministry, agency or structure (MAC) has its own service delivery model, which is a mix of manual and electronic. However, these services exist as functional silos due to the lack of a national integrated service delivery platform. Although some services are partially integrated, they can still benefit from a well-developed business architecture integrated across all MACs.

The Government of Liberia Enterprise Architecture (GoL) Business Reference Model adopted the Federal Enterprise Architecture (FEA), which is a function-driven framework that describes the business of Government. It provides a framework that facilitates a functional view of the Liberia Government's Lines of Business (LoB) as against the usual organizational view of government business. By describing the Liberia Government around common business areas instead of the silo-based, agency-by-agency view, the BRM promotes agency collaboration. It also serves as an underlying foundation for the Enterprise Architecture.

The BRM is developed using the mandates that describe the functions of the various ministries, agencies and commissions and the US Government Federal Enterprise Architecture (FEA-BRM) as a base document with extensive modification to reflect the Liberia Government. This model can be viewed as the top down entry point into the Reference Architecture and it supports the primary aim of the architecture, which is to promote reuse and standardization. Identifying common Business capabilities enables us to identify the opportunities for developing common supporting ICT capabilities.

The BRM has been structured into a layered hierarchy representing business functions of the Ghana Government. Business domains are at the highest level, followed by Business Processes and corresponding Sub-processes.

The Benefits of BRM

The Business Reference Model provides a view of the Liberia Government's business. Through this government-wide perspective of lines of business and government functions, the BRM provides an insight for identifying potential government functions for streamlining and optimization of business processes, and for consolidation and integration of IT systems. The Liberia Government will be highly effective and efficient in performing its functions as a result of the follow up efforts to streamline and optimize business processes, and consolidate and integrate IT systems. The final beneficiaries will be the citizens, residents and commercial establishments in Liberia as they will enjoy greater convenience and better user experience when they transact with the Liberia Government.

When do you need to refer to BRM?

The BRM treats the Liberia Government as a large business enterprise when defining its lines of business and the associated government functions. Hence, the BRM is a business architecture document that provides a good representation of the business of the Liberia Government. Upon careful study of the BRM, it will provide a thorough insight into the different functions of the Liberia Government business.

The Structure

The structure of the BRM taxonomy is a three-layered hierarchy representing the business functions of the Liberia Government. The layers are:
- Level 1 Business Areas: describes government functionality and activities surrounding the operations of government.
- Level 2 Lines of Business (LoB) (within each Business Area): relates to government functions at the middle level of the BRM hierarchy.
- Level 3 Business Sub Functions (under each LoB): relates to government sub-functions, at the lowest level of the BRM hierarchy.

At an agency level, Business Capabilities are represented by Business Services that are enacted and supported through Business Processes, which are in turn supported and delivered by Service Components described in the Service Reference Model. The functional relationship between the GOL-BRM and the MAC-BRM is shown below (Figure 1.2).

The BRM metamodel diagram (Figure 1.2) shows how a MAC Business Architecture Reference Model aligns with the GOL BRM. Architects for the agents should identify the business processes of the MAC and classify them using the GOL BRM terminology.

Figure 1.2 GOL BRM Metamodel (diagram relating the Ministry/Agency & Commission elements Business Requirements, Business Processes and Business Capabilities to the GOL-BRM classification elements BRM, BRM Business Area, BRM Line of Business and BRM Sub-Function)

This metamodel shows the GOL BRM Reference hierarchy on the right side: zero or one Business Reference Model (BRM) has zero or more BRM Business Areas, which each have zero or more BRM Lines of Business, which each have zero or more BRM Sub-Functions. It also shows that a BRM Sub-Function is related to the MAC Business Process, and furthermore how the Business Process relates to the MAC Business Capability, which is delivered as Business Services. From the MAC viewpoint on the left side, it shows that the Business Process, which delivers its Business Capability, implements the Business Requirements.

The Business Areas

Adapting a modified version of the FEA BRM, the GoL BRM separates government operations into three high level categories referred to as Business Areas:

External: Citizen, Businesses and Public Stakeholders
- Services for Citizens: provided by the government to and on behalf of individuals, businesses and other organisations, relating to the purpose of government.

Internal: Government to Government
- Service Delivery Support: provides the policy, programs and managerial foundation to government operations.
- Management of Government Resources: internal operations that enable the government to operate effectively and efficiently.

After a careful study of the Line-of-Businesses under the Service Delivery Mode Business Area in the FEA and the nature of the Liberia Government Services for citizens, it was observed that the two Business Areas are tightly coupled and need not be separated as different categories. Both the Services (Services for Citizen) and the mechanisms used by the Liberia Government to achieve its purposes are combined under the Services for Citizens Business Area. Citizen under this category refers to persons and businesses.

Services for Citizens: Agricultural Services, Business Support, Community Infrastructure, Cultural Affairs, Disaster Management, Education, Environment, Good Governance, Foreign Affairs, Health, Justice, Labor, National Defense, Natural Resources, Sports, Utility Services

Service Delivery Support: General Government, Planning & Budgeting, Information Exchange, Public Relation, Revenue Collection, Regulatory Practices

Managing Government Resources: Administrative Management, Supply Chain Management, Human Resource Management, Information and Technology, Financial Management

Thus, the GOL BRM comprises three Business Areas, which are made up of 31 Lines of Business. Twenty of these Lines of Business are found in the Services for Citizen layer and describe the purpose of the Liberia Government in functional terms. These Lines of Business are referred to as External Lines of Business. The remaining 11 Internal Lines of Business describe the support functions the government must conduct in order to effectively deliver services for citizens. Each Line of Business comprises a collection of Sub-Functions that represent the lowest level of granularity in the BRM.

33 Management of Government Resources Services for Citizen Support Delivery of Services Business Reference Model Business Area Line of Business Sub Function Agricultural Services Input Supplies, Technical Support, Research & Development, Promotion Controls & Oversight General Government Information Exchange Support Planning & Budgeting Public Relations Revenue Collections Corrective Action, Program Evaluation, Program Monitoring Central Fiscal Operations, Legislative Functions, Parliamentary Support, Public Administration Central Records & Statistics Information Analysis & Sharing, IS Strategic Development, Information Preservation IS Infrastructure Development, Budget Delivery, Budget Formulation, Capital Planning, Strategic Planning, Enterprise Architecture, Budget Execution, Tax & Fiscal Policy Customer Services, Official Information Dissemination, Product Outreach, Research & Development User Fee Collection, Debt Collection, Tax Collection, Sales of Goods & Services, Government Asset Sales Business Support Community & Social Infrac. 
Cultural Affairs Disaster Management Education Environmental Foreign Affairs Good Governance Healthcare Justice Services Labor National Defense Natural Resources Association of Registration, Business Accounting & Reporting, Business Registration & Licensing, Consumer Protection, Financial Institutions Control Community Care, Community Development, Family, Disability, Habitation, Postal Services, Senior, Other Social Services Cultural & Historic Preservation, Chieftaincy Affairs, Arts Devt, Arts & Cultural Promotion, Disaster Monitoring & Prediction, Disaster Preparedness & Planning, Disaster Recovery, Emergency Response Primary, Secondary Education, Tertiary Education, Vocational, Civic Education, Environmental Monitoring and Forecasting, Environmental Remediation, Pollution Consular Services, International Devt & Humanitarian Aid, Trade & Tourism Promotion Electoral Participation, Rule of Law, Transparency & Accountability, Policing Community Health Services, Health insurance, Public Health Services, Hospital Services Prosecution Services, Court Reporting, Criminal Law, Human Right Obligations, Conflict Training & Education, Trade Union, Health &Safety, Labor Right, Women Empowerment Operational Defense, Border Security & Immigration Control, Intelligence Operations, Peacekeeping Protective Support Land Use Management, Mineral Resources, Energy Resources, Water Resources Administrative Management Financial Management Human Resource Management Information Technology Management Supply Chain Management Facility, Fleet & Equipment Management, Security Mgnt, Help Desk Services, Travel, Workplace Policy Development & Management Accounting, Funds Control, Payments, Collections & Receivables, Assets & Liabilities, Reporting, Cost Accounting Recruitment, Remuneration Management, Employee Performance Management, Training & Development, Labor Relations ICT Operations & Infrastructure Management, Access Management, Service Management, Solution Delivery & Maintenance, 
Retention Goods Acquisition, Inventory Control, Logistics Management, Services Acquisition. Sports Sports Development, Youth Employment, Youth Mentoring Schemes Utility Services Communications, Energy Services, Transport, Waste & Recycling, Water Supply,

Services for Citizen

The Services for Citizen Business Area describes the mission and purpose of the Government of Liberia in terms of the services it provides to and on behalf of the Liberian citizen. Figure 1.4 below shows a graphical view of the Lines of Business under the Services for Citizen Business Area with their Sub-Functions. The Lines of Business (LoBs) are described below:

Line of Business: Agriculture (0100)
The promotion and provision of sustainable agriculture and thriving agribusiness through research and development, the use of technology, as well as support services to farmers.

Code Business Function: Description
0101 Input Supplies: Provision, distribution, and regulation of subsidised tools and materials for farming, fishing, lumbering and other agricultural activities.
Technical Support: Provision of skills, expertise, tools, and techniques for the documentation and management of agricultural and fishing initiatives.
Research and Development: Scientific investigative activities for the development and promotion of improved technologies and best practices for agricultural production and fisheries in an environmentally friendly and sustainable manner.
Promotion: Projection of Liberia agriculture, including fisheries, in an environmentally friendly and sustainable manner for food based nutrition education as an added-value to agriculture, natural resource management as well as gender-mainstreaming of agricultural policies, programmes and projects.

Line of Business: Business Support (0200)
Business Support includes supporting the private sector, including small Business and non-profit organisations; supporting strategies to assist Business growth and management; supporting advocacy programs and advising on regulations surrounding Business activities; and assisting Businesses to comply with reporting requirements of the Government.

Code Business Function: Description
0201 Association Registration: This domain includes all activities that support, maintain and process the registration of associations; recording their details and issuing registration numbers.
0202 Business Accounting and Reporting: This domain includes all activities that support and assist businesses and organisations in their efforts to maintain accounts and records of their business activities, and to satisfy business reporting requirements of the government;

0203 Business Registration and Licensing: This domain includes all activities that support the recording and registration of businesses including companies and corporations. It also involves the application assessment and the issuance of registration numbers, permits and licenses.
Consumer Protection: Includes activities that safeguard the purchasers of goods and services; provide information to consumers and business about their rights and obligations and handle complaints and manage dispute resolution procedures.
0205 Financial Institutions Control: Activities include control banks, credit unions, building societies and friendly societies; advise on rules for capital adequacy and monitor the activities of financial institutions and investigate suspected breaches of prudential regulations.

Line of Business: Community and Social Infrastructural Services (0300)
All activities aimed at creating, expanding or improving community and social infrastructural development, social relationships and social services in Liberia. This includes all activities aimed at locality-specific or nationwide social development and general social services. This Business Function includes general community development and social services programs, as well as earned and unearned benefit programs.

Code Business Function: Description
0301 Community Care: This domain includes all services that support the community, and provide leadership and coordination for community welfare including disadvantaged communities (e.g. rural) and care and rehabilitation activities that are not public health services.
0302 Community Development: Activities designed to assist communities (municipal and metropolitan) in preventing and eliminating blight and deterioration, assist economically distressed communities, and encourage and foster economic development through improved public services (infrastructure, public amenities, etc).
Family: This domain includes all services that support parents, carers, their families and support networks, to develop individuals and promote social equity. This domain includes adoption services and family services such as counselling and support.
Disability: This domain includes all services that support people with a disability and their families, seeking to increase their inclusion in the community. It also includes whole-of-government leadership and coordination with respect to Disability services.
Habitation: This domain includes all services involved directly and indirectly in community housing and housing assistance, as well as influencing the overall housing systems within their jurisdiction.
Postal Services: Provide for the timely and consistent exchange and delivery of national/international mail and packages i.e. between businesses, organisations, and residents of Liberia or with the rest of the world.
Senior: This domain includes all services that support individuals that are classified as senior citizens (aged over 60). This domain includes such services as pension, home care, aged care, transitioning to

retirement, life style and nursing homes.
Other Social Services: Activities designed to provide meaningful opportunities for social and economic growth of the disadvantaged sector of the population in order to develop individuals into productive and self-reliant citizens as well as promote social equality.

Line of Business: Cultural Affairs (0400)
Cultural Affairs includes supporting the arts and cultural organizations such as museums, libraries and galleries; supporting the development and management of cultural collections and artifacts, and stimulating growth in cultural industries; and sponsoring activities and events to celebrate the diversity of Liberia culture.

Code Business Function: Description
0401 Cultural and Historical Preservations: Activities aimed at maintaining and preserving the cultural heritage and history of Liberia, its citizens and its regions.
Cultural Festivals: This domain includes all services performed by a government to ensure the procurement and management of energy resources, including the production, sale and distribution of energy, as well as the management of spent fuel resources. Energy services include all types of mass-produced energy (e.g., hydroelectric, wind, solar, or fossil fuels).
Arts Development: This domain includes all services relating to the networks that support the act of communication (transmission or receiving) through telephone, cable, radio signals and postal services.
Arts and Cultural Promotion: Activities that promote the development of traditional arts, artefacts, dance and local/native festivals for the education and appreciation of nationals as well as foreigners.
Chieftaincy Affairs: Activities for coordinating traditional leadership and conflict resolution in order to establish harmonious and peaceful communities.
Religious Harmonization: Activities geared towards the recognition, honoring and harmonization of different religious denominations, beliefs and practices in the various regions.

Line of Business: Disaster Management (0500)
This domain includes all services that prepare for, manage, mitigate, respond to and repair the effects of all disasters, whether natural or manmade.

Code Business Function: Description
0501 Disaster Monitoring and Prediction: Disaster Monitoring and Prediction involves the actions taken to predict when and where a disaster may take place and communicate that information to affected parties.
0502 Disaster Preparedness and Planning: Disaster Preparedness and Planning involves the development of response programs to be used in case of a disaster as well as pre-disaster mitigation efforts to minimize the potential for loss of life and property. This involves the development of emergency management

programs and activities as well as staffing and equipping regional response centers, and mitigation focused construction and preparation.
Disaster Recovery: Disaster Repair and Restore involves the cleanup and restoration activities that take place after a disaster. This involves the cleanup and rebuilding of homes, buildings, roads, environmental resources, or infrastructure that may be damaged due to a disaster.
Emergency Response: Emergency Response involves the immediate actions taken to respond to a disaster. These actions include, but are not limited to, providing mobile telecommunications, operational support, power generation, search and rescue, and medical life-saving actions.

Line of Business: Education (0700)
This domain includes all formal education services that impart knowledge or understanding of a particular subject via systematic instruction to the public. The domain covers not only formal schooling, but also higher education, vocational training and adult and community education services.

Code Business Function: Description
0701 Primary & Secondary Education: This domain refers to the provision of education in elementary subjects (reading and writing and arithmetic) and includes all educational services provided to children from preparatory years
0702 Tertiary Education: This domain includes all services that relate to education provided by a college or university. Education at this level is associated with a degree, a Certificate of Higher Education or a Diploma/Advanced Diploma of Higher Education. Higher education also includes postgraduate studies.
Vocational Education: This domain includes all education services related to a specific trade or occupation. Vocational education typically has an emphasis on manual or practical activities. Vocational training content is typically delivered in association with industries and training providers. Education of this type is also known as technical education.
Community Education: This domain includes all non-compulsory education and personal development services that provide adult learning in literacy and numeracy. The domain also includes community learning, provided via a range of structured non-accredited short courses offered to the public.
Civic Education

Line of Business: Environmental Management (0900)
This domain includes all services required to monitor the environment and weather, determine proper environmental standards and ensure their compliance, and address environmental hazards and contamination. Services related to regulation of Natural Resource usage are covered under Natural Resource Services.

Code Business Function: Description

0901 Environmental Monitoring and Forecasting: This domain includes all services that observe and predict environmental conditions. This includes but is not limited to the monitoring and forecasting of water quality, water levels, ice sheets, air quality, regulated and non-regulated emissions, as well as the observation and prediction of weather patterns and conditions.
0902 Environmental Remediation: This domain includes all services that support the immediate and long-term activities associated with correcting and offsetting environmental deficiencies or imbalances, including restoration activities.
Pollution: Activities designed to provide meaningful opportunities for social and economic growth of the disadvantaged sector of the population in order to develop individuals into productive and self-reliant citizens as well as promote social equality.

Line of Business: Foreign and Diplomatic Affairs (1000)
This domain includes all formal education services that impart knowledge or understanding of a particular subject via systematic instruction to the public. The domain covers not only formal schooling, but also higher education, vocational training and adult and community education services.

Code Business Function: Description
1001 Consular Services: Consular Services refers to those activities associated with the implementation of foreign policy and diplomatic relations, including the operation of embassies, consulates, and other posts; ongoing membership in international organizations; the development of cooperative frameworks to improve relations with other Nations; and the development of treaties and agreements.
International Development and Humanitarian Aid: Activities related to the implementation of development and humanitarian assistance programs provided to developing and transitioning countries throughout the world.
Trade and Tourism Promotion: Trade involves the promotion of economic co-operation with other countries to gain market access for Liberian products and services as well as attract foreign investment for Liberian and maximize the inflow of development assistance from both bilateral and multilateral sources. Tourism involves promotion of Liberia tourism in domestic, regional and international markets; promulgation of legislation and regulations on tourism development including investment policies and incentives; researching regional and global tourism trends.
International Law and Order: Liberia's participation in activities to establish law and order in other countries especially African nations, in the interest of Liberian and other citizens trapped in those places e.g. diplomatic negotiations and the commitment of peacekeeping soldiers to African and foreign war zones.

Line of Business: Good Governance (1100)
Improving the effectiveness, efficiency, accountability and transparency of information and

39 transactional exchanges between Ministries, Agencies and commissions and to empower Citizens through accurate and timely access to information and Government services. Code Business Function Description 1101 Electoral Participation Government's program that enables citizens to exercise their right to vote e.g. the LEPI's activities Rule of Law Government's programs to ensure that Civil Freedom of citizens is guaranteed by making them aware of their rights and ability to communicate freely without any penalties for infringement Transparency and Accountability Government's efforts to ensure transparency and accountability among Government officials and encourage the avoidance of corruption Policing Policing involves maintaining the safety of Liberia at all levels of society; guarding against internal threats to peace and stability; supporting law enforcement, community protection and corrective services; and coordinating intelligence gathering and international security activities. Line of Business: Healthcare (1200) Healthcare includes supporting the prevention, diagnosis and treatment of disease or injury; supporting the provision of health care services and medical research; supporting regulatory schemes for health care products and pharmaceuticals; and controlling the registration and conduct of health practitioners. Code Business Function Description 1201 Community Health Services 1202 Health Insurance Schemes 1203 Public Health Services This domain includes services that support the protection of the physical and mental wellbeing of community members in a particular district; and support the provision of direct assistance to individuals or groups and address the needs of the local community; In addition, the monitoring of community health services to ensure adequate levels of care. 
This domain includes services that support the provision of financial guarantees against risk of disease or injury; and support the operation of universal health insurance schemes; allow subsidized medical treatment within the public health system. This domain includes services that support the protection of the physical and mental wellbeing of all people at a broad level; and support the understanding and control of the determinants of disease. It also includes the government of Liberia's effort to reduce public exposure to risks encountered as part of lifestyle or the environment Medical Research This domain include services that support the scientific investigation of human health and disease; advise on medical research regulations and standards for ethical conduct; It also support the availability of medical equipment or research services, and advise on criteria for the allocation of funding to

40 medical research Hospital Services This domain includes services that support the provision of hospital services and health care through institutions offering a wide range of treatments and services 1206 Health Standards This domain includes services that support activities that are fundamental to the promotion of health and prevention of disease and the consistency of health procedures across jurisdictions; and advise on health regulations, standards and guidelines (including drugs and poisons control and food hygiene); It also include government activities that control the registration and conduct of health care providers. Line of Business: Justice Services (1300) Justice involves providing, interpreting and applying legislation, regulations or by-laws; providing advice on regulations regarding the conduct of individuals, Business and Government to conform to agreed rules and principles; and supporting the operation of the justice system. Code Business Function Description 1301 Prosecution Services This includes bringing individuals or organizations to trial for criminal offences and carries on of legal proceedings against a party in the interests of the public Court Reporting The capturing and making accessible a record of what is said in a court or other judicial decision-making body (including recording and publishing a statement of facts, arguments and judgments of a proceeding in the form of a transcript) Criminal Law This includes the application of the body of law that governs actions punishable by the state; provide and advise on rules of statute and common law to define criminal behavior, specific penalties and the conduct of legal proceedings Human Right Ensuring the freedoms to which all people are entitled are upheld Obligations and providing advise on and monitor principles which may be constitutionally entrenched and guaranteed, recognized at common law, or declared by an international legal instrument (including investigations into breaches and 
promotion of human rights obligations and principles) 1305 Conflict Resolution Facilitation activities outside a court of law such as mediation and arbitration that may be used in an attempt to settle a dispute between two or more parties e.g. Government agencies, citizens, or businesses. Line of Business: Labor (0800) Labor includes supporting employment growth and working environments; supporting strategies to improve workplace relations, productivity and performance; and supporting labor market stability and growth. Code Business Function Description 0801 Training and Vocational Rehabilitation includes all activities devoted to providing

41 Employment educational resources and life skills necessary to rejoin society as responsible and contributing members Trade Unions Trade Unions manage the relationship between the agency and its unions and bargaining units. This includes negotiating and administering labor contracts and collective bargaining agreements; managing negotiated grievances; and participating in negotiated third party proceedings Occupational Health Worker Safety refers to those activities undertaken to save lives, and Safety prevent injuries, and protect the health of America's workers Labor Rights Management 0805 Women Empowerment Labor Rights Management refers to those activities undertaken to ensure that employees and employers are aware of and comply with all statutes and regulations concerning labour rights, including those pertaining to wages, benefits, safety and health, whistleblower, and non-discrimination policies for non-federal employees. Recognition of women in industry, their contribution to commerce and projecting or leveraging their general role in business environments. Line of Business: National Defense and Security (1400) All activities involved in the effective formulation, coordination, monitoring and evaluation of defense policies and programs plus maintaining the Liberia Armed Forces (GAF) in a high state of preparedness for national and international engagements in the promotion of peace and stability within Liberia Code Business Function Description 1401 Operational Defence Linking tactics and strategy by establishing operational objectives needed to accomplish the strategic objectives, sequencing events to achieve the operational objectives, initiating actions and, applying resources to bring security Border Security and Immigration Control 1403 Intelligence Operations Protect Liberia Borders and ensuring Liberia's ability to resist foreign aggression or attack. 
Immigration includes assisting people wishing to enter Liberia on a permanent or temporary basis; providing and advising on entry or deportation requirements for migrants and visitors. Intelligence operations refer to the ability to understand dispositions and intentions as well as the characteristics and conditions of the operational environment that bear on national and military decisionmaking Peacekeeping Protective Support It also defines the ability to conduct activities to meet the intelligence needs of national and military decision-makers. It includes intelligence planning/direction, collection, processing/exploitation, analysis dissemination. Support international peacekeeping efforts to protect the civilians of Liberia s allies and other countries within the Liberian region. Assist efforts to restore peace and stability in war-torn countries,

42 support and assist with the protection of civilians involved in rehabilitation and reconstruction efforts in war-torn countries. Line of Business: Natural Resources (1500) Natural Resources involve supporting the sustainable use and management of energy, mineral, land and water supplies; evaluating resource consumption and exploitation practices; and advising on related regulations and supporting industries that realize the economic potential of resources. Code Business Function Description Land Use Management This domain includes all services that promote the effective use and management of the State s land. This domain also includes services related to land titles, surveying and valuations. Also, provide sustainable property services to government agencies such as those associated with national parks and government housing Mineral Resources This domain includes all services that promote the effective use and management of mineral resources. This domain also relates to mining and mineral processing and the application of legislation relating to mining and mineral processing Energy Resources This domain includes all services that promote the effective use and management of fossil fuels, renewable and other energy resources Water Resources This Line of Business includes all services that promote the effective use and management of the State s water resources. Support water industry partnerships and cooperative approaches to the management and use of water. The provision of advice on regulations regarding the exploitation of water resources to ensure a sustainable quality and availability for household, industrial and agricultural use. Line of Business: Sports (1600) The policies and activities to promote and accelerate sports development for the welfare of Liberians in order to achieve human development, good health, national integration and international recognition. 
Code Business Function Description 1601 Sports Development Development of sporting programs, curricula and activities to attract and develop talent as well as project Liberia's representation at national and international levels. Line of Business: Utility Services (1800) Provision of basic amenities such as telephony, internet services, electricity, water and drainage for public use Code Business Function Description 1801 Communications This domain includes all services relating to the networks that support the act of communication (transmission or receiving)

43 through telephone, cable, radio signals and postal services Energy Services This domain includes all services performed by a government to ensure the procurement and management of energy resources, including the production, sale and distribution of energy, as well as the management of spent fuel resources. Energy services include all types of mass-produced energy (e.g., hydroelectric, wind, solar, or fossil fuels) Transport This domain includes all services related to transport of passengers or goods. It includes all activities related to public transport, as well as transportation infrastructure, licensing and safety Waste and Recycling This domain includes all services that deal with unwanted or undesired material or substances (waste), and converting materials that are no longer useful as designed or intended into a new product (recycling). This domain also includes sewage services Water Supply This domain includes all services performed by a government to ensure the procurement and management of water resources for consumption by constituents, including the treatment, sale and distribution of water Support Delivery of Services The Service Delivery Support represents the functions used by the Liberia Government in providing its services to Citizens. It includes both government avenues for delivery services and the capabilities that support government operations. For example, the provision of the Utility Services Line of Business (LoB) is supported by the Regulatory Practices of the Service Delivery Support Business Area. Line of Business: Controls & Oversight (1900) Controls and Oversight ensures that the operations and programs of State government and its external business partners comply with applicable laws and regulations and prevent waste, fraud, and abuse. 
Code Business Function Description 1901 Corrective Actions Corrective Action involves the enforcement of activities to remedy internal or external programs that have been found noncompliant with a given law, regulation, or policy 1902 Program Evaluation Program Evaluation involves the analysis of internal and external program effectiveness and the determination of corrective actions as appropriate Program Monitoring Program Monitoring involves the data gathering activities required to determine the effectiveness of internal and external programs and the extent to which they comply with related laws, regulations, and policies.

Line of Business: General Government (1900)
General Government involves the general overhead costs of State government, including legislative and executive activities; provision of central fiscal, personnel, and property activities; and the provision of services that cannot reasonably be classified in any other Line of Business. As a normal rule, all activities reasonably or closely associated with other LoBs or Sub-functions shall be included in those LoBs or Sub-functions rather than listed as a part of general government. This Line of Business is reserved for central government management operations; agency-specific management activities would not be included here.

Code Business Function Description
1901 Central Fiscal Operations: Central Fiscal Operations includes the fiscal operations that the Department of Finance, State Controller's Office, Treasurer's Office and Department of General Services performs on behalf of the government. Note: Tax-related functions are included within the Taxation Management Sub-function
1902 Legislative Functions: Legislative Functions include the costs of the Legislative Branch
Parliamentary Support: supply administrative assistance to elected members in all tiers of government in Liberia to help them fulfill their duties; manage secretariat support and secretarial staff; provide access to reference and research services; offer advice on procedures and the interpretation of standing orders
1904 Public Administration: Develop and administer programs to implement the policies and initiatives of the executive and elected representatives; review and evaluate the performance of such programs; develop policy and guidelines to improve public administration
Central Records & Statistics Management: Central Records and Statistics Management involves the operations surrounding the management of official documents, statistics, and records for the entire State government. This Subfunction is intended to include the management of records and statistics for State government as a whole. Note: Many agencies perform records and statistics management for a particular business function and as such should be mapped to that line of business. The Central Records and Statistics Management is intended for functions performed on behalf of the entire State government

Line of Business: Information Exchange Support (2000)
Information Exchange Support involves the ownership or custody of information and intellectual assets held by the government, and the governance of information collection, arrangement, storage, maintenance, retrieval, dissemination and destruction. It includes maintaining the policies, guidelines and standards regarding information management and governance.

Code Business Function Description

2001 Information Analysis & Sharing: This domain includes all services relating to the networks that support the act of communication (transmission or receiving) through telephone, cable, radio signals and postal services
IS Strategic Development: The Information Systems Strategy Development Function includes the development of the vision of how IS will support the delivery of the Government strategies. This includes the definition of the IS expenditure targets such as the proportion of IS spend for ongoing support and maintenance versus investments, strategic architecture vision and strategic application development plans
IS Infrastructure Development and Support: This domain includes all services performed by a government to ensure the development and support of IS Infrastructure. This includes the establishment of National Backbone Network, building Government wide network infrastructure and the development of broadband internet access nationwide
Information Security: This domain includes all services pertaining to the protection of Government of Liberia's information systems from unauthorized access, use, disclosure, disruptions, modification, or destructions
Information Preservation: This domain includes all services concerned with maintaining or restoring access to information through the study, diagnosis, treatment and prevention of decay and damage

Line of Business: Planning & Budgeting (2100)
Planning and Budgeting involves the government activities of determining strategic direction, identifying and establishing programs, services and processes, and allocating resources (capital and labour) among those programs and processes.

Code Business Function Description
2101 Budget Delivery: Affect the legal appropriation and managerial distribution of budget authority to achieve results consistent with the formulated budget
Budget Formulation: Affect the activities undertaken to determine priorities for future spending and to develop an itemised forecast of future funding and expenditures during a targeted period of time (including the collection and use of performance information to assess the effectiveness of programs and develop budget priorities)
Capital Planning: Capital Planning involves the processes for ensuring that appropriate investments are selected for capital expenditures
Enterprise Architecture: Enterprise Architecture is an established process for describing the current state and defining the target state and transition strategy for an organization's people, processes, and technology
Budget Execution: Budget Execution involves the legal (apportionment) and managerial (allotment and sub-allotment) distribution of budget authority to achieve results consistent with the formulated budget
Strategic Planning: Strategic Planning entails the determination of annual and long-term goals and the identification of the best approach for achieving those goals
2107 Tax & Fiscal Policy: Tax and Fiscal Policy encompasses analysis of the implications for economic growth and stability in California and the state tax and spending policies. This includes assessing the sustainability of current programs and policies, the best means for raising revenues, the distribution of tax liabilities, and the appropriate limits on debt

Line of Business: Public Relations (2200)
This Line of Business involves the exchange of information and communication between the Government, citizens and stakeholders in direct support of citizen services, public policy, and/or national interest. It includes government-wide Customer Services activities.

Code Business Function Description
2201 Customer Services: Affect the legal appropriation and managerial distribution of budget authority to achieve results consistent with the formulated budget
Official Information Dissemination: Affect the activities undertaken to determine priorities for future spending and to develop an itemised forecast of future funding and expenditures during a targeted period of time (including the collection and use of performance information to assess the effectiveness of programs and develop budget priorities)
Product Outreach: Affect the efforts to gauge the ongoing effectiveness and efficiency of business services and business processes and identify opportunities for re-engineering or restructuring; plan and support innovation to business solutions, products and government services
Research & Development: Affect the processes for ensuring that appropriate investments are selected for capital and operational expenditures.

Line of Business: Revenue Collection (2300)
Revenue Collection includes the collection of government income from all sources. Ensuring successful management and sustainable development of revenue collection in Liberia through its agencies.

Code Business Function Description
2301 User Fee Collection: Affect the collection of fees imposed on individuals or organizations for the provision of government services and for the use of government goods or resources (e.g. national parks)
Tax Collection: Affect the activities associated with the collection of taxes and levies from business and the community; assess and review the operation of the tax system. Also includes both personal and corporate tax systems
Sales of Goods and Services: Affect the sales of goods and services to the public and other non-government entities (For Example Road tow collection)
2304 Government Asset Sales: Affect the processes for ensuring that appropriate investments are selected for capital and operational expenditures.

Line of Business: Regulatory Practices (2400)
Regulatory Development involves activities associated with developing regulations, policies, and guidance to implement laws.

Code Business Function Description
2401 Policy and Guidance Development: Creation and dissemination of guidelines to assist in the interpretation and implementation of regulations
Public Feedback Tracking: Public Feedback Tracking involves the activities of soliciting, maintaining, and responding to public comments regarding proposed regulations
Regulatory Creation: Regulatory Creation involves the activities of researching and drafting proposed and final regulations
Policy Publication: Policy Publication includes all activities associated with the publication of a proposed or final rule

Management of Government Resources

The Managing the Government of Liberia Business Area refers to government-wide support activities that enable effective and efficient operations of the Liberia Government. For example, in order to provide services for citizens, government resources may be involved in managing changes to the business environment and the service delivery environment, managing finances to fund the provision of the services and their supporting operations, managing human resources to administer and support the services, and managing the working environment. The government must also manage and protect the data and information generated through these activities.

Line of Business: Administrative Management (2500)
This domain includes all services associated with the day-to-day management and maintenance of government's internal infrastructure.

Code Business Function Description
2501 Facilities, Fleets and Equipment Management: This domain includes all services that maintain, administer and operate infrastructure facilities that are possessions of an organization
Help Desk Services: Affect the management of a service centre to respond to government and contract employees' technical and administrative questions
Security Management: Affect the physical protection of an organization's personnel, assets and facilities (including security clearance management)
Travel: Affect the activities associated with planning, preparing and monitoring of business related travel for an organization's employees
Workplace Policy Development: Affect the activities involved in developing and disseminating workplace policies such as dress codes, time reporting requirements, telecommuting, etc.

Line of Business: Supply Chain Management (2600)
Supply Chain Management involves the purchasing, tracking, and overall management of goods and services.

Code Business Function Description
2601 Goods Acquisition: Goods Acquisition involves the procurement of physical goods, products, and capital assets to be used by State government
Inventory Control: Inventory Control refers to the tracking of information related to procured assets and resources with regard to quantity, quality, and location
Logistics Management: Logistics Management involves the planning and tracking of personnel and their resources in relation to their availability and location
Services Acquisition: Services Acquisition involves the oversight and/or management of contractors and service providers from the private sector.

Line of Business: Human Resource Management (2700)
The HR Management Function covers the day to day management of the Government Organisation's staff including recruitment of staff, development and training, redeployment or retirement and ongoing appraisals / performance management.

Code Business Function Description
2701 Recruitment: establish procedures for recruiting and selecting high-quality, productive employees with the right skills and competencies, in accordance with merit system principles (including developing a staffing strategy and plan); establish an applicant evaluation approach; announce the vacancy; source and evaluate candidates against the competency requirements for the position; initiate pre-employment activities; hire employees
Remuneration Management: Affect the design, development and implementation of compensation programs that attract, retain and fairly compensate agency employees. In addition, the design, development and implementation of pay for performance compensation programs to recognise and reward high performance, with both base pay increases and performance bonus payments (including developing and implementing compensation programs; administering bonus and monetary awards programs; administering pay changes; managing time, attendance, leave and pay; and managing payroll).
2703 Employee Performance Management: Affect the design, development and implementation of a comprehensive performance management approach to ensure agency employees are demonstrating competencies required of their work assignments; Design, develop and implement a comprehensive performance management strategy that enables managers to make distinctions in performance and links individual performance to agency goal and mission accomplishment (including managing employee performance at the individual level and evaluating the overall effectiveness of the agency's employee development approach).
2704 Training and Development: Affect the design, development and implementation of a comprehensive employee development approach to ensure that agency employees have the right competencies and skills for current and future work assignments (including conducting employee development needs assessments; designing employee development programs; administering and delivering employee development programs; and evaluating the overall effectiveness of the agency's employee development approach).
2705 Organization and Position Management: Affect the design, development and implementation of organisational and position structures that create a high performance, competency-driven framework that both advances the agency mission and serves agency human capital needs
Workplace Relations: Affect the design, development and implementation of programs that strive to maintain an effective employer-employee relationship that balances the agency's needs against its employees' rights. It also manages the relationship between the agency and its unions and bargaining units. This includes negotiating and administering labour contracts and collective bargaining agreements; managing negotiated grievances; and participating in negotiated third party proceedings.

Line of Business: Information Technology Management (2800)
This Line of Business involves the exchange of information and communication between the Government, citizens and stakeholders in direct support of citizen services, public policy, and/or national interest. It includes government-wide Customer Services activities.

Code Business Function Description
2801 ICT Operations and Infrastructure Management: Affect the activities associated with managing and maintaining standard operations within the ICT environment and supporting the ICT infrastructure; Minimize the likelihood and consequences of disaster or disruption to normal service operations and recovery of business services and applications following disastrous events or disruptions.
2802 ICT Resource Access Management: Manage user access to ICT resources and authenticate and verify user identity and authority to access; Log, track and monitor user access activities and provide, restrict and remove rights to access
ICT Service Assistance: Provide a primary point of contact for users of ICT services regarding requests for service or incidents causing disruption to normal service operation or reduction in quality of service; provide first level of resolution and support for requests and incidents or referring on to more specialised support and initiate change to remedy causes of disruption or service quality reduction
ICT Service Management: affect the activities and processes involved in providing quality ICT services (including managing the ability to meet demand for services; managing the agreed levels of service between the ICT service provider and the service customer; managing the ICT configuration that supports service provision; and includes managing change to ICT resources)
2805 ICT Solution Delivery and Maintenance: Affect the activities associated with delivering and maintaining software services and applications to meet business and corporate needs. Business solutions may include in-house, inter-agency and vendor-supplied software services and applications.
2806 ICT Supplier Relationship Management: Affect the activities involved in managing the contractual relationships between the organization and suppliers of ICT services and software solutions and establish, monitor and report on achievement of agreed service levels.

Line of Business: Financial Management (2900)
Financial Management involves the agency use of financial information to measure, operate and predict the effectiveness and efficiency of an entity's activities in relation to its objectives. The ability to obtain and use such information is usually characterized by having in place policies, practices, standards and a system of controls that reliably capture and report activity in a consistent manner.

Code Business Function Description
2901 Accounting: Account for assets, liabilities, revenues and expenses associated with the maintenance of government programs and expenditure of government appropriations in accordance with applicable standards.
2902 Asset and Liability Management: Account for support for the management of assets and liabilities of the government (including the major assets and liabilities presented on the government balance sheet that contribute towards the net debt and net worth of the Government).
2903 Financial Resource Management: Affect the management of government financial assets and provide advice on legislative responsibilities and reporting requirements; Manage the efficient, effective and ethical use of government resources
Payments: Affect the disbursements of government funds, via a variety of mechanisms, to government and private individuals, government agencies, state, territory, local and international governments, and the private sector, to effect payment for goods and services, or distribute entitlements, benefits, grants, subsidies, loans or claims
Procurement: Affect the whole process of acquiring property and services. It begins when an agency has identified a need and decided on its procurement requirement. Procurement continues through the processes of risk assessment, seeking and evaluating alternative solutions, contract award, delivery of and payment for the property or services and, where relevant, the ongoing management of a contract and consideration of options related to the contract.

4.2. Data Reference Model

Overview

The Data Reference Model (DRM) is a classification taxonomy that facilitates the development of Government of Liberia information that can be effectively shared across MACs for better and more effective government service delivery, improved decision-making and improved mission performance. As a catalyst, the DRM multiplies the value of existing data holdings residing in silos through better discovery and understanding of the meaning of the data, how to access it, and how to work with it to support performance results. It is used to describe the context for information exchanges and the type of data entities and attributes that support the government's business operations.

The DRM is a service-oriented model that provides the pathway for Services to Citizens to become operational. At the same time, the DRM provides an impetus for government organizations to better understand their data and how it fits in the total realm of government information. The DRM provides a standard means by which data may be described, categorized and shared among the MACs within the Government of Liberia. The proposed Data Reference Model is based on the FEA version

Benefits of DRM

The DRM can help identify opportunities for data sharing and reuse by providing a means to consistently describe data architectures. The DRM's approach to Data Description, Data Context and Data Sharing enables MACs to uniformly describe their data and information, resulting in increased opportunities for cross-agency interactions. It categorizes government information and establishes a classification of government data with respect to how it supports the business of the government. DRM standards allow government agencies to share data in common formats with common definitions. This will result in consistent application of data across government.

- DRM can help identify opportunities for eliminating redundant data collection activities and storage within and across agencies
- It will provide an index of government information that can facilitate the exchange of electronic information
- The DRM will provide classifications of government data that allow general users (citizens) to locate information with ease

When do you refer to the DRM?

The DRM provides guidance to enterprise architects and data architects for implementing repeatable processes to enable data sharing in accordance with government-wide agreements, including agreements encompassing Ministries, Agencies and Commissions as well as other public and private non-government institutions. The intent is to mature, advance and sustain these data agreements in an iterative manner.

DRM Implementation

The DRM provides a common, consistent means of describing, categorizing and sharing data. In line with the FEA DRM, the GoL DRM is structured into three standardization areas (i.e. Data Context, Data Description and Data Sharing). These standardization areas provide MACs with a standard and structured approach to categorize and describe their data and information, leading to increased opportunities for cross-agency interactions:

1. Data Context: facilitates discovery of data through an approach to the categorization of data according to taxonomies. Additionally, it enables the definition of authoritative data assets within a COI. Data Context is the basis for data governance. Understanding Data Context provides the means for informed government decision-making with regard to its information holdings.
2. Data Description: provides a means to uniformly describe data, thereby supporting its discovery and sharing. The description of data may include structured, semi-structured and unstructured information.
3. Data Sharing: supports the access and exchange of data where access consists of ad-hoc requests (such as a query of a data asset) and exchange consists of fixed, recurring transactions between parties. This is enabled by capabilities provided by both the Data Context and Data Description standardization areas.

[Figure: the three DRM standardization areas. Data Sharing (Data Access & Exchange); Data Description (Semantics of Data & Data Assets); Data Context (Business Context & Taxonomies).]

The figure above describes the relationship between the three key data standardization areas. The arrangement indicates how Data Sharing is supported by the capabilities provided by the Data Description and Data Context standardization areas and how Data Description and Data Context capabilities are mutually supportive.

Data Context standardization area

Definitions

The Data Context standardization area establishes a management mechanism that uses taxonomies and descriptive information to categorize / classify data assets. Data Context is any information that provides additional meaning to data to relate it to the purposes for which it was created and used. Data Context is the basis for data governance.

Taxonomies are represented by a hierarchical set of Topics connected by relationships. The Topics are either single words or phrases arranged hierarchically. These hierarchies normally go from more general concepts to more specific ones. They are implemented in the form of Extensible Markup Language (XML) Topic Maps, Web Ontology Language (OWL) hierarchies or ISO Classification schemes.

A Topic is a category within a Taxonomy. A Topic is the central concept for applying context to data. For example, an agency may have a Taxonomy that represents its organizational structure. In such a Taxonomy, each role in the organizational structure (e.g. CIO) represents a Topic.

A Data Asset is a collection of Digital Data Resources that is managed by an organization, categorized for discovery and governed by a data steward. The Data Asset inventory could be implemented as records in a metadata registry.

Purpose

Data Context standardization addresses key questions such as:

- What are the data (subject areas/topics and entities of interest) contained within the Data Asset that are needed to support the objective/vision of the e-governance initiative?
- Which government organizations, units and agencies are responsible for maintaining the Data Asset?
- What is the linkage to the business reference model?
- What core information or services are needed to make the data discoverable and establish governance? (see Data Sharing)

Abstract Model

The abstract model below illustrates the concepts that comprise the Data Context standardization area and the relationships between them. Concepts are expressed as boxes, while relationships are expressed as arrows.

[Figure: Data Context abstract model. Concepts: Data Source, Data Steward, Data Asset, Taxonomy, Topic, Relationship, Query Point, Exchange Package, Structured Data Resource, Digital Data Resource. Relationship labels: is-a-type-of, manages, categorizes, provides-management-context-for, contains, is-represented-as, participates-in, relates.]

| Term | Definition |
| Data Steward | A Data Steward is the person responsible for managing a Data Asset. Relationships: A Data Asset may be managed by a Data Steward. |
| Data Asset | A Data Asset is a managed container for data. In many cases this will be a relational database. However, a Data Asset may also be a website, a document repository, a directory or a data service. Relationships: A Data Asset provides management context for a Digital Data Resource. Example: A document that is stored and managed within a data asset (such as a document repository) has management context provided for it through the metadata that is associated with that document within the document repository. |
| Digital Data Resource | A Digital Data Resource is a digital container of information, typically known as a file. A Digital Data Resource may be one of three specific types of data resources, each corresponding to one of the three types of data described earlier and each described below (see Structured Data Resource, Semi-Structured Data Resource, and Unstructured Data Resource). |
| Query Point | An endpoint that provides an interface for accessing and querying a Data Asset. A concrete representation of a Query Point may be a specific URL at which a query Web Service may be invoked. |
| Exchange Package | A description of a specific recurring data exchange between a Service Producer and a Service Consumer. |
| Relationship | This describes the relationship between two Topics. Relationships: A Relationship relates a Topic. Example: A Person Entity may be represented in one Data Asset in a Customer context because it is part of a CUSTOMER_INFO table. However, the same Entity may be represented in a Suspect context on a law enforcement website. The metadata that is associated with the Person Entity would be different in each context: for example, the Suspect context would likely include physical characteristic metadata (height, hair color, etc.), while the Customer context would not. |
| Structured Data Resource | A Structured Data Resource is a Digital Data Resource containing structured data. This data can be accessed in a uniform manner, independent of data values, once the Data Schema is known. Relationships: A Structured Data Resource is a type of Digital Data Resource. |

Data Context Implementation

The first layer of classification under the "Data Context" standardization area is referred to as the Subject Area, followed by a Logical Data Component classification. The Subject Areas and the Logical Data Component classifications are included to help define the context in which the data was defined and applied. Describing the culture of the data provides semantic understanding for those who will need to integrate the data or may desire to utilize the schema that contains it.

[Figure: classification layers. Subject Area (e.g. Civil Registry Service); Logical Data Component (e.g. Marriage Registration); Data Entities (e.g. Person).]

Subject Area - Taxonomy

The Subject Areas provide a collection of data classifications that represent broad categories of information. This layer contains the major areas of information and data subjects that support the business of the Government of Liberia. Typically, this layer aligns to the data areas or highest layer of data within the GoL BRM data architectures. The Subject Area layer of the Government of Liberia DRM will facilitate discovery of data and information common to various lines of business. Additionally, these classifications improve the ability to discover specific data and metadata for semantic understanding.

Logical Data Components - Topics

The next data classification layer, logical data components, is developed to further refine data classifications to generic groupings of data that are related to the Subject Areas, and should be considered conceptual entities. These high-level groupings provide sufficient context for Communities of Interest to discover data commonality for business process information needs. Using information in this layer, Government of Liberia MACs can map their data descriptions to the GoL DRM, while maintaining their existing data architectures and descriptions. This approach leaves some data stewardship responsibilities with the GoL mission areas.

In providing services to citizens, the government engages in several activities that require the storage of data. The categorization of the data entities is based on the various activities of the Government, irrespective of the MAC that is responsible for the activity. The Government recruits and manages employees, and the data entities related to this activity are grouped into the Human Resources (HR) group. The Government manages many physical facilities, such as Government buildings, and the data entities related to those activities are grouped into the facilities group.

Data Description standardization area

Definitions

The Data Description standardization area provides a means to uniformly capture the semantic and syntactic structure of data. It focuses on understanding data at two levels of abstraction: (1) the metadata artefacts required to understand the data, and (2) the aggregation of metadata artefacts to define a managed data asset. The division of data along these two axes is intended to support harmonization (via comparison of logical data models) and registration (via description of universal resource attributes).

Implementation of the Data Schema concept group would take the form of Entity-Relationship diagrams, class diagrams, etc. Implementation of the Digital Data Resource could be records in a content management system or metadata catalogue.

Purpose

The Data Description standardization area enables:

- Discovery of Data: the capability to quickly and accurately identify and find data that supports mission requirements.
- Data Entity Harmonization: an enhanced capability to compare data artefacts across government through a common, well-defined model that supports the harmonization of those artefacts and the creation of common entities.
- Data Re-use: the capability to increase utilization of data in new and synergistic ways in order to innovatively and creatively support missions.

Abstract Model

Figure xxx below illustrates the concepts that comprise the Data Description standardization area and the relationships between them. Concepts are expressed as boxes, while relationships are expressed as arrows.

[Figure: Data Description abstract model. Concepts: Data Schema, Data Object, Entity, Attribute, Relationship, Data Type, Structured Data Resource, Semi-Structured Data Resource, Unstructured Data Resource, Digital Data Resource, Data Asset. Relationship labels: refers-to, contains, participates-in, relates, is-constrained-by, is-a-type-of, describes-structured, describes-semi/unstructured.]

| Term | Definition |
| Data Schema | Describes a structured data asset and the representation of its metadata. The data artefacts for data schema could be the conceptual and logical data models. The Data Schema concept group is comprised of those concepts pertaining to the representation of structured data. A Data Schema provides a means to provide data sharing services that is independent of the values of the data in the data resource that it describes. Relationships: A Data Schema defines a Structured Data Resource. A Data Schema describes a Structured Data Asset. |
| Entity | An Entity is an abstraction for a person, place, object, event or concept described (or characterized) by common Attributes. For example, Person and Agency are Entities. An instance of an Entity represents one particular occurrence of the Entity, such as a specific person or a specific agency. Relationships: An Entity contains an Attribute. An Entity participates in a Relationship with another Entity. |
| Data Type | A Data Type is a constraint on the type of physical representation that an instance of an Attribute may hold (e.g. string or integer). Relationships: none |
| Attribute | An Attribute is a characteristic of an Entity whose value may be used to help distinguish one instance of an Entity from other instances of the same Entity. For example, an Attribute of a Person Entity may be Social Security Number (SSN). |
| Relationship | This describes the relationship between two Entities. Relationships: A Relationship relates an Entity. Example: a Person Entity may have a Relationship with an Agency Entity of works for. |
| Structured Data Resource | A Structured Data Resource is a Digital Data Resource containing structured data. This data can be accessed in a uniform manner, independent of data values, once the Data Schema is known. Relationships: A Structured Data Resource is a type of Digital Data Resource. |
| Semi-Structured Data Resource | A Semi-Structured Data Resource is a Digital Data Resource containing semi-structured data. This will generally consist partly of structured data and partly of unstructured data. Relationships: A Semi-Structured Data Resource is a type of Digital Data Resource. |
| Unstructured Data Resource | An Unstructured Data Resource is a Digital Data Resource containing unstructured data. Unstructured data is a collection of data values that are likely to be processed only by specialised application programs. Relationships: An Unstructured Data Resource is a type of Digital Data Resource. |

Data Description Implementation

Person Entity

The first core level entity on which the DRM is based is the person entity. Employees, customers, and citizens are all persons. The core assumption underlying the person entity (and actually, much of the DRM) is that each person residing in Liberia would have one unique numerical identifier across all Government agencies.

| DATA ENTITY | DATA ATTRIBUTE | DATA TYPE |
| Person | Date of Birth | Date |
| Person | Place of Birth | Text |

Organization Entity

The organization entity is another primary logical data component of the GoL DRM. An organization is an administrative structure with a mission. An organization also usually has an independent legal standing and may act as a legal party in court proceedings. Government MACs, private and public companies, and not-for-profit organizations are all organizations, and in the DRM they are derived from the basic organization entity.

The main purpose of the organization entity is to map out those attributes and relationships common to all organizations. Nearly all organizations have a name and a contact address, have employees, maintain a budget, have goals and policies, carry out projects, contract suppliers and sign and carry out agreements.

[Figure: Organization Entity class diagram. The Organization Entity (attributes: Organization Identifier, Name, Contact Address, Primary activity code) is associated with Programs, Employees, Budget, Facilities, Document, Contract, Policy and Agreement through the relationships execute, has, maintains, Procure, store, manage and sign.]

Data Sharing standardization area

Definitions

The Data Sharing standardization area describes the access and exchange of data. It supports the access and exchange of data, where access consists of ad-hoc requests (such as a query of a data asset), and exchange consists of fixed, recurring transactions between parties. Data sharing needs are often difficult to predict in advance. At a broad level, data can be shared in two ways: through Data Exchange Services and through Data Access Services.

Purpose

- Data Exchange: Fixed, recurring transactions between parties, such as the regular exchange of data among government organizations, units and agencies. These exchanges are implemented with Data Exchange Services.
- Data Access: Requests for data services, such as a query of a Data Asset. These requests are supported by Data Access Services.

The Data Sharing standardization area answers key questions like:

- What is the data sharing architecture? (i.e., How will the data be made sharable)
- What volume of data will be shared etc.?

Abstract Model

[Figure: Data Sharing abstract model. Concepts: Entity, Supplier, Exchange Package, Payload Description, Consumer, Query Point, Data Asset. Relationship labels: describes-structured, refers-to, produces, disseminated-to, returns-result-set-specified-in, queries, accesses.]

| Term | Definition |
| Exchange Package | An Exchange Package is a description of a specific recurring data exchange between a Supplier and a Consumer. An Exchange Package contains information (metadata) relating to the exchange (such as Supplier ID, Consumer ID, validity period for data, etc.), as well as a reference to the Payload (message content) for the exchange. An Exchange Package can also be used to define the result format for a query that is accepted and processed by a Query Point in a data sharing scenario. Relationships: An Exchange Package refers to an Entity. An Exchange Package is disseminated to a Consumer. An Exchange Package queries a Query Point. An Exchange Package refers to a Payload Definition. Example: an Exchange Package describes a specific recurring data exchange involving shipment information. |
| Entity | See the Data Description chapter. |
| Supplier | A Supplier is an entity (person or organisation) that supplies data to a Consumer. Relationships: A Supplier produces an Exchange Package. Example: a MAC that supplies data to one or more other MACs. |
| Payload Definition | A Payload Definition is an electronic definition that defines the requirements for the Payload (data) that is exchanged between a Supplier and a Consumer. Relationships: none. Example: A specific message set expressed as an XML schema or an EDI transaction set that contains information about a Person entity. |
| Query Point | See the Data Context section. |
| Data Asset | See the Data Context section. |

Data Sharing Implementation

The Data Sharing standardization area is supported by the Data Description and Data Context standardization areas in the following ways:

- Data Description: Uniform definition of Exchange Packages and Query Points supports the capability to effectively share them within and between government organizations and agencies.
- Data Context: Categorization of Exchange Packages and Query Points supports their discovery, and their subsequent use in data access and data exchange.

Example:

| QUERY POINT | URL for Web Service GetIRDTaxNumber e.g. |
| EXCHANGE PACKAGE | GetIRDTaxNumber Web Service Definition |
| PAYLOAD DEFINITION | XML Schema TaxNumberDescriptiveType |
| SERVICE PROVIDER | Inland Revenue Department |
| SERVICE CONSUMER | Customs Department |

Guidance and Standards: Implementation of Exchange Packages could be standard XML messages or EDI transaction sets. Implementation of Query Points could be descriptions in a Universal Description, Discovery and Integration (UDDI) or ebXML registry of a data access web service.

Security & Privacy

Security and privacy considerations apply to all three of the DRM's standardization areas. Security defines the methods of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality and availability, whether in storage or in transit. Privacy addresses the acceptable collection, storage, use and disclosure of information, and its accuracy.

An institutional process that includes roles and responsibilities for data stewardship for each project or program in the agency needs to be defined as part of a policy that governs data quality, security and privacy. There are a number of areas that should be addressed in building such a policy. These include:

- constructing a policy that is compliant with legislation and standards
- addressing sensitivity of information that eliminates possible compromise of sources and methods of information collection and analysis
- establishing the practices of data stewardship
- addressing specific data access policies defined by the responsible steward, for example:
  o data is available for open, unrestricted access
  o data is accessible only to a defined group of persons or organizations
  o data access is dependent on the identity of the accessing person, data about that person (e.g. current position) and data about the environment (e.g. physical location)
  o data is self-protecting through digital rights management or similar technologies.

The successful categorizing, describing and sharing of data are dependent on the implementation of security regarding the data being exchanged. Security and privacy requirements must be considered at each level of the DRM and, in particular, regarding the sharing of data.
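The steward-defined access policies listed above can be expressed as a decision function at a Query Point that also enforces the Exchange Package validity period and logs every request. The following Python is an added example, not part of the framework document: the class and field names, the registry URL, and the position and location values are assumptions constructed for illustration, while the GetIRDTaxNumber package and the two departments come from the Data Sharing example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class AccessModel(Enum):
    """Access models a data steward can select (names are assumptions)."""
    OPEN = "open"            # open, unrestricted access
    GROUP = "group"          # a defined group of persons or organizations
    ATTRIBUTE = "attribute"  # identity + data about the person + environment


@dataclass(frozen=True)
class Requester:
    person_id: str     # the unique person identifier the DRM assumes
    organization: str
    position: str      # data about the person, e.g. current position
    location: str      # data about the environment, e.g. physical location


@dataclass(frozen=True)
class ExchangePackage:
    name: str
    supplier_id: str
    consumer_id: str
    valid_from: date   # validity period carried in the package metadata
    valid_until: date
    payload_definition: str


@dataclass(frozen=True)
class AccessPolicy:
    model: AccessModel
    organizations: frozenset = frozenset()
    positions: frozenset = frozenset()
    locations: frozenset = frozenset()


@dataclass
class QueryPoint:
    url: str
    data_steward: str
    package: ExchangePackage
    policy: AccessPolicy
    audit_log: list = field(default_factory=list)

    def authorize(self, who: Requester, today: date) -> tuple[bool, str]:
        """Decide one request and record it, whether allowed or denied."""
        decision = self._decide(who, today)
        self.audit_log.append(
            (today.isoformat(), who.person_id, self.package.name) + decision)
        return decision

    def _decide(self, who: Requester, today: date) -> tuple[bool, str]:
        pkg, pol = self.package, self.policy
        if not (pkg.valid_from <= today <= pkg.valid_until):
            return False, "exchange package outside validity period"
        if pol.model is AccessModel.OPEN:
            return True, "open access"
        if not who.person_id:
            return False, "unidentified requester"
        if who.organization not in pol.organizations:
            return False, "organization not in permitted group"
        if pol.model is AccessModel.GROUP:
            return True, "group policy satisfied"
        # ATTRIBUTE model: person data and environment data must both match.
        if who.position not in pol.positions:
            return False, "position not permitted"
        if who.location not in pol.locations:
            return False, "location not permitted"
        return True, "attribute policy satisfied"


def build_example_query_point() -> QueryPoint:
    """Constructed sample data modelled on the GetIRDTaxNumber example."""
    package = ExchangePackage(
        name="GetIRDTaxNumber",
        supplier_id="Inland Revenue Department",
        consumer_id="Customs Department",
        valid_from=date(2014, 1, 1),      # constructed validity period
        valid_until=date(2014, 12, 31),
        payload_definition="TaxNumberDescriptiveType",
    )
    policy = AccessPolicy(
        model=AccessModel.ATTRIBUTE,
        organizations=frozenset({package.consumer_id}),
        positions=frozenset({"Customs Officer"}),   # constructed value
        locations=frozenset({"Customs HQ"}),        # constructed value
    )
    # Placeholder URL; the document does not give the real endpoint.
    return QueryPoint("https://registry.example/GetIRDTaxNumber",
                      "IRD data steward", package, policy)


if __name__ == "__main__":
    qp = build_example_query_point()
    officer = Requester("P-1001", "Customs Department", "Customs Officer", "Customs HQ")
    offsite = Requester("P-1001", "Customs Department", "Customs Officer", "Unknown network")
    print(qp.authorize(officer, date(2014, 6, 1)))
    print(qp.authorize(offsite, date(2014, 6, 1)))
    print(qp.authorize(officer, date(2015, 1, 1)))
```

Denied requests are logged alongside allowed ones, which matches the "log, track and monitor user access activities" function under ICT Resource Access Management.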

4.3. Application Reference Model

Overview

The ARM is a business-driven, component-based taxonomy that categorizes the system and application related standards and technologies that support and enable the delivery of service components and capabilities. It is also used to define business processes in the form of services delivered by the government to citizens, businesses and other parts of the government. In principle, the ARM is more about the function of the software than where it is applied. It excludes infrastructure software, where infrastructure is anything that is broad based or commodity in nature. The taxonomy of infrastructural software and hardware is included in the technology reference model.

The Applications Reference Model describes logical groups of IT Capabilities (Logical Application Components) that manage the information objects in the Data Reference Model and support the Business Capabilities in the Business Reference Model. These components will tend to be stable but the technology used to implement them will change over time, based on the technologies currently available and changing Business needs. The components provide the common, re-usable Building Blocks which can then be combined and orchestrated in order to construct Business applications. These offer discrete IT functionality sourceable from multiple vendors in the marketplace.

Aligning agency capital investments to the ARM leverages a common, standardized vocabulary, allowing interagency discovery, collaboration, and interoperability. Ministries, Agencies and Commissions will benefit from economies of scale by identifying and reusing the best solutions and technologies for applications that are developed/provided or subscribed to support their business functions, mission, and target architecture.

Benefits of ARM

The Application Reference Model will aid in recommending service capabilities to support the reuse of business components and services across the Government of Liberia. Specifically, the ARM provides the following benefits:

- Provide a framework that identifies service components and their relationships to the technology architecture of MACs across the Government of Liberia.
- Classify, categorize and recommend components for the reuse of business services and capabilities across the Federal Government
- Define existing service components that may be leveraged outside agency boundaries
- Align and leverage existing Government guidance and application/architecture recommendations
- Facilitate faster response to business needs by allowing new applications or extensions to existing applications to be built from pre-existing components

ARM Structure

The GoL ARM adopted the SRM provided by the Federal Enterprise Architecture (FEA). This ARM taxonomy is structured as a three-layer hierarchy as shown in Figure xxx. It should be noted that, due to the breadth of FEA's coverage (of the types of applications and their components supporting the business functions of the Federal enterprise), the SRM Service Types and Service Components represent generic application components and/or services that are applicable to multiple types of applications.

The ARM Application Domains provide a high-level view of the services and capabilities that support enterprise and organizational processes and applications. Service Domains are differentiated by their business-oriented capability and are comprised of Service Types that further categorize and define the capabilities of each Domain. Each Service Domain is classified into one or more Service Types that group similar capabilities in support of the domain.

Application Types provide an additional layer of categorization that defines the business context of a specific Application component within a given domain. Each Service Type includes one or more Application Components that provide the building blocks to deliver the Service Component capability to the business.

Industry best practices indicate that deeper analysis of applications is necessary to first identify relevant architecture areas (such as Business Intelligence and Identity and Access Management) or layers, and then identify the components and services in relation to the architecture areas or layers, in order to:

- Distinctly identify application components and services in the context of the application architecture
- Enhance the possibility of identifying reusable and/or shareable components
- Help create more reusable and/or shareable services by advancing service orientation

| Level | Name | Description |
| Level 1 | Service Domain | Used to classify the services, capabilities and processes. Service Domains are comprised of SRM Service Types. Example: Customer Services |
| Level 2 | Service Type | Used to break down the SRM Service Domain by providing the business context for a specific SRM Service Component. Example: Customer Relationship Management |
| Level 3 | Service Component | Defined as a self-contained business process or service with predetermined functionality that may be exposed through a business or technology interface. Example: Online Help; change management |

[Figure: APPLICATION REFERENCE MODEL, arranged by Service Domain, Service Type and Service Component. Service Domains shown: Customer Services, Process Automation Services, Business Analytical Services, Digital Asset Services, Integration Services, Back Office Services and Business Support Services. Service Types shown include Security Management, Collaboration & Communication, System Management, Form Management, Customer Relationship Management, Content Management, Document Management, Knowledge Management, Records Management, Process Integration, Application Integration, Data Integration, External Integration, Lines of Business Services, Financial Management, Asset Management, HR Management, Tracking & Workflow, Business Intelligence, Search & Reporting and Visualization.]

Customer Services Domain

The Customer Services Domain defines the set of capabilities that are directly related to an internal or external customer, the business's interaction with the customer and the customer-driven activities or functions. The Customer Services Domain represents those capabilities and services that are at the front end of a business and interface at varying levels with the customer.

Service Type: Customer Relationship Management

Capabilities within this Service Type are used to plan, schedule and control the activities between the customer and the enterprise, both before and after a product or service is offered. It involves data collection and analysis to better understand your customers' needs and wants. It also includes customized strategies for addressing unique customer needs. The whole point of CRM is to get new customers, to keep the customers you've got, and to maximize the value of the relationships you have with those customers.

'Customer' has a broader meaning for Government. Customers include citizens, businesses, community groups, religious groups, military personnel, public interest groups, associations, etc. Citizens are looking to MACs such as local assemblies to deliver services effectively and efficiently. Because they are heavily influenced by the service delivery of the private sector, citizens expect to be able to access Government information and services at their convenience.

Service Components:
- Call Centre Management: Handle telephone sales and/or service to the end customer
- Customer Analytics: Allow for the analysis of an organisation's customers, as well as the scoring of third-party information as it relates to an organisation's customers
- Sales and Marketing: Facilitate the promotion of a product or service and capture of new business
- Product Management: Facilitate the creation and maintenance of products and services
- Brand Management: Support the application of a trade name to a product or service as well as developing an awareness for the name
- Customer Account Management: Support the retention and delivery of a service or product to an organization's clients
- Contact and Profile Management: Provide a comprehensive view of all customer interactions, including calls, email, correspondence and meetings; also provides for the maintenance of a customer's account, business and personal information.

- Customer Feedback: Is used to collect, analyze and handle comments and feedback from an organization's customers
- Surveys: Are used to collect useful information from an organization's customers

Service Type: Customer Preferences

Capabilities within this Service Type allow an organisation's customers to change a user interface and the way that data is displayed.

Service Components:
- Personalization: Change a user interface and how data is displayed
- Subscription: Allow a customer to join a forum, listserv, or mailing list
- Alerts and Notification: Allow a customer to be contacted in relation to a subscription or service of interest

Service Type: Customer Initiated Assistance

Capabilities within this Service Type allow customers to proactively seek assistance and service from an organisation.

Service Components:
- Online Help: Provide an electronic interface to customer assistance
- Online Tutorials: Provide an electronic interface to educate and assist customers
- Self-Service: Allow an organisation's customers to sign up for a particular service at their own initiative
- Reservations/Registration: Allow electronic enrolment and confirmations for services
- Multi-Lingual Support: Allow access to data and information in multiple languages
- Scheduling: Define the set of capabilities that support the plan for performing work or service to meet the needs of an organisation's customers

Digital Asset Services Domain

The Digital Asset Services Domain defines the set of capabilities that support the generation, management and distribution of intellectual capital and electronic media across the business and extended enterprise.

Service Type: Knowledge Management

Capabilities within this Service Type identify, gather and transform documents, reports and other sources into meaningful information. Knowledge Management Services enable the Government to determine, define and forecast the needs of citizens as customers and to develop, modify and adjust services to match these needs.

Service Components:
- Information Retrieval: Allow access to data and information for use by an organization and its stakeholders
- Information Mapping/Taxonomy: Support the creation and maintenance of relationships between data entities, naming standards and categorization

- Information Sharing: Support the use of documents and data in a multiuser environment for use by an organization and its stakeholders
- Smart Documents: Support the interaction of information and process (business logic) rules between users of the document (i.e. the logic and use of the document is embedded within the document itself and is managed within the document parameters)
- Knowledge Capture: Facilitate collection of data and information
- Knowledge Distribution and Delivery: Support the transfer of knowledge to the end customer.

Service Type: Records Management

An effective Electronic Records Management to support information age Government will require a formalization of control over paper based records already existing in the MACs as well as planning for those that will be generated by new service delivery and policymaking systems. Electronic records provide easy access to documents access in paper form, enable more effective sharing of information and contribute to knowledge flows across Government. Electronic records need to be kept in such a manner that retains their qualities of legal admissibility and evidential weight. Privacy and access issues require that electronic records be managed consistently within a regulatory framework.

Service Components:
- Digital Rights Management: Support the claim and ownership of intellectual capital and artifacts belonging to an organization
- Record Linking/Association: Support the correlation between logical data and information sets
- Document Retirement: Support the termination or cancellation of documents and artifacts used by an organization and its stakeholders

Service Type: Document Management

Capabilities within this Service Type control the capture and maintenance of an organization's documents and files. Document management systems are used to track and store electronic documents and images of paper documents. Some MACs are required by regulation to maintain member records for a considerable length of time and others have large document-generating transaction volumes that are expected to increase exponentially over the years.

Service Components:
- Document Imaging and OCR: Support the scanning of documents
- Document Referencing: Support the redirection to other documents and information for related content
- Document Revisions: Support the versioning and editing of content and documents
- Library/Storage: Support document and data warehousing and archiving
- Document Retrieval & Approval: Support the editing and commendation of documents before releasing them
- Indexing: Support the rapid retrieval of documents through a structured numbering construct

Service Type: Content Management

Capabilities within this Service Type manage the storage, maintenance and retrieval of documents and information of a system or website. Content Management practices and goals will vary across the MACs but the life cycle of how content is rendered will be standard based on the creation, updating, publishing, translating, archiving and retrieval of content. For example, one or more authors create an instance of digital content. Over time, that content may be edited. One or more individuals may provide some editorial oversight thereby approving the content for publication. Publishing may take many forms. Publishing may be the act of pushing content out to others, or simply granting digital access rights to certain content to a particular person or group of persons. Later that content may be superseded by another form of content and thus retired or removed from use.

Service Components:
- Content Authoring: Allow for the creation of tutorials, CBT courseware, websites, CD-ROMs and other interactive programs
- Content Retrieval and Approval: Allow for the approval of interactive programs
- Tagging and Aggregation: Support the identification of specific content within a larger set of content for collection and summarization
- Content Publishing and Delivery: Allow for the propagation of interactive programs
- Syndication Management: Control and regulate an organisation's brand

Integration Services Domain

This service domain defines the set of capabilities that describes the various service components to allow interoperability and seamless information sharing and exchange across government MACs and third parties.
The various service types which further sub-categorize this service domain and the service components which define the building blocks to deliver the service capability are outlined below:

Service Type: Process Integration

Capabilities within this Service Type provide a lightweight process orchestration service that allows federated Business Process Management (BPM)/Workflow Engines to work together.

Service Components:
- Business Process Orchestration
- Case Management / Workflow Engine
- Rule Based Processing

Service Type: Application Integration

ICT enabled capabilities to define services which enable the data or functional components of one system or component to be used by another system or component. It includes any middleware or bus components that facilitate integration between applications or services.

Service Components:
- Service Oriented Architecture
- Enterprise Application Integration

Service Type: Data Integration

ICT enabled capabilities to define services for data acquisition, sharing/exchange or migration of data across systems.

Service Components:
- Data Interoperability and Exchange
- Bulk Data Upload
- Extract, Transform, Load
- Data Services

Service Type: External Integration

ICT enabled capabilities to define services that provide the controlled and managed gateways that enable the exchange of data with third parties and other governments.

Service Components:
- Payment Gateway Integration: Allow for the creation of tutorials, CBT courseware, websites, CD-ROMs and other interactive programs
- External Agency & 3rd Party Integration: Allow for the approval of interactive programs

Back Office Services Domain

The Back Office Services Domain defines the set of capabilities that support the management of enterprise planning and transactional-based functions. This service domain defines the capabilities dealing with the day-to-day back-office business support services such as enterprise resource planning, financial management, IT procurement and supply chain management, asset and facilities management, service management etc. The various service types which further sub-categorize this service domain and the service components which define the building blocks to deliver the service capability are outlined below:

Service Type: Supply Chain Management

Capabilities within this Service Type plan, schedule and control a supply chain and the sequence of organizations and functions that mine, make or assemble materials and products from manufacturer to wholesaler to retailer to consumer.
Service Components:
- Procurement: Support the ordering and purchasing of products and services
- Sourcing Management: Support the supply of goods or services as well as the tracking and analysis of costs for these goods
- Inventory Management: Provide for the balancing of customer service levels with inventory investment
- Catalogue Management: Support the listing of available products or services that an organisation offers
- Ordering/Purchasing: Allow the placement of a request for a product
- Invoice/Requisition Tracking and Approval: Support the identification of where a shipment or delivery is within the business cycle
- Contact and Profile Management: Provide a comprehensive view of all customer interactions, including calls, email, correspondence and meetings; also provides for the maintenance of a customer's account, business and personal information.
- Logistics and Transportation: Provide for efficient freight and traffic management

Service Type: Financial Management

Capabilities within this Service Type regulate the activities surrounding the business cycle of an organization.

Service Components:
- Change Management: Control the process for updates or modifications to the existing documents, software or business processes of an organisation
- Configuration Management: Control the hardware and software environments, as well as documents of an organisation
- Requirement Management: Gather, analyse and fulfil the needs and prerequisites of an organisation's efforts
- Program/Project Management: Manage and control a particular effort of an organisation
- Quality Management: Help determine the level that a product or service satisfies certain requirements
- Risk Management: Support the identification and probabilities or chances of hazards as they relate to a task, decision or long-term goal; includes risk assessment and risk mitigation

Service Type: Asset Management

Capabilities within this Service Type support the acquisition, oversight and tracking of an organization's assets.

Service Components:
- Property & Asset Management: Support multiple users working on related tasks
- Asset Cataloguing/Identification: Monitor and maintain a communications network in order to diagnose problems, gather statistics and provide general usage
- Facilities Management: Support the construction, management and maintenance of facilities for an organization
- Asset Transfer, Allocation and Maintenance: Support the movement, assignment, and replacement of assets
- Computers/Automation Management: Support the identification, upgrade, allocation and replacement of physical devices, including servers and desktops, used to facilitate production and process-driven activities

Service Type: Human Resource Management

Capabilities within this Service Type provide for the planning and supervision of an organization's personnel.

Service Components:
- Workforce Acquisition/Optimization: Support the hiring and re-structuring of employees and their roles within an organization

- Resource Planning and Allocation: Support the determination of strategic direction, the identification and establishment of programs and processes and the allocation of resources (capital and labor) among those programs and processes
- Skills Management: Support the proficiency of employees in the delivery of an organization's products or services

System Support Services Domain

This service domain defines the set of ICT enabled capabilities that will support all other service domains. The various service types which further sub-categorize this service domain and the service components which define the building blocks to deliver the service capability are outlined below:

Service Type: Security Management

Capabilities within this Service Type protect an organisation's information and information systems.

Service Components:
- Identification and Authentication: Support obtaining information about those parties attempting to log on to a system or application for security purposes and the validation of those users
- Access Control: Support the management of permissions for logging onto a computer, application, service or network; includes user management and role/privilege management
- Cryptography: Support the use and management of ciphers, including encryption and decryption processes, to ensure confidentiality and integrity of data
- Intrusion Prevention System: Include penetration testing and other measures to prevent unauthorized access to a government information system
- Incident Response: Provide active response and remediation to a security incident that has allowed unauthorized access to a government information system
- Virus Protection: Provide anti-virus service to prevent, detect and remediate infection of government computing assets
- Digital Signature Management: Support the use and management of electronic signatures to support authentication and data integrity; includes Public Key Infrastructure (PKI)
- Audit Trail Capture and Analysis: Support the identification and monitoring of activities within an application, system, or network

Service Type: Collaboration & Communication

Capabilities within this Service Type allow for the simultaneous communication and sharing of content, schedules, messages and ideas within an organization.

Service Components:
- Email: Support the transmission of memos and messages over a network

- Document Library: Support the grouping and archiving of files and records on a server
- Shared Calendaring: Allow an entire team as well as individuals to view, add and modify each other's schedules, meetings and activities
- Task Management: Support a specific undertaking or function assigned to an employee
- Social Networking: Support the ability to share content and build relationships.

Service Type: System Management

Capabilities within this Service Type support the administration and upkeep of an organization's technology assets, including the hardware, software, infrastructure, licenses and service components that comprise those assets.

Service Components:
- License Management: Support the purchase, upgrade and tracking of legal usage contracts for system software and applications
- Remote Systems Control: Support the monitoring, administration and usage of applications and enterprise systems from locations outside of the immediate system environment
- System Resource Monitoring: Support the balance and allocation of memory, usage, disk space and performance on computers and their applications
- Software Distribution: Support the propagation, installation and upgrade of written computer programs, applications and service components
- Issue Tracking: Receive and track user-reported issues and problems in using IT systems, including help desk calls

Service Type: Form Management

Capabilities within this Service Type support the creation, modification and usage of physical or electronic documents used to capture information within the business cycle.
Service Components:
- Form Creation: Support the design and generation of electronic or physical forms and templates for use within the business cycle by an organization and its stakeholders
- Form Modification: Support the maintenance of electronic or physical forms, templates and their respective elements and fields

Process Automation Services Domain

The Process Automation Services Domain defines the set of capabilities that support the automation of process and management activities that assist in effectively managing the business. The Process Automation Services domain represents those services and capabilities that serve to automate and facilitate the processes associated with tracking, monitoring and maintaining liaison throughout the business cycle of an organization.

Service Type: Tracking and Workflow

Capabilities within this Service Type provide automatic monitoring and routing of documents to the users responsible for working on them to support each step of the business cycle.

Service Components:
- Process Tracking: Allow the monitoring of activities within the business cycle
- Case Management: Manage the life cycle of a particular claim or investigation within an organisation to include creating, routing, tracing, assignment and closing of a case as well as collaboration among case handlers
- Conflict Resolution: Support the conclusion of contention or differences within the business cycle

Service Type: Routing and Scheduling

Capabilities within this Service Type provide automatic directing and assignment or allocation of time for a particular action or event.

Service Components:
- Inbound Correspondence Management: Manage externally initiated communication between an organization and its stakeholders
- Outbound Correspondence Management: Manage internally initiated communication between an organization and its stakeholders

Business Analytical Services

The Business Analytical Services Domain defines the set of capabilities supporting the extraction, aggregation and presentation of information to facilitate decision analysis and business evaluation.

Service Components:
- Simulation: Utilize models to mimic real-world processes

Service Type: Business Intelligence

Business Intelligence services provide on-demand analytics for both real time and non real time decision making. BI is the type of service that allows MACs to access, analyze, and share information in order to drive decisions that are more informed. Such a system will involve four main capabilities, each of which can operate and be used independently of the others.
Service Components:
- Demand Forecasting Management: Facilitate the prediction of sufficient production to meet an organization's sales of a product or service
- Balanced Scorecard: Support the listing and analysis of both positive and negative impacts associated with a decision
- Decision Support and Planning: Support the analysis of information and predict the impact of decisions before they are made

Service Type: Search & Reporting

This service type defines the set of capabilities supporting the extraction, aggregation and presentation of government data to facilitate decision analysis. It provides information that pertains to the history, current status or future projections of an organization to help analyze data for the purposes of risk assessment and policy development, customer segmentation and ad hoc queries etc.

Service Components:
- Web Search: Identify and retrieve content across the Internet or intranets.
- Enterprise Search: Search multiple types of content across a variety of sources, producing a consolidated list ranked by relevance.
- Application Specific Search: Search limited to and within a specific application.
- Ad Hoc: Support the use of dynamic reports on an as-needed basis
- Standardized/Canned: Support the use of pre-conceived or pre-written reports
- OLAP [Online Analytical Processing]: Supports the analysis of information that has been summarized into multidimensional views and hierarchies

Service Type: Visualization

Capabilities within this Service Type convert data into graphical or picture form

Service Components:
- Graphing/Charting: Support the presentation of information in the form of diagrams or tables
- Imagery: Support the creation of film or electronic images from pictures or paper forms
- Multimedia: Support the representation of information in more than one form to include text, audio, graphics, animated graphics and full motion video
- Mapping/Geospatial: Provide for the representation of position information through the use of attributes such as elevation and latitude and longitude coordinates

4.4. Technical Reference Model

Overview

The Technical Reference Model defines Liberia Government's generic classification scheme in terms of the standards and infrastructure systems including software, hardware and services to support business applications. It also unifies existing Government Organization TRMs and E-Gov guidance by providing a foundation to advance the reuse and standardization of ICT infrastructure components/services from a Government-wide perspective.

The goal of the Model is to allow a common viewpoint and understanding of the technology domains across all the Ministries, Agencies and Commissions. This in turn aids standardisation as various stakeholders come to understand the possibilities for leveraging related domain activities in other departments. It provides a taxonomy for categorising infrastructure technologies. It should not be used to categorise business processes or business applications, which are covered by other models within the GoL Enterprise Architecture.

The technology domains cover broad based or commodity products. It is unlikely that any agency would actually construct a product within any of the technology domains, although many will need to deal with implementation and integration issues between products in these domains. Aligning capital investments to the TRM leverages a common, standardized vocabulary, allowing cross Government Organization discovery, collaboration, and interoperability. Government Organizations will benefit from economies of scale by identifying and reusing the best solutions and technologies to support their Business functions, mission, and target architecture.

Specific criteria to assist with the identification of technologies are as follows:
- software and hardware required to manage applications and other technologies
- software required to design and develop business applications
- general purpose out-of-the-box software that is commonly available and can be deployed to anyone in the organisation without the need for a business case or justification
- out-of-the-box software that does not embed a business process and is not mandated by the organisation to perform a specific function (e.g. project management)
- desktop and server software that forms part of the standard operating environment
- special purpose software such as graphics and design tools that do not include a customised user front-end
- back end platforms required to support applications that can be differentiated from the application and are technologies.

Benefits of TRM

The purpose of this Technical Reference Model is to promote smooth and less ambiguous communications between the Government of Liberia's Ministries, Departments and Agencies (MACs) by providing categorizations for technologies that are well accepted in the Information Technology industry. It categorizes technologies in technology domains and provides a layered structure of IT systems. Infrastructure integration through a comprehensive technical architecture is a key enabler to the process of delivering electronic government services to citizens. To deliver the services at the appropriate level, business requirements and technical constraints such as security, cost, and service availability must be considered. A well-implemented technology infrastructure can help resolve many of the challenges faced by the MACs.

Structure of TRM

Organized in a hierarchy, the TRM categorizes the standards and technologies that collectively support the secure delivery, exchange and construction of business and application Service Components that may be used and leveraged in a component-based or service-oriented architecture.

Level 1: Service Area. Each Service Area aggregates the standards and technologies into lower-level functional areas. Each Service Area consists of multiple Service Categories and Service Standards.

Level 2: Service Categories. Each Service Category classifies lower levels of technologies and standards with respect to the business or technology function they serve. In turn, each Service Category is comprised of one or more Service Standards.

Level 3: Service Standards. They define the standards and technologies that support a Service Category. To support MAC mapping into the TRM, many of the Service Standards provide illustrative specifications or technologies as examples.

[Figure: TECHNICAL REFERENCE MODEL. The diagram is organised by Service Area, Service Category and Service Standard. Service Areas shown: Service Access & Delivery; Service Integration; Service Component Framework; Service Platform, Storage & Infrastructure.]

The TRM is composed of the following four (4) Service Areas:
1. Service Access and Delivery
2. Service Integration
3. Service Component Framework
4. Service Platform, Storage and Infrastructure

Service Access and Delivery

This service area refers to the collection of standards and specifications to support external access, exchange, and delivery of Service Components or capabilities. The various service categories which further sub-categorize this service area, and the service standards which define the low level standards and technology to support the service categories are outlined below:

Service Category: Access Channel; Delivery Channel; Interconnection

Service Standard: Web Browser; Web Access Standard (WCAG); Mobile Devices; Collaboration and Communications; Telephony; Internet; Intranet; Virtual Private Network (VPN); Enterprise Level IP Network; Application Layer Protocols; Transport Layer Protocols; Internet Layer Protocols

Service Standard Example:
- An access channel defines the interface between an application and its users, whether it is a browser, smart phone, tablet or other medium.
- Web Browser: Examples of web browsers include Microsoft Internet Explorer (IE), Mozilla Firefox, and Google Chrome.
- Web Access Standards: Examples include WCAG by W3C (web accessibility guidelines), ISO :2008 Guidance on World Wide Web user interfaces etc.
- Mobile Devices: Examples include smart phones, tablets etc.
- Collaboration and Communications: Examples include social networking, Short Message Service (SMS), Interactive Voice Response (IVR), Voice over Internet Protocol (VoIP), kiosks, emails etc.
- VPN: The use of the public telecommunication infrastructure to connect entities together, maintaining privacy through the use of a tunnelling protocol and security procedures.
- The internet standards as defined by the Internet Engineering Task Force (IETF)
- Enterprise Level IP Network: Examples include IPV6
- Application Layer Protocols: Examples include DNS, DHCP, FTP/FTPS, HTTP/HTTPS, IMAP, IRC, LDAP, MIME, SNMP, POP3, RIP, SMTP, SOAP, SSH, Telnet etc.
- Transport Layer Protocols: Examples include TCP, UDP, DCCP, ECN etc.
- Internet Layer Protocols

Service Interface and Integration

This service area refers to the collection of technologies, methodologies, standards, and specifications that govern how MACs will interface (both internally and externally) with a Service Component. This area also defines the methods by which components will interface and integrate with back office / legacy assets. The various service categories which further sub-categorize this service area, and the standards which define the low level standards and technology to support the service categories are outlined below:

Service Category: Process Integration; Application/Service Integration; Data Integration; External Integration

Service Standard: BPM; Workflow Engine; Rule Engine; EAI Middleware; Enterprise Service Bus; Object Request Brokers; Remote Procedural Calls; Service Discovery and Description; Data Exchange and Transformation; Data Exchange Format / Classification; Data Integration Meta Language; Interoperable Character Set; Extract, Transform and Load; Service interface with external gateways (payment gateway, external agency, government gateway etc.)

Service Standard Description and Example:
- Business Process Notation (BPMN) 2.0, Business Process Execution Language (BPEL), Business Activity Monitoring (BAM)
- Message oriented middleware: IBMMQ, MSMQ, JMS, JMX for Monitor and Optimize
- ORB: CORBA, COM, DCOM
- Service Discovery: UDDI
- Service Description: WSDL, API
- Character encoding for information interchange: ASCII, Unicode, UTF-8
- Data description: RDF, XML, XNAL, XCIL, XCRL
- Data exchange and Transformation: XMI, XSLT, ISO 8601 for data element and interchange format
- Data exchange Formats: UN/EDIFACT, EDI, XML/EDI, XLINK, PDF, doc, ppt, xls, Tiff/Gif/Jpeg, RTF, MPEG, PST, CSV, htm, avi/mp3/mp4
- Ontology-based information exchange: OWL
- Data integration meta language XML Signature and Encryption, XML-DSS, XML-Key Management specification, SAML, XACML
- Data Types / Validation: DTD, XML Schema
- Data Transformation: XSLT
- Banking Integration: SWIFT

Service Component Framework

This service area refers to the underlying foundation, technologies, standards, and specifications by which Service Components are built, exchanged, and deployed across Distributed or Service-Orientated Architectures. The various service categories which further sub-categorize this service area and the service standards which define the low level standards and technology to support the service categories are outlined below:

Service Category: Presentation/User Interface; Business Service Component; Data Management; BI and Reporting; Security Management

Service Standard: Static Display; Dynamic / Server-Side Display; Content Rendering; Wireless / Mobile / Voice; User Personalization; Lines of Business Application; Business Logic; Web Services; Common Utilities; Reusable Components; Database Connectivity; Data Access Objects/ORM; Data Validation, Cleansing / De-duplication; Data Backup and Archival; BI Tools and Standards; Reporting Tools and Standards; Search Technology; Access Management; Anti Spam / Anti Virus; Desktop and Enterprise Firewall; Identity, Authentication, authorization and privacy; Single-Sign On / Identity Management; Security; IP Security; Public Key Technology; Intrusion Detection and Prevention; Proxy Servers / Directory Services; Remote Security; Secured Transport; XML Security; Electronic Finger Printing

Service Standard Description and Example:
- Static Display: Examples include HTML, PDF
- Dynamic / Server-Side Display: Examples include JSP, ASP, ASP.Net
- Content Rendering: Examples include DHTML, XHTML, CSS, X3D
- Wireless / Mobile / Voice: WML, XHTMLMP, Voice XML
- User Personalization
- Application business logic: Platform Independent EJB, C++, JavaScript; Platform Dependent VB, VB.NET, C#, VB Script
- Data exchange: XMI, XQuery, SOAP, ebxml, RDF, WSUI
- Database Connectivity: DBC, ODBC, ADO, OLE/DB, DAO, DB2 Connector
- Reporting and Analysis: OLAP, XBRL, JOLAP, XML for analysis
- Access management: Support for OS, App server, DBMS, IDM and directory service standards, password encryption during storage and transmission
- Digital Signatures: Secure hash algorithms, authentication, message integrity, nonrepudiation
- Security: S/MIMEv3
- Encryption Algorithm: DES, triple DES
- Enterprise Firewall: Support various layers of TCP/IP protocol stack, support for OS, network protocols, data transport, electronic mail systems and app technologies standards
- Identity, Authentication, authorization and privacy: SAMLv1.1, X.509 for identity certificates
- Identity management: Support for OS, App server, DBMS, IDM and directory service standards, password encryption standards for storage and transmission
- IP security: IPSec
- Proxy server: Compatible with LDAPv3, able to integrate with adopted standards for directory services
- Remote Security: SSH
- Secure transport: TLS/SSL
- XML security standards: WS-Security, WS-I Basic Security Profile Version, XML-DSIG

Service Platform, Storage and Infrastructure

This service area refers to the collection of delivery and support platforms, infrastructure capabilities and hardware requirements to support the construction, maintenance, and availability of a Service Component or capabilities. The various service categories which further sub-categorize this service area and the service standards which define the low level standards and technology to support the service categories are outlined below:

Service Category: Database / Storage

Service Standard: Structured Data Storage; Unstructured Data Storage; Storage Devices

Service Standard Description and Example:
- Structured data storage (DBMS): DBMS should provide support for basic properties of a database transaction (atomicity, consistency, isolation, durability), support for data security, built-in audit, JDBC, ODBC, web service standards; transactional and analytical data should be in separate data stores, e.g. DB2, Oracle, SQL Server, PostgreSQL, Sybase
- Unstructured data storage: Content server, GIS server
- Storage devices: NAS, SAN

Service Category: Platform and Delivery Servers; Hardware / Infrastructure

Service Standard: Web Servers; Application Servers; Portal Servers; Content Servers; Media Servers; Desktop OS; Mobile OS; Server OS; Servers / Computers; Embedded Technology Devices; Peripherals; Wide Area Network; Local Area Network; Network Devices / Standards

Service Standard Description and Example:
- Wireless / Mobile: J2ME
- Platform Independent: JEE, Linux, Eclipse
- Platform Dependent: Windows, .NET, Mac OS
- Web Servers: Apache, IIS
- Media Servers: Windows media service
- Application Servers: Weblogic, Websphere, JBoss, ilog, Oracle business rules, Jrules
- Portal Servers: Liferay, JBoss portal, Oracle web center
- Content Server: Alfresco
- Desktop OS: Windows, Mac
- Server OS: Windows Server 2003/2008, Unix, Linux
- Mobile OS: Android, iOS, Blackberry
- Servers / Computers: Enterprise server, mainframe
- Embedded Technology Devices: RAM, RAID, microprocessor
- Peripherals: Printer, scanner, fax, cameras
- Wide Area Network (WAN): Frame Relay, DSL, Metro Ethernet, ATM
- Local Area Network (LAN): Ethernet, VLAN
- Network Devices / Standards: Hub, switch, router, gateway, NIC, ISDN, T1/T3, DSL, firewall

Service Category: Software Engineering

Service Standard: Modelling process, application and data design; Integrated Development Environment; Application Development Framework; Programming language for Application Development; Testing Tools; Configuration Management; Software Commercial Off The Shelf (COTS) Software

Service Standard Description and Example:
- Modelling process, application and data design: BPMN for process modelling, BPEL4WS for web services, ERD for data modelling, UML 2 and above for app modelling, XML schema v1.0, WML v2.0
- Integrated Development Environment: RAD, Visual Studio, Eclipse, Net beans, JDeveloper
- Application Development Framework: Use of enterprise framework for app development, support for reuse of existing components and services, provide support for creating web services
- Programming language for Application Development: Language should allow for code portability, code collaboration, browser compatibility, should be compatible with the app development framework adopted
- Testing Tools: Tools to be selected for functional testing, usability testing, performance, load and stress testing, security testing, reliability testing, regression testing
- Configuration Management: Software version control, defect tracking, issue tracking, change management, release management, requirement management and traceability
- COTS: Software applications should support open standards and other industry standards that promote interoperability with other products/vendors, access to training, allow parameterization and customization for local needs

5. Future State Recommendation

The target architecture recommendations are presented across the following nine architecture segments considered for assessment.
1. Application Architecture
2. Information Architecture
3. Infrastructure Architecture
4. Integration Architecture
5. Security Architecture
6. EA Process and Governance

5.1. Application Architecture Overview

The targeted e-government enterprise architecture for the Government of Liberia proposes an application architecture that combines multiple components as described in Figure 1.1. This layered architecture approach is allocated a different set of service components, such as Presentation and Portal Access, Community of Interest (CoI) Services and Applications, Collaborations, Integration & Connectivity Services, Shared Services, Enterprise Intelligence, Security and Service Management. Each layer would be loosely coupled with the adjacent layers, providing demarcation of functionalities. Components in each layer will interact with components of other layers. The layered approach ensures a clean division of responsibility and makes the system more scalable, flexible, maintainable and extensible with a high level of cohesion between components.

The figure primarily shows the relationship of the Community of Interest (CoI) e-services with the applications through which they are made available. In this view, the e-services are client facing. These services are made available through multiple applications and databases in the background. These applications are made into services by web-service enabling the existing and new applications. The integration and connectivity services are the glue between them. The figure is not intended to show source code filenames or specific executable elements. This diagram is meant to represent a lower level of detail, interpreting components more as sub-systems. Specifically state the framework and design patterns implemented.

The Application Architecture can be divided into the following seven components:
- User Access Layer
- Presentation & Portal Access Layer
- Services Layer
- Integration & Connectivity Layer
- Generic Service Delivery Layer
- Applications & Databases Layer
- Infrastructure Layer

[Figure: Application Reference Architecture Framework. The diagram shows the access channels of Citizens (Individuals & Communities) (G2C) and Information Providers (G2B & G2G); the layers Presentation & Portal Access, Enterprise Intelligence, Community of Interest Services, Collaboration, Generic Service Delivery Layer, Integration & Connectivity Services, Application Servers, Master Databases and Infrastructure; and, alongside them, Governance Policies, Architecture Principles, Standards, System Management, Security Management, Capacity Building and Training, and Marketing & Awareness.]

5.2. The Application Architecture

The User Access Layer

The User Access Layer lists the actors who would be interacting with the systems: primarily the citizens, businesses and government themselves, sub-categorised into Citizens and Information Providers. Citizens include individual Beninese, intermediaries and communities, whereas information providers include businesses, government employees and other government. Different types of e-services would be made available based on these roles. Furthermore, the services are categorized into G2C (Government to Citizens), G2B (Government to Businesses) and G2G (Government to Government) services. These services are accessible to different roles based on their authorization levels.

The User Access Layer of the application architecture further defines a multi-channel strategy that addresses the Government of Benin's objectives of improving the services provided to citizens and reducing the cost of providing the service. The strategy meets citizen requirements by providing services that are flexible, accessible, complete, easy and secure. The implementation of the e-government channel strategy will include user profiling that will show the different segments, such as meeting the requirements of an uneducated citizen or a disabled person, and how a user's channel preferences are influenced by circumstances such as the nature of the service required or his/her need for direct, person-to-person interaction.

e-government Channel

Considering the availability of the Internet and its related services, the Application Architecture defines an integrated channel strategy, which will be based on existing traditional channels as well as the introduction of new electronic ones. The channel strategy involves identifying the different modes of service delivery, that is, the interaction between the user and the Government, and the type of interaction, whether it is transactional or just information rendering.

For example, if a citizen wants to apply for a driving license, the enquiries could be done via the Government Web Portal, by telephone (and IVR), email, fax or post. The citizen could then complete the application online via the Web Portal using the Identity Management credentials, or complete forms and send them by post, or apply face to face at the DVLA. The interaction could take place over the different channels such as the office counter, telephone, email, post, etc.

A channel is a means used by the administrative functions of the MACs to interact with and deliver services to their users. The channel strategy will look at the services from a delivery mode and the channels are categorized into the following groups:
- Dissemination of Information: This category focuses on promoting and marketing Government services, educating citizens, organizations and other Governments on the various services delivered by Government, as well as awareness creation;
- Notification: This category deals with Government informing citizens, organisations and other Government about events and activities;
- Payment Transaction: Deals with any agreement, communication or movement carried out between separate entities, often involving the exchange of money. The entities here are citizens, businesses, NGOs, other Governments and Government;
- Registration: For Government services;
- Subscription: An agreement with another organisation or institution that gives one the right to receive information. May sometimes involve the payment of a sum of money;
- Service Rendering: Refers to a service offered to citizens by any of the MACs that originally has not been requested. For instance, services offered by charity organisations and other entities;
- Request: The act of citizens asking for something to be done. A request is followed by a delivery of the service being asked for. A request can be from citizens to Government or vice versa.

Presentation and Portal Access Layer

Although the diagram shows different channels of access to the portal, the primary channel supported by the architecture is browser-based access with a single sign-on capability. However, given the current state of ICT implementation in Benin, other forms of access should leverage this single point of access in order to increase the reach of e-government to citizens. For example, if a citizen wants to apply for a driving license, the enquiries could be done via the Government Web Portal, by telephone (and IVR), email, fax or post. The citizen could then complete the application online via the Web Portal using the Identity Management credentials, or complete forms and send them by post, or apply face to face at the DVLA. The interaction could take place over the different channels such as the office counter, telephone, email, post, etc.

Portal Access Layer

The Portal Access Layer provides the capability to aggregate services from many different and disparate application systems and presents the resulting information through a consistent user interface (UI). The enterprise can allow the customer to customize the UI to view information in a way that is most convenient to the customer. This is usually referred to as personalization. There are tools that can help with campaigns and the creation of business rules, in addition to a recommendation engine that can dynamically add content based on the preferences and the "usage" of the user. Content can be provided based on profiles, job, location and business rules, which enhances user effectiveness and productivity, leading to increased loyalty to the web portal.

The Portal usually provides support for multiple devices, utilizing transcoding technology to produce the proper HTML format based on the particular device accessing the Portal. This provides a single point of interaction for the user regardless of the type of device the user may use (e.g. mobile phone, PDA, laptop). The Portal Access Layer supports the user by providing a workplace for applications, processes and content.

The portal hosts the portlets, where each e-service would map to one or more portlets. Portlets execute in a portal server; the clients on the system typically access the portlets to invoke an e-service. Furthermore, the portal allows the creation of "virtual" portals within one portal infrastructure for different departments and agencies.

Enterprise Intelligence

The Enterprise Intelligence sub-layer is responsible for managing all aspects of content and data for e-Government. Proper handling and display of this information is crucial, as there are privacy issues associated with it. This sub-layer includes Content Management, Information Management, and Analysis and Mining.

Delivery of information to Citizens, Agencies (employees) and private businesses is a vital role of e-Government. Content can be thought of as Documents, Rich Media and Web Content. Since most activities of government involve documents, their storage and retrieval is an important element in the effective and efficient delivery of services. Delivery of information that changes during its lifecycle is another important aspect of content delivery. Content Management systems provide the mechanism to maintain changing information automatically.

The information management aspect deals with the management of the components of information from the various Ministries, Departments and Agencies and making them available for further analysis.

Finally, the Enterprise Intelligence sub-layer also includes the extensive analysis and mining of data for the delivery of e-government services. As Governments move more to the delivery of knowledge from data, the analytics, reporting and delivery of this information play a vital role in the effective service of customer interactions. The automatic triggering of queries can cut days off the reaction time to incidents. Also, federated data searches allow for the aggregation of data from various sources.

Services Layer

The Services Layer provides the Community of Interest services and the Collaboration services. This domain encompasses the range of electronic services that support the core businesses of Benin Government departments that are not represented in the Generic Service Delivery domain. As such it is a diverse domain where commercial software products are often less likely to be available, and therefore applications are more likely to be sourced from other jurisdictions or custom developed. The CoI services provide the e-services that are made available to Citizens, Businesses and Government Employees through the web portal and its portlets.

User collaboration is a key capability supporting a transformation to an e-government environment. Technology support for collaboration is provided by several key functional capabilities:
- Instant Messaging and Awareness provides the ability to interact with key team members
- e-meeting via a browser, where users can whiteboard and share regardless of firewall placement
- The ability to organize related tools, content and team members

Integration and Connectivity Layer

The fulfillment of the Government of Benin's e-government vision will require increased vertical and horizontal integration of Government operations and services. The Integration and Connectivity layer includes tools and application services that facilitate the interlinking of the e-government systems, thus supporting interoperability and communication across MACs. The integration service architecture will include different integration approaches and an integration hub to orchestrate the integration of application services across Government.

e-government Service Bus

The e-government Service Bus (egsb) is the technology responsible for the movement of data among multiple application services, both within and outside of the MAC. The solution will use open standards to connect, transform, and route documents as XML messages across the channels and the various application services. It will enable monitoring and management of data, with minimal impact on existing applications. The egsb will provide the underlying infrastructure platform for delivering the service-oriented architecture (SOA) and event-driven architecture (EDA) requirements of the GGEA.

The egsb is a key enabler for SOA because it provides the capability to route and transport service requests from the service consumer to the correct service provider. The true value of the egsb concept, however, is to enable the infrastructure for SOA in a way that reflects the future needs of the MACs. The egsb must be centrally managed and administered and have the ability to be physically distributed to enable intra- and inter-MAC application integration. The egsb would include the following functions:
- Communication
- Service Interaction
- Integration
- Management
- Security

e-government Information Integration

e-government Information Integration (egii) is the integration of data from multiple systems into a unified, consistent and accurate representation geared toward the viewing and manipulation of the data. MACs must have the capability to aggregate, restructure and present information in a consistent and secure way to the user. To support the Government's BI architecture there is a need for data integration, which is the extraction, transformation and loading (ETL) of data from disparate systems into a single data store for the purposes of manipulation and evaluation (reporting). Data warehouses and data marts are the data stores, and ETL tools are the data integration components. The data transfer techniques available to the MACs include:

- Real time Transfer
- Incremental Batch Transfer
- Native Replication
- Bulk Refresh Using Batch File Transfer
- Bulk Refresh

Generic Service Delivery Layer

Generic Service Delivery, also referred to as the Shared Services Layer, includes those aspects of service delivery that are of a more generic nature and are likely to occur across many if not all agencies. In the sub-domains of Generic Service Delivery, it is possible that there are commercial off-the-shelf products that may meet the needs of departments. Moreover, a product that services one department in any one of the sub-domains may well also be suitable to service other departments with little or no change.

Directory Services

A government-wide electronic directory service provides a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include the identity of individuals, folders, files, printers, users, groups, devices, telephone numbers and other objects. It serves as a central information repository for the e-government service delivery platform.

Electronic Payment Services

The implementation of a government-wide e-payment System is recognized as a key enabler for the attainment of the Government of Benin's e-government vision. It is intended to provide consumers of e-government Services with a singular payment method that meets the highest industry security levels and provides a homogeneous payment experience across all services. This is achieved through the implementation of a web service that supports both one-off transactions that are part of an online process and the posting of journal entries for electronic bill presentment and payment. The main online payment functions envisaged for the Government of Benin e-payments Gateway are:
- Purchasing: Government goods and services online, as a routine or on an ad hoc basis;
- Bill Presentment and Payment: paying utility bills, fines, rates payment, registration and licensing renewal;
- Refunds to the MACs

Currently the Benin economy is cash-based, where the use of cash dominates the payment of goods and services in the country. Relatively large transactions use cheques. The use of electronic payment systems, i.e. debit and credit cards, online payments and mobile payments, is generally in its infancy. The introduction of e-government services creates new financial needs that cannot be effectively fulfilled by the traditional cash and cheque payment systems. Government as a merchant would like to sell services online, and e-commerce technology offers a number of possibilities for creating new payment systems that substitute for existing payment systems, as well as creating enhancements to existing systems.

The Internet-based payment gateway will allow credit and debit card details to be entered online at the time of purchase, with the details encrypted using Secure Sockets Layer (SSL) technology (available via the browser). The Internet payment gateway provides online authorization and settlement, or decline, of credit/debit card transactions. The Payments Gateway will be triggered by a Web Services SOAP call made from the Government of Benin Web Portal to the payment facility, which processes a real-time authorization and returns a result as a synchronous process. The Payments Gateway will make a payment request to a cards processing provider, who will return an authentication code to the Payment Gateway for the transaction.

Identity Management

In the context of e-government services access, users are usually enrolled with multiple unrelated services with different user interfaces and different credentials. Thus, the user has an inconsistent user interface and works with different copies of the identity. For example, a citizen's driving license identification number may be used in the provision of certain services in relation to the government vehicle and driver registration system, whereas the national citizen identification number will be required in the provision of certain social services. Such inconsistency will be avoided by the use of a federated model.

A federated model provides a single logon service across multiple applications with a single identifier. In this model the federated Central Logon Service issues the credentials after a registration process. Credentials issued by this central logon service can be consumed by the other applications. Each application has its own user registration process to determine the authorization level. Once the authentication procedure is done by the Central Logon Service, it communicates the outcome to the application. One advantage of this model is that the user can retain a distinct application identifier for each participating application. When the user registers with the Central Logon Service, a new identifier will be assigned to the user for subsequent use. It is the duty of the logon service to keep the mapping between the Central Logon Service identifier and each application identifier. This model can be implemented to support two authentication flows:
- Logon through Central Logon Service
- Logon through application

Logon through Portal

In this flow the user would log on to the portal first and would then be presented with a list of services which he/she can access. Upon selection the user would be taken to the respective application as an authenticated user.
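The federated logon model described above, sketched as an added example (it is not part of the original document or of any Government system): a hypothetical Central Logon Service keeps the mapping from its own identifier to each application's identifier and communicates the authentication outcome as a short-lived, signed message that names only the receiving application's identifier. The class names, the HMAC-signed message format, the sample identifiers and the five-minute lifetime are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time

ASSERTION_LIFETIME = 300  # seconds; assumed value, not from the document


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class CentralLogonService:
    """Hypothetical central logon service: authenticates the user once and
    reports the outcome to an application under that application's identifier."""

    def __init__(self, app_keys):
        self._app_keys = app_keys  # application name -> shared signing key
        self._users = {}           # central identifier -> (salt, password hash)
        self._links = {}           # central identifier -> {application: app identifier}
        self._dummy_salt = os.urandom(16)

    def register(self, central_id, password):
        salt = os.urandom(16)
        self._users[central_id] = (salt, _hash(password, salt))
        self._links[central_id] = {}

    def link(self, central_id, app, app_identifier):
        """Record the identifier the user already holds with one application."""
        self._links[central_id][app] = app_identifier

    def logon(self, central_id, password, app, now=None):
        """Return a signed outcome message for `app`, or None on any failure."""
        # Unknown users still cost one hash, so timing does not reveal who exists.
        salt, stored = self._users.get(central_id, (self._dummy_salt, b""))
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        app_identifier = self._links.get(central_id, {}).get(app)
        key = self._app_keys.get(app)
        if app_identifier is None or key is None:
            return None
        issued = int(time.time() if now is None else now)
        claims = {"aud": app, "sub": app_identifier,
                  "iat": issued, "exp": issued + ASSERTION_LIFETIME}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class Application:
    """A participating application with its own registration data."""

    def __init__(self, name, key, authorization_levels):
        self.name = name
        self._key = key
        self._levels = authorization_levels  # app identifier -> authorization level

    def accept(self, message, now=None):
        """Verify the outcome message; return (app identifier, level) or None."""
        try:
            body, tag = message.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected.encode(), tag.encode()):
                return None
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, AttributeError):
            return None
        now = time.time() if now is None else now
        if claims["aud"] != self.name or now >= claims["exp"]:
            return None
        level = self._levels.get(claims["sub"])
        return (claims["sub"], level) if level else None


def build_demo():
    """Constructed sample data: one citizen known to two applications."""
    keys = {"driver-licensing": os.urandom(32), "social-services": os.urandom(32)}
    cls = CentralLogonService(keys)
    cls.register("CLS-1001", "correct horse battery staple")
    cls.link("CLS-1001", "driver-licensing", "DL-778812")
    cls.link("CLS-1001", "social-services", "NID-0042")
    apps = {
        "driver-licensing": Application("driver-licensing", keys["driver-licensing"],
                                        {"DL-778812": "licence-holder"}),
        "social-services": Application("social-services", keys["social-services"],
                                       {"NID-0042": "beneficiary"}),
    }
    return cls, apps


if __name__ == "__main__":
    cls, apps = build_demo()
    msg = cls.logon("CLS-1001", "correct horse battery staple", "driver-licensing")
    print(apps["driver-licensing"].accept(msg))  # accepted under the licensing identifier
    print(apps["social-services"].accept(msg))   # rejected: issued for another application
```

Because each message carries one application's identifier and is signed with that application's key, a message issued for the licensing system cannot be replayed at the social services system and does not disclose the citizen's other identifiers.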

98 Logon through application In this flow user, first access the application. Then it is the duty of the application to authenticate the user using the application specific credential. Portal authentication will not play any role over here Electronic Forms (e-forms) Electronic form is a dynamic document that captures information and submits it in structured way to Government agencies for processing. The form is actually a visual representation of complex application, which is powered by Adobe Reader widely used in Government at the moment. The application enables the form to do a lot of tasks for you, like checking that information is in the right format, making sure that required fields are filled out, and that all calculations are correct. The Benin Government e-forms service is a forms factory developed by the Government to provide e-forms and support services to all MACs. The forms factory concept will offer a Government-wide e-form solution using a shared infrastructure and a standard forms application to reduce the cost of e-form implementation. MACs will be able to order e-forms for agency, citizen and business use through the shared infrastructure. The forms factory will ensure a common architecture, a structured classification of forms and standardised design to improve quality and ease of use. Forms can be completed online, downloaded by a user for use at anytime, online or offline and submitted to MACs in a variety of ways: printed and mailed through the post, ed as a PDF, or submitted electronically for data extraction into an agency data file. E-forms streamline and automate business processes by helping people interact with information more effectively. Permits, registrations, purchase orders, requests for assistance or any MAC s forms used to collect and track information can be transformed into an e-form. 
E-forms will use the ubiquitous Adobe Reader software and PDF and XML standards to capture information from customers and integrate that information with an agency's existing data infrastructure. By combining forms and business process functionality, MACs can use e-forms to offer a robust solution that works inside and outside of the firewall, online or offline. Form Submission The user requests an e-form via the Government Web Portal, the requests are sent to a report generator, which checks whether the request has session information, or not, if not a new session identity is requested from a session manager. A new session identity is created and details stored with a time stamp. The report generator sends a request for the e-form page including the session identity and the response sent back to the user a Web Service interface. In entering the e-form page on the Portal, users will be prompted to identify themselves by providing their credentials, which will be a User ID and a password. If the user does not have a valid User ID and password, he/she will be asked to register/enroll by following a link to Government of Benin Identity Management service. After he/she is registered, he/she then comes back to the e-forms system to 98

access the e-form services. If the Identity Management service returns an indication that the user is not validated, a suitable error message will be generated and the details logged.

When the user has completed the form, they may submit it. The user can save the form at any time in its current state of completion, and can later retrieve a partially completed form and continue to fill it in. However, this is only possible if the user is able to provide a credential to validate their identity. Depending upon the particular implementation, the form may be submitted via an XML transaction, email, or through any of the channels that will be specified by the MACs. In all cases, however, the form is first saved in the form cache.

Receiving Status Information

The user may obtain status information on the progress of their transactions, that is, the progress of the forms that they have submitted. A suitable link on the home page must be provided as a facility for the user to discover this information. The status information is envisaged as a text string that is meaningful to the user, for example 'Completed'. The following additional mechanisms should also be provided:

- A complete re-synchronising of the status of all transactions held on the e-forms system with the status as held on the MAC's system;
- A facility for deleting transactions from the e-forms system when their status has been deemed 'delete' by the MAC's Services adapter, based upon suitable business rules.

MAC's System Polling

The e-forms system will, from time to time, poll the MAC's system for a progress report on all the transactions that are being processed. The MAC's System Interface or adapter will hold all changes to transactions since the last poll.

1. At pre-defined time intervals, the e-form Adapter requests polling of the MAC's systems for status information.
2. The e-form Adapter creates a Government of Benin XML message requesting information about all transactions and sends this to the relevant MAC's System Interface via the appropriate messaging protocol.
3. The MAC's System Interface retrieves the status changes and returns the changes.
4. The e-form Adapter receives the changes and calls the Form Cache to make the necessary status updates.
5. If an error occurs, then repeat steps 2-4. If after a number of tries the information cannot be accessed, the e-form Adapter logs the problem and raises a system alert.
6. These additional mechanisms should be provided:
- There should be a re-synchronising of the status of all transactions held on the e-forms engine with that on the MAC's systems.

- There should also be a facility for deleting completed transactions from the e-forms engine rules

Document and Records Management

Document Management is the process of managing documents throughout their lifecycle, from inception, through creation, review, storage and dissemination, all the way to their destruction, where a document is defined very widely to include those stored electronically or on paper. Alternatively, document management is the process of retrieving, sharing, tracking, revising, and distributing documents and the information they contain. It includes such features as security, version control, and check-in/check-out. Hummingbird Enterprise DM is an example of a document management system.

A records management system supports the declaration and management of records throughout their life cycle from creation to destruction, including access and security. Records management can be seen as a subset of document management, being concerned with specific types of documents, that is, those officially recognized as being records, for example, for legal or auditing purposes.

Applications and Databases Layer

Application Systems

The MACs have to deploy application services to automate various business processes, and this section describes some of the application features that may be required by the MACs. The objective is to provide a high-level overview of some of the application components to be deployed to support some of the functions described in the Business Reference Model (BRM).
Agricultural Management System

The Ministry of Food and Agriculture (MOFA) is the ministry responsible for the development and growth of agriculture in the country. The ministry's primary roles are the formulation of appropriate agricultural policies, planning and co-ordination, and monitoring and evaluation of the nation's agricultural sector, with the following objectives:

- Improve agriculture productivity, incomes and employment opportunities;
- Contribute effectively to balance of payments;
- Establish effective agriculture industry linkages;
- Promote balanced regional development.

An advanced management system of agricultural resources is one of the most important tools to implement efficient management and modernisation of agricultural production and influences. The above objectives can however be effectively achieved through e-agriculture. e-agriculture is an emerging field within agricultural informatics, agricultural development and business. It refers to

agricultural services and information delivered or enhanced through the Internet and related technologies. e-agriculture focuses on the enhancement of agriculture through improved information and communication processes. More specifically, e-agriculture involves the conceptualisation, design, development, evaluation and application of ICT with a primary focus on the following main agricultural industry phases:

- Crop cultivation;
- Water management;
- Fertilizer application;
- Pest management;
- Harvesting and post harvesting handling;
- Transporting of food and food products;
- Packaging;
- Food preservation;
- Food processing/value addition;
- Food quality management.

All stakeholders in the agriculture industry need information and knowledge about the above phases to manage them efficiently. The agriculture systems must provide timely, accurate, complete and concise information for effective decision-making.

Education Management System

The educational system in Benin comprises three main levels:

- Basic Level;
- Secondary Level;
- Tertiary Level.

A ministry currently manages each level. The education system would encapsulate all core business and academic rules, integrating with all other key management software from financials, timetabling, human resource management, and other software as required. Features of the education system include:

- The Client Structure - provides a 360 degree view by holding information on students, organisations, staff, contacts, committee members, and the relationship between them and the institution. This feature is part of the original functionality, indicative of the fact that the system has been developed as a truly client centric application, making it easier for institutions to deliver a strong client service.
- The Institutional Structure - holds information about the institution and all of the academic and vocational programs, awards and courses that are delivered. This module also holds detailed curriculum information to support the generation of the calendar and course prospectus;
- Common Programming Framework - covers all aspects of the user interface, application security, administration, auditing, searches, queries, extracts and reporting. This ensures that

the entire application performs consistently throughout, reducing overheads associated with system training and maintenance.

Planning and Budgeting System

The planning and budgeting process can be a very cumbersome and tedious process to undertake in every agency; however, in today's competitive and changing business environment, frequent or continuous planning and budgeting is more important than ever. As such, the use of the planning and budgeting application software will provide connected and streamlined budgeting, planning, forecasting, reporting and analysis, as well as control over the accuracy, completeness, and timeliness of the planning and budgeting process, while ensuring that the agency's strategies are reflected in the financial plans.

In today's competitive business environment, MACs of all sizes need to become more agile and flexible through the improvement of operational and financial planning. Since business survival is based on speed and agility, budgets and forecasts must be tied to organizational strategy and updated as the business environment changes. This however requires collaborative and integrated planning and budgeting. The system will replace cumbersome and error-prone spreadsheets whilst enabling more collaborative and event-based planning.

Judiciary Management System

The Benin judicial service comprises various sub-systems: investigation, prosecution, trial procedures, jails, judicial administration, arbitration, public notaries and state compensation. Hence, the deployment of a Judicial Management System would greatly improve the management of these sub-systems nationwide. The enhanced management and improved communication would benefit judges, lawyers, court administrators and the court user. The main objective is to improve interoperability and to reduce delays and associated procedural errors.
Within the criminal justice system, ICT-enabled change would provide:

- Fast, effective channels to enable criminal justice organisations to talk to, and work with, each other, for example through case management and secure email;
- Improved security, which guarantees that the right information is communicated to the right people at the right time and in a secure way;
- Improved visibility, which ensures that laws are easier to understand for the citizen and especially for victims and witnesses of crime, facilitates the follow-up of legal cases, and ultimately introduces quality standards into the judicial system of the country.

This can be achieved through the use of 'Joined up Justice', which is aimed at rebuilding public confidence in Government and the rule of law.

Master Data Management

This sub-layer of the application architecture deals with the databases that store the various application data from the application systems described earlier. To facilitate effective decision making by business intelligence and data mining techniques, a master data management technique is proposed. Master data (also known as reference data) represents the Government's business entities, terminology, definitions and classifications used to describe business information. Due to the autonomous nature of the MACs, reference data such as accounting codes and other common identifiers such as citizen ID, tax number, etc. are inconsistent.

1. Information Architecture

1.1. Overview

This section provides the recommended best practices and guidelines to be adopted by the GoL MACs for the development of the Information Architecture segment of Government Enterprise Architecture (GEA).

The information architecture is that segment of the GEA that defines the structure of the government's logical and physical data assets and addresses data management considerations. It reflects the domain entities and their relationships, and establishes accountability for data integrity. Definition of data architecture should be incremental to meet specific domain requirements. An initial high level information reference architecture framework should be considered as the starting point that will provide the basic building blocks required for the development of the information architecture segment and drive the definition of standards.

The information architecture should be designed adhering to the recommended overarching Information Architecture Principles (e.g., data creation and accessibility, data availability, data security, confidentiality, integrity, data ownership, standard common data definitions etc.) and Data Reference Model (DRM) as outlined in the Architecture Vision section of the main report.

Information Reference Architecture Framework

The Information Reference Architecture Framework is derived from the Data Reference Model described earlier. It defines and describes the decomposition of the information/data architecture framework components that are essential to manage the data assets of the Government of Liberia.

[Figure: Information Reference Architecture Framework. Panels: Data Lifecycle, Data Quality Management & Data Governance; Data Context, Data Definition and Data Life Cycle Management; Data Security; Enterprise Data Model; Data Integration; BI, Search, Reporting, Data Warehouse & Master Data Management; Content & Knowledge Management; Data Infrastructure Management.]

To provide comprehensive coverage, best practices and guidelines have been recommended for the following information architecture framework components (as defined above).

1. Data context and data definition - This component deals with defining the context of the data by classifying data as per subject area and defining the enterprise data and metadata standards to ensure seamless interoperability by removing ambiguities and inconsistencies in the use of data across MACs.
2. Enterprise data model - This component deals with data analysis and design of the underlying data structure.
3. Data life cycle, quality management and data governance - Data life cycle management deals with the management of structured data assets across the data life cycle, from creation and acquisition through archival and purge. Data quality deals with defining, monitoring and improving data quality. Data governance deals with planning, oversight, and control over data management and use of data.
4. Data sharing and integration - This component deals with managing data transformation and data exchange across applications and data stores, defining capabilities from batch-based to real-time integration (including extract, transform and load (ETL) and extract, load and transform (ELT)), event-driven, message-driven, and real-time integration.
5. Data security - This component deals with managing data privacy and confidentiality, and with preventing unauthorized data access, creation and change.
6. Business Intelligence (BI), search, reporting, data warehouse and Master Data Management (MDM) - This component deals with managing analytical data processing, enabling access to decision support data for reporting and analysis, providing search and reporting, and managing reference master data.
7. Document, content and knowledge management - This component deals with storing, protecting, indexing, and enabling access to data found in unstructured sources (electronic files and physical records including text, graphics, images, audio, video etc.).
8. Data infrastructure management - This component deals with managing the core data infrastructure foundation, which is one of the critical capabilities required within information architecture. It looks at the ability of the database management system to effectively store and retrieve various styles and structures of data and information. The ability to manage and operate other infrastructure components in a highly available and recoverable fashion is also essential to ensure the availability of the data in a timely manner.

It is advisable for GoL participating countries to develop capabilities across the above framework component areas to appropriately manage data and information assets.

Data Context and Data Definition

Data Classification and Taxonomy

Data is a critical asset for governments and should be protected. Adopting a data classification scheme to classify government information according to its sensitivity to business continuity and security concerns is critical. Define a government-wide consistent approach to capture the context of the data assets and define a data classification scheme as outlined in the Data Reference Model (DRM) Data Context standardization area.

The DRM Data Context standardization area establishes an approach to the categorization / classification of data assets focusing on two management mechanisms to capture the context of the data, viz:

a. Taxonomies and Topics
b. Data asset / entity description

Data Classification Scheme - Each MAC should maintain a data entity catalogue based on the data classification scheme outlined below, categorizing data assets based on subject area context (taxonomy) at the highest level and logical data components (topics) within each subject area:

- Subject Area (Taxonomy), e.g. Tax Administration Services
- Logical Data Components (Topic), e.g. VAT Registration
- Data Entities, e.g. VAT Registration Profile, VAT Returns, Purchase/Sales Transaction, Organization, Address

a. Taxonomies provide a high-level set of categories that groups the logical data components and data entities based on the business/domain area they most closely align with, the stakeholders they impact, the extent or degree to which they are dependent on each other and the need to be managed as a unit.
b. The logical grouping of data components within each subject area provides a boundary zone that encapsulates related data entities to form a logical grouping. Creation of logical data components groups data entities into encapsulated modules for governance, security, and deployment purposes.

Implementation of taxonomies could take the form of OWL Web Ontology Language hierarchies or ISO Classification schemes. Each MAC should create their own information catalogue with descriptions of strategic business data and information exchanges.

Enterprise Data and Metadata Standards

Data Standards

An enterprise data standard catalogue should be defined and adopted across MACs to ensure seamless interoperability, remove ambiguities and inconsistencies in the use of data across MACs and enable easier, more efficient exchanging and processing of data. Common and generic data entities used across MACs (e.g. Name, Organization, Address, Email, Identifier etc.) should be identified, and consistent data standards for these entities defined at the enterprise level and adopted across MACs.

While defining common data standards, it is advisable to leverage where possible international universal formats and standards (ISO, W3C, OASIS etc.) that may already exist, to achieve interoperability between different systems, processes and platforms and to eliminate the data transformation required to convert common data from one proprietary format to another.

Some examples of common international data standards:

a. ISO 3166 Country Codes
b. ISO Currency Codes
c. ISO 8601 data elements and interchange format for representation of dates and times etc.
d. OASIS Customer Information Quality (CIQ) Specifications v3.0, which defines a universal common format to describe the customer/citizen name, address, unique identifier and other customer attributes.

Standard naming convention

A full business name should be assigned to each data standard using the following format: OBJECT QUALIFIER(S) DESIGNATOR, where:

a. OBJECT is a keyword that describes the main object/entity/concept to which the standard relates, e.g. Person, Company, Organization, etc. This subject word is omitted where the name of the standard is otherwise sufficiently clear as to render a prefix superfluous;
b. QUALIFIER(S) is a qualifying word(s) used to describe the standard uniquely. Each word used is itself meaningful to the standard being described. The order of the words is in decreasing order of importance from left to right;
c. DESIGNATOR is a keyword that designates the class or category of data to which the standard belongs, e.g. name, number, code etc. This designator word is at the end of names that are made up of several words.
d. Standard designators used:
- Name: Alphanumeric data by which a data element is known, e.g. Person First Name, Person Last Name, Organization Name
- Number: Alphanumeric data that is used for identification purposes, e.g. a Business Registration Number, Citizenship Number, Tax Identification Number (TIN)
- Description / Information: Alphanumeric data that is used to describe a specific data element, e.g. Business Description
- Type: Data that categorizes a data element, e.g. Organization Type
- Code: Data, maintained by the user, which readily identifies an occurrence of a data element, e.g. Country Code, Currency Code
- Any of the standard Data Types, e.g. Date, Time, may be used as standard designators, e.g. Person Birth Date, Business Registration Date

These standards should apply to all MAC ICT systems that are mandated in the GoL e-GIF and are for use in all other public sector interfaces. Compliance with these standards should follow the e-GIF compliance rules.
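One way to check a data standard catalogue against the OBJECT QUALIFIER(S) DESIGNATOR convention above, as an added example that is not part of the GoL framework. The closed OBJECTS list, the function names and the sample catalogue are assumptions made for illustration.

```python
import re

# Designators listed in the naming convention; Date and Time are the two
# "standard Data Types" the text names as usable designators.
DESIGNATORS = {"Name", "Number", "Description", "Information",
               "Type", "Code", "Date", "Time"}

# OBJECT keywords. Person, Company and Organization are named in the text and
# Business appears in its examples; treating this as a closed list is an assumption.
OBJECTS = {"Person", "Company", "Organization", "Business"}

# Each word of a business name: capitalised, letters only (assumed house rule).
WORD = re.compile(r"[A-Z][A-Za-z]*\Z")


def parse_standard_name(name):
    """Split a data standard name into object, qualifiers and designator.

    Raises ValueError when the name does not follow the convention.
    """
    words = name.split()
    if len(words) < 2:
        raise ValueError("needs an object or qualifier before the designator")
    for word in words:
        if not WORD.match(word):
            raise ValueError(f"word {word!r} is not a capitalised alphabetic word")
    designator = words[-1]
    if designator not in DESIGNATORS:
        raise ValueError(f"last word {designator!r} is not a standard designator")
    body = words[:-1]
    # The OBJECT prefix is optional: it is omitted when the name is clear without it.
    obj = body[0] if body[0] in OBJECTS else None
    qualifiers = body[1:] if obj else body
    return {"object": obj, "qualifiers": qualifiers, "designator": designator}


def audit_catalogue(names):
    """Return (parsed, violations) for a list of proposed standard names.

    A name that repeats an earlier entry is a violation, because qualifiers
    are meant to describe each standard uniquely.
    """
    parsed, violations, seen = {}, [], set()
    for name in names:
        try:
            result = parse_standard_name(name)
        except ValueError as exc:
            violations.append((name, str(exc)))
            continue
        key = " ".join(name.split())
        if key in seen:
            violations.append((name, "duplicate of an earlier entry"))
            continue
        seen.add(key)
        parsed[key] = result
    return parsed, violations


# Constructed sample catalogue: the first five names come from the examples in
# the text, the remaining four are deliberately malformed or repeated.
SAMPLE_CATALOGUE = [
    "Person First Name",
    "Organization Name",
    "Business Registration Number",
    "Country Code",
    "Person Birth Date",
    "person_first_name",
    "Name Of Person",
    "Country Code",
    "Registration Date Business",
]

if __name__ == "__main__":
    ok, bad = audit_catalogue(SAMPLE_CATALOGUE)
    for name, parts in ok.items():
        print("OK  ", name, parts)
    for name, reason in bad:
        print("FAIL", name, "-", reason)
```

Running the audit at the point where a MAC proposes a new entry keeps malformed or duplicate names out of the shared catalogue before other systems start depending on them.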

Metadata Standards

Metadata means "data about data". Metadata provides a context for data assets in the form of core standardized and structured resource description that explains the origin, purpose, time reference, geographic location, creator, access conditions and terms of use of a resource. Metadata are typically used for resource discovery, providing searchable information that helps users to easily find existing data.

The GoL metadata standards should be primarily based on the international Dublin Core model (ISO 15836). The model provides a standard for metadata and metadata element description and covers:

- Dublin Core (DCMI Metadata Terms) standard based on ISO to be used for metadata description of websites, digital documents and objects.
- Dublin Core Metadata Element Set - a simple and extensible metadata element set intended to facilitate discovery of electronic resources.

An XML based metadata schema should be defined and standardized across the government. Every data item important for data exchange across the enterprise should have metadata. The use of standardized records in XML format brings key resource description together into a single document, creating rich and structured content about the data.

A centralized server-based source of metadata is preferred. Metadata can be viewed with web browsers, can be used for extract and analysis engines and can enable field-specific searching. Metadata can be harvested for data sharing through the Open Archives Initiative Protocol for Metadata Harvesting (OAI-PMH), which supports access to web accessible material through interoperable repositories for metadata sharing, publishing and archiving.

Enterprise Data Model

Data Modelling

Common data definitions (e.g., citizen's demographic profile) across MACs as per the data standards are essential to eliminate redundancies. Data owners need to be identified to be responsible for common data definition, ensuring data integrity and protecting data from misuse and destruction.

Conceptual Data Model

- The conceptual data model (CDM) identifies the semantics of data assets from the business context point of view and depicts the highest level significant business data entities, along with their relationships, to emphasize the business rules.
- UML Class Diagram, Entity Relationship Diagram or Object Role Model (ORM) could be used as the modelling technique for depicting the conceptual data model.
- The CDM data entities typically do not contain any attributes and are technology and application dependent.
- Segregate the conceptual data model into multiple views based on the subject area.
- Abstract out the common data entities used across MACs, e.g., person (citizen, employee) profile, company profile, name, address, contact, email, unique identifier etc.

- Propose a generic enterprise core common conceptual data model based on the common data entities and industry standard best practices that describe the core generic data entities at the enterprise level to be exchanged and shared across MACs.
- Propose MAC specific segment wise conceptual data model based on the MAC specific business entities required to support the business process and government services of the MAC. Leverage the common data entities defined in the earlier step to support these business services in each MAC.

Logical Data Model

- A logical data model depicts the logical view of the conceptual data model by representing the data in as much detail as possible, without regard to how they will be physically implemented in the database.
- Derive the enterprise core and segment wise logical data model from the enterprise core common and segment wise conceptual data model respectively (developed in the earlier stage), providing the logical view with respect to:
i. Identifying the data elements/attributes for each data entity,
ii. Defining the data type for each data element/attribute,
iii. Applying normalization, applying generalization / inheritance where applicable, defining super type and specialized sub type data entities, and
iv. Absorbing relationships as attributes, applying cardinality or multiplicity.

Canonical Data Model

- Canonical data model is an enterprise application integration design pattern that defines a standardized and agreed common data definition and model to enable MACs maintaining different data formats to communicate and share in a standard data format.
- This model is essential in defining the data integration architecture for the service delivery gateway.

Data Life Cycle, Quality Management and Data Governance

Data Life Cycle Management

Data life cycle management is the process of managing the government data throughout its life cycle from creation to disposal as depicted below:


Data Collection and Creation

This is the first step of the data life cycle process, when the structured data will be captured electronically in the source system. Some of the means of data collection and capture include data collected from online web forms and e-forms, data acquired from external sources, initial data migration from legacy systems to new systems etc.

Rigorous data quality checks, such as data validation, cleansing, standardization and deduplication checks at the data source during the process of data collection, are essential to improve the quality of the data being captured. This will reduce the propagation of erroneous, inconsistent, incomplete and potentially duplicate data to other downstream systems. Online forms should be pre-filled with available data to minimize data entry error.

Data Storage and Transmission

Data Transmission

- To ensure secure transmission, sensitive data must be encrypted to an appropriate standard before it is transmitted. Only data confirmed as un-classified or public should be transmitted in unencrypted form. Encryption ensures data security during transmission.
- Pretty Good Privacy (PGP), an industry-standard encryption technology, could be leveraged. Using this method, encrypted data can be transferred via portable media or electronically via file upload or email.

Data Storage

- After data is collected and transferred to its storage location, it must be protected from unauthorized access by both internal and external sources to prevent identity theft.
- A data storage strategy is essential because digital storage media are inherently unreliable, unless they are stored appropriately, and all file formats and physical storage media will ultimately become obsolete.
- Some important physical dataset storage and archiving considerations for electronic/digital data include:
i. Server Hardware and Software - What type of database will be needed for the data? Will any physical system infrastructure need to be set up or is the infrastructure already in place? Will this system be utilized for other projects and data? Who will oversee the administration of this system? The database must be protected from unauthorized access by both internal and external sources to prevent identity theft.
ii. Network Infrastructure - Does the database need to be connected to a network or to the Internet? How much bandwidth is required to serve the target audience? What hours of the day does it need to be accessible?

iii. Size and Format of Datasets - The size of a dataset should be estimated so that storage space can properly be accounted for. The types and formats should be identified to avoid any surprises related to database capabilities and compatibilities.
iv. Database Maintenance and Updating - A database or dataset should have carefully defined procedures for updating. If a dataset is live or ongoing, this will include such things as additions, modifications, and deletions, as well as frequency of updates. Versioning will be extremely important when working in a multi-user environment.
v. Database Backup and Recovery Requirements - To ensure the longevity of a dataset, the requirements for the backing up or recovery of a database in case of user error, software / media failure, or disaster should be clearly defined and agreed upon. Mechanisms, schedules, frequency and types of backups, and appropriate recovery plans should be specified and planned. This can include types of storage media for onsite backups and whether offsite backing up is necessary.

Data Usage

Good data management requires ongoing data audit to monitor the use and continued effectiveness of existing data. Data audit trails should be maintained with the ability to generate audit reports.

Data Sharing

Data and information should be readily accessible to those who need them or those who are given permission to access them. Some issues to address with access to data and a database system include:

- Relevant data policy and data ownership issues regarding access and use of data.
- The data sharing needs, along with the various types and differentiated levels of access needed and deemed appropriate. The need for single-access or multi-user access, and subsequent versioning issues associated with multi-user access systems.
- The cost of actually providing data versus the cost of providing access to data.
- Enterprise standard format for data exchanges, along with the transformation service required as appropriate for end-users.
- System design considerations, including any data that requires restricted access to a subset of users.
- Liability issues should be included in the metadata in terms of accuracy, recommended use, use restrictions, etc. A carefully worded disclaimer statement can be included in the metadata so as to free the provider, data collector, or anyone associated with the data set of any legal responsibility for misuse or inaccuracies in the data.
- Intentional obfuscation of detail to protect sensitive data (e.g. private property rights, endangered species) but still share data.

Data Retention and Disposal

Plan and define a data retention and disposal policy. Access control mechanisms must also be utilized to ensure that only authorized users can access data to which they have been granted explicit access rights during the disposal process. All computer systems, electronic devices and electronic media must be properly cleaned of sensitive data and software before being transferred outside the government.
Having a strategy for reliably erasing data files is a critical component of managing data securely and is relevant at various stages in the data cycle.

- For hard drives, which are magnetic storage devices, simply deleting does not erase a file on most systems, but only removes a reference to the file. It takes little effort to restore files deleted in this way. Files need to be overwritten to ensure they are effectively erased.

- Software is available for the secure erasing of files from hard discs, meeting recognized standards of overwriting to adequately erase sensitive files.
- The most reliable way to dispose of data is physical destruction. Risk-averse approaches for all drives are to encrypt devices when installing the operating software and before first use, and to physically destroy the drive using a secure destruction facility approved by the government when data need to be destroyed. Shredders certified to an appropriate security level should be used for destroying paper and CD/DVD discs. Computer or external hard drives at the end of their life can be removed from their casings and disposed of securely through physical destruction.

Adoption of a consistent backup policy across all government MACs should be considered. The agency responsible for ICT in each country can identify the MACs which are currently dependent on a single server and arrange for backing up of data on one common backup platform in each country.
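The overwrite-before-delete step described above for magnetic hard drives, as an added example that is not part of the original document. It assumes a filesystem that rewrites blocks in place; on flash media or copy-on-write filesystems an overwrite may not reach the original blocks, which is why the device encryption and physical destruction described above remain the reliable route. Function names and the sample record are constructed.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not exhaust memory


def overwrite_file(path, passes=1):
    """Overwrite every byte of `path` in place with random data.

    Returns the number of bytes overwritten per pass.
    """
    if os.path.islink(path):
        # Writing through a link would destroy a different file than intended.
        raise ValueError(f"refusing to follow symbolic link: {path}")
    size = os.path.getsize(path)
    # "r+b" reuses the existing file; "wb" would truncate first and may let the
    # filesystem allocate fresh blocks, leaving the old content untouched.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the new bytes out of OS caches to the device
    return size


def secure_delete(path, passes=1):
    """Overwrite the content, rename to a random name, then remove the entry.

    The rename keeps the original file name from lingering in the directory.
    Returns the temporary name that was used.
    """
    overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return anonymous


def demo():
    """Constructed sample: a file of fake identifiers is overwritten and removed."""
    marker = b"TIN=000-CONSTRUCTED-SAMPLE;"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 1000)
    size_before = os.path.getsize(path)

    overwrite_file(path)
    with open(path, "rb") as fh:
        leaked = marker in fh.read()      # is the sensitive record still readable?
    size_kept = os.path.getsize(path) == size_before

    secure_delete(path)
    return {"leaked": leaked, "size_kept": size_kept, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Backups, snapshots and temporary copies made by applications are not touched by this routine, so a disposal procedure still has to account for them separately.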

Data Quality Management

Data Quality is the process of measuring the quality or accuracy of the data within the government. The data quality improvement life cycle involves the following steps:

[Figure: Data Quality Improvement Lifecycle. Stages: Detect Data Quality Problems, Analyze Data Quality Solutions, Implement Changes, Monitor Results.]

- Detect
i. In this step, using statistical methods, profile the data and identify the significant problems contributing to data quality degradation, such as inconsistent and incomplete data, invalid data, duplicate or near duplicate records, violation of business rules etc.
- Analyze
i. In this step, investigate the cause(s) of a problem and analyze the data improvement solutions that will cost effectively eliminate the problem without introducing new quality issues.
ii. Examples of data improvement solutions could be defining data standards, better communication of business rules, defining data validation, cleansing and standardization rules, strong data validation checks during insert and edit of transactional data in the source system during the data collection process etc.
- Implement
i. In this step, implement the changes to reduce the data quality problem. This could include publication of data standards, enforcement of business rules, enforcement of more rigorous data validation, cleansing and standardization rules, tight edit checks in the data collection processes, centralization of master data to create a single version of the truth etc.

  ii. Examples of some of the data scrubbing activities include:
     - Format fields: Ensure consistent terms and formats across a given field.
     - Parse components: Break down strings of data into multiple fields to more effectively standardize data elements with greater accuracy.
     - Check content: Some records include accurate information that is embedded in the wrong fields. Other fields may appear populated but are not accurate (for example, a phone number field that looks like: ). The data cleansing process and rules should identify and correct these anomalies so the data is fit for use. Consider valid values and data range checks at the field level.
     - Eliminate duplicates: Identify matches and eliminate duplicate records. Once the data is standardized, this can be done with a high degree of confidence.
- Measure and Monitor
  i. Define the data quality metrics and service levels to monitor the data quality conditions over time. Examples of possible data quality metrics to be monitored over time include reduction in business rule error rate, improvement in the consistency and validity of data over time, reduction in duplicate records, etc.
  ii. Using statistical methods, monitor the results to ensure that the implemented changes are having the desired effect and to begin the cycle again with the next most significant quality reducer.
  iii. Having an automated or repeatable process in place will enable the government to measure accuracy on a regular basis, show an improvement, and eventually reach and maintain its target accuracy level.

Data Governance and Data Ownership

Data Governance

Data governance refers to the administration and processes around data protection, sharing of data on different levels across the organization, and data quality based on the agreed defined data principles. Having a data governance model is important as it ensures that:

- Data principles are defined, updated, maintained and implemented.
- A logical view of the data is created and the entities and attributes all have definitions.

- The physical implementation of the data does not break any legal requirements that the organization must comply with.
- The day-to-day management of the data includes activities such as storage, replication, access, interfaces, audit, reconciliation, archiving, backup and recovery, all of which are done using common standards and processes.

Some of the data governance best practices to be considered include:

- Define the scope and goals
- Build a functioning data governance council
  a. A data governance steering committee or council is the central decision-making body for data governance. Members are accountable for creating and enforcing policies and procedures, establishing governance processes, settling disputes over data, refining workflows and other data governance decisions. Without a formally assigned and approved council, there will be no coordination of the work of data governance.

- Institutionalize data stewardship
  b. Before data can be formally managed, stewardship of the data must be formally established. Data stewardship must be formally recognized and assigned in order to sanction the role and define its scope. Its definition will vary according to what data is most important to the organization.
  c. Data stewards will be accountable for all aspects of the data under their control. They will establish data quality thresholds; monitor the cost of poor data quality; decide who should have access to the data, for what purpose and under what conditions; collect and verify all applicable metadata; and act as a representative of the data in resolving all usage conflicts.
- Intentionally segregate duties. Data stewards should not have responsibilities for any aspect of managing business processes. Doing so puts the data steward in the untenable position of managing both data and the process in which it was created. This is equally true of data quality verification. Data stewards should be involved in the tactics of data correction and cleansing, but the business should define rules for its respective data sets.
- Establish controls and measurable key performance indicators (KPIs) to monitor the progress.
- Always be transparent, specifically in the management of data quality. The results of the process of measuring the progress of governance should be made available to all stakeholders.
- Try to address data quality problems at the source. It is always recommended to get to the root cause of data quality issues.
- Implement change management. Implicit in any well-designed change management system is an issue escalation and resolution process, and a feedback mechanism that keeps the originator of the issue informed about progress.

Data Ownership

A key aspect of data management is identification of the owner(s) of data through the data life cycle. Data owners across MACs need to be identified for ownership of datasets and their related data services and must be accountable for the effective and efficient management of such data.

- The key responsibilities of the data owner(s) include:
  i. Establish policies and agreements for data security and data sharing.
  ii. Ensure important datasets are developed, maintained and accessed within the defined specifications, adhering to data policy guidelines.
  iii. Maintain appropriate levels of data security and ensure data accessibility to authorized users.
  iv. Ensure adequate and agreed-upon data quality and metadata metrics are maintained on a continuous basis.

  v. Ensure periodic data audits to assure ongoing data integrity.
  vi. Ensure fundamental data maintenance across the data life cycle, including data storage and data archival.

Data Sharing and Integration

Data integration deals with the integration of all types of government data (both operational and decision support/business intelligence data), in batch and/or real-time mode. The best practices and guidelines to enable the GoL to set up data integration capabilities include:

Define an effective data integration strategy that looks beyond ETL and supports both analytical and operational processes and data.

Consider leveraging a universal data integration solution that will support the following architectural considerations:

- Extract, Transform and Load (ETL)
  i. ETL is leveraged across all of the data integration programs to access data from one system (preferably the source), transform it and load it in the target system. The ETL technology brings together underlying services, normally through a design interface, to build re-usable services and support various data integration initiatives.
- Data Quality
  i. Data quality checks are essential when data is loaded from the source to the target. Ensure the data integration solution provides a graphical environment for data stewards that allows them to bring together the underlying services to profile, parse, enrich, cleanse and match data to create the business rules to be applied either in real time or in batch as a part of the data integration/migration/synchronization process.
- Data Synchronization
  i. Ensure data synchronization to enable data to be moved from source to target by enabling the use of message queues, triggers, Change Data Capture, and more.
- Data Federation
  i. Ensure data federation capability that allows data to remain in place and be integrated and accessed as needed.
  ii. Due to its dynamic nature, this technique lends itself to solving potential problems where there is a need to access large amounts of data or data from many underlying systems.
- Metadata Mapping
  i. Ensure metadata mapping capabilities that will allow the import of metadata from various systems and the exchange of metadata with other systems.
- Enterprise Connectivity
  i. As part of a data integration initiative, ensuring connectivity with the interfacing systems is essential to allow data transfer across systems.
  ii. Ensure the data integration solution supports a wide variety of connectivity techniques, such as native access using standard utilities and open standard access (such as ODBC) to all major structured data sources, including relational databases, flat files, ERP systems, and mark-up languages such as XML for reading and writing.
  iii. Connecting to, reading from and writing to message queues, and the ability to receive and send data to and from Web services, should also be supported by the solution to provide complete connectivity.
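The scrubbing activities listed under Data Quality Management (format fields, parse components, check content, eliminate duplicates) and the load-time data quality checks called for above can be run as one repeatable routine that also yields the metrics to monitor. This is an added example, not part of the original document; the field names, the 10-digit national phone format, the 0-120 age range and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample records (not real data). Field names, the 10-digit
# national phone format and the 0-120 age range are assumptions.
RAW_RECORDS = [
    {"full_name": "Doe, Jane", "phone": "+231 77 012 3456", "county": "montserrado", "age": "34"},
    {"full_name": "Jane  Doe", "phone": "0770123456", "county": "Montserrado ", "age": "34"},
    {"full_name": "Kollie, Sam", "phone": "0000000000", "county": "Nimba", "age": "41"},
    {"full_name": "Mary Flomo", "phone": "0880 555 123", "county": "Bong", "age": "212"},
    {"full_name": "0886001122", "phone": "", "county": "Lofa", "age": "29"},
]

LOOKS_LIKE_PHONE = re.compile(r"[\d\s()+-]{7,}")


def normalise_phone(value):
    """Format fields: return a 10-digit national number, or None if invalid."""
    digits = re.sub(r"\D", "", value or "")
    if len(digits) == 12 and digits.startswith("231"):   # assumed country prefix
        digits = "0" + digits[3:]
    if len(digits) != 10 or not digits.startswith("0"):
        return None
    if len(set(digits)) == 1:      # populated but not accurate, e.g. 0000000000
        return None
    return digits


def parse_name(value):
    """Parse components: split one string into (given_name, family_name)."""
    value = " ".join((value or "").split())              # collapse whitespace
    if not value:
        return None, None
    if "," in value:                                     # "Family, Given"
        family, given = [part.strip() for part in value.split(",", 1)]
    else:                                                # "Given [Middle] Family"
        given, _, family = value.rpartition(" ")
    return (given.title() or None), (family.title() or None)


def clean_record(raw):
    """Apply the field-level rules to one record; return (record, errors)."""
    errors = []
    name, phone = raw.get("full_name", ""), raw.get("phone", "")
    # Check content: a phone number found in the name field is moved, not lost.
    if not phone.strip() and LOOKS_LIKE_PHONE.fullmatch(name.strip()):
        name, phone = "", name
    given, family = parse_name(name)
    if not given or not family:
        errors.append("full_name: missing or incomplete")
    clean_phone = normalise_phone(phone)
    if clean_phone is None:
        errors.append("phone: missing or invalid")
    county = " ".join(raw.get("county", "").split()).title() or None
    if county is None:
        errors.append("county: missing")
    try:
        age = int(raw.get("age", ""))
    except ValueError:
        age = None
    if age is None or not 0 <= age <= 120:               # data range check
        errors.append("age: outside 0-120")
        age = None
    record = {"given_name": given, "family_name": family,
              "phone": clean_phone, "county": county, "age": age}
    return record, errors


def scrub(records):
    """Clean, de-duplicate and measure; return (kept_records, metrics)."""
    kept, seen, duplicates, failed = [], set(), 0, 0
    for raw in records:
        record, errors = clean_record(raw)
        key = (record["given_name"], record["family_name"], record["phone"])
        # Eliminate duplicates only when every key field was standardized.
        if None not in key:
            if key in seen:
                duplicates += 1
                continue
            seen.add(key)
        if errors:
            failed += 1
        record["errors"] = errors
        kept.append(record)
    total = len(records)
    metrics = {
        "records_in": total,
        "records_out": len(kept),
        "duplicate_rate": duplicates / total if total else 0.0,
        "rule_error_rate": failed / total if total else 0.0,
    }
    return kept, metrics


if __name__ == "__main__":
    cleaned, report = scrub(RAW_RECORDS)
    for row in cleaned:
        print(row)
    print(report)
```

Running the routine on every load and recording `duplicate_rate` and `rule_error_rate` gives the trend the Measure and Monitor step asks for.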

Data Security

This is covered in section of the Security Architecture segment of this report.

Business Intelligence (BI), Search and Reporting

The following provides comprehensive industry best practices with respect to the coverage of BI and reporting capabilities that may be essential for an organization. However, not all may be applicable for the GoL participating countries. It is advisable that, based on the requirements of the governments and MACs, the applicable BI and reporting capabilities should be considered, leveraging the use of standard reporting tools that will support these capabilities.

Business Intelligence

- It defines the set of capabilities supporting the extraction, aggregation and presentation of government data to facilitate decision analysis. It provides information that pertains to the history, current status or future projections of the government to help analyze data for the purpose of supporting risk assessment, policy development, ad hoc queries, etc.
- BI broadly covers the following capabilities:
  i. Demand and Forecasting: Facilitate the prediction of sufficient production to meet an organization's demand for a service.
  ii. Balanced Scorecard: Supporting the strategy performance framework, pulling together financial and non-financial data.
  iii. Decision Support and Planning: Support the analysis of information and predict the impact of decisions before they are made.
  iv. Data Mining: Provide for the efficient discovery of non-obvious, valuable patterns and relationships within a large collection of data.

Search

- Search provides the ability to locate sources of specific data (i.e., structured, usually in operational systems) or information (i.e., unstructured, usually in content repositories or internet/intranet stores).
  i. Web Search: Identify and retrieve content across the intranet/internet.
  ii. Enterprise Search: Multiple types of content across a variety of sources, producing a consolidated list ranked by relevance.
  iii. Federated Search: Across multiple applications or using multiple search applications.
  iv. Application Specific Search: Limited to and within a specific application.

Reporting

- Reporting provides the ability to report and query data held within the Business Intelligence. It can also be used to conduct operational reporting on source systems where the use of the service is deemed appropriate.
  i. Pre-Defined Reporting: Pre-defined reports created for users, to meet regular requirements.
  ii. Ad hoc Reporting: User-created reports for infrequent requirements. Support the use of dynamic reports on an as-needed basis.
  iii. Query and Analysis: Allows users to query and analyze data, e.g. drill down, slice and dice.
  iv. Application Specific Reporting: Limited to and within a specific application.

Reporting Tool Selection Guidelines

It is advisable that the following guidelines be adopted while choosing the right reporting tool:

- The tool should have a good presentation mechanism, such as charts, graphs, query, text, etc., which allows users to call up pre-defined reports or create ad hoc reports.
- The tool should also have the customization capability to allow users to customize and pre-set the presentation of reports to ensure adherence with the organization's standard.
- The tool should have good transformation techniques and support business logic to convert raw data into useful information.
- The tool should support generating reports in various file formats like RTF, CSV, XML, etc.
- The reporting tool should have data source connection capabilities and support standard access mechanisms.
- The tool should have the flexibility to provide support for data integration from various databases, web services, flat files, objects, etc.
- The tool should have the requisite security features to prevent unauthorized access.
- The tool should also have the capability to seamlessly integrate with external user authentication and single sign-on frameworks.
- The tool should have flexible export capabilities supporting Excel, flat file and PDF export formats.
- The tool should be platform independent.
- Version control features and change control features should be available.
- Scheduling and distribution capabilities of a reporting tool are value-added features. Scheduling of reports to run daily or weekly, and distribution of the reports generated to the target audience either by e-mails or web publishing means, should be encouraged.

Document, Content and Knowledge Management

Use of electronic documents plays a decisive role in public sector modernization and e-government across the globe, facilitating the exchange of information and improving collaboration across the government.

- Converting paper-based document repositories into electronic format will allow easy access and retrieval of information in electronic form for government staff and citizens, improve process efficiency and reduce operational cost.
- MACs which maintain a large volume of documents (e.g., the Land Registry department, the Inland Revenue department, Finance and Treasury, Judicial Services, etc.) face increasing challenges in managing and sharing documents. Such MACs are ideal candidates for the use of electronic document repositories.
- Consider moving from paper-based forms to electronic online forms, or e-forms, that will allow citizens to fill in the form data online, making the data less likely to be error prone and reducing manual data entry effort.

- For existing paper forms and documents, scanning and OCR/ICR of the content is a fast way to capture the data with greater efficiency than manual entry and lower error rates.
- Use of an electronic document management solution (DMS) will enable the governments to share information within and across MACs.
- Consider the use of a government-wide central document repository to consolidate documents across MACs, which will facilitate faster content-based searching of documents. Appropriate security controls should be enforced to prevent unauthorized access to confidential documents.
- In case of multiple DMS rollouts in different MACs, a unified single document gateway could be conceptualized, integrating all the MAC DMS.
- Leverage industry-standard, out-of-the-box document management solutions (preferably open source, avoiding proprietary solutions and technologies wherever possible) that will facilitate faster deployment of the solution with minimum turnaround time and less development effort.
- Along with the technology consideration, there is a need for cultural change, with a paradigm shift in the mindset of the people using it (i.e., citizens, government staff, etc.). Proper training should be imparted to all levels of staff within government.

Some of the emerging trends in knowledge management:

- Deploy knowledge portals for internal government staff for information sharing, and national portals for citizen access for information dissemination as well as access to services.
- Leveraging Enterprise 2.0 technology, e.g., surveys, polls, discussion forums.
- Use of social media and networks to deepen interaction between government and the citizenry by moving beyond a traditional broadcasting model to active engagement on issues, programs and decision making.
- Integration of mobile devices into communication planning (e.g. text messaging for notifications and transactions).

5.3. Infrastructure Architecture

The key principle that underlines the Infrastructure architecture is that of a service-based approach to the development and deployment of shared infrastructure services for all MACs. It must also be based on extensive exploitation of virtualization and consolidation of components, enabling MACs to request services rather than physical infrastructure items such as servers.

To operationalize the Liberia Government's goal of e-governance, a nation-wide technical infrastructure should be planned from two perspectives:

- Shared and Secured Network
- Shared and Secured Data Centre Services

The infrastructure architecture described in this section is limited to the Shared and Secured Network aspect. The shared and secured network required to support the connected Government vision of the Government of Liberia includes:

- Service Access Domain
- Integration
- Platform
- Network

[Figure x: Infrastructure Reference Architecture Framework. Domains shown: Service Access, Integration, Platform and Network, with Common Technologies to all Domains, alongside Security, Enterprise ICT Management and Maintenance Environment]

Service Access Domain

The Service Access Domain provides a common set of enabling infrastructure services that can be leveraged by all clients hosted within the environment. Examples of these include Internet connectivity, LAN infrastructure, first-level security, external DNS, and SMTP mail routing. The services available within the Service Access Domain can be architected and deployed using a range of hardware and software options that include the deployment of server or appliance-based technologies. Important considerations include the correct forecasting of sizing and throughput required to support lower-layer enterprise applications. Other constraints to be considered are the development of a bandwidth budget and supported protocol tables. These assist with the correct sizing of the bandwidth and the development of security policies that support the final configuration. If such an approach is taken to implement the Service Access Domain, developed services will be highly available, secure, and manageable using enterprise tools.

Mobile Access

Mobile users include professionals and data collectors who access the enterprise through a variety of connections, including real-time wireless and wireless LANs/WANs (through a wireless data network), a synchronization solution, or a combination of both. Mobile middleware and infrastructure software addresses the need to deliver corporate applications specifically to mobile and wireless environments.

Mobile device security software comprises software products designed or optimized to provide security specifically for mobile devices, PDAs, and other smart hand-held devices. This security can take the form of encryption, authentication, authorization, access control, PKI middleware or firewall protection, and is primarily concerned with protecting content on mobile devices. This competitive market encompasses several functional markets, including security software and system management software. A mobile security software solution can incorporate one or more of these approaches.

Secure ID generally utilizes two-factor authentication that is based on something you know (e.g., a password or PIN) and something you have (e.g., an authenticator) to provide a more reliable level of user authentication than reusable passwords. Secure ID offers access through VPN, WLAN, e-mail, intranets, Microsoft Windows desktops, or Web servers.

Mobile middleware and infrastructure software vendors offer a variety of platforms to enterprise customers, wireless operators, device manufacturers, and other channel partners. These include pure-play mobile vendors, larger independent software vendors and application providers, and device manufacturers that also provide software solutions. Requirements and user product selection will determine the product choice.

Remote Access Architecture

MACs may want to provide authorized users access to certain applications and enterprise systems from a remote location (home, hotel, etc.). The remote access methods most commonly used for this purpose can be divided into four categories based on their high-level architectures: tunneling, portals, and remote desktop access. The remote access methods in all four categories have some features in common:

- They are all dependent on the physical security of the client devices.
- They can use multiple types of server and user authentication mechanisms. This flexibility allows some remote access methods to work with an organization's existing authentication mechanisms, such as passwords or certificates. Some remote access methods have standardized authentication mechanisms, while others use implementation-specific mechanisms.
- They can use cryptography to protect the data flowing between the authorized user client device and the organization from being viewed by others. This cryptographic protection is inherent in VPNs and cryptographic tunneling in general, and it is an option in most remote desktop access and direct application access systems.
- They can allow users to store data on their client devices. For example, most tunnel, portal, and remote desktop access systems offer features for copying files from computers inside the organization to the user's client device.

Tunneling

Many remote access methods offer a secure communications tunnel through which information can be transmitted between networks, including public networks such as the Internet. Tunnels are typically established through virtual private network (VPN) technologies. Once a VPN tunnel has been established between a user's client device and the organization's VPN gateway, the user can access many of the organization's computing resources through the tunnel.

[Figure: tunneling architecture. Labels: Perimeter, Application Server Software, Servers, Application Client Software, VPN Gateway, Client Devices]

Tunnels use cryptography to protect the confidentiality and integrity of the transmitted information between the client device and the VPN gateway. Tunnels can also authenticate users, provide access control (such as restricting which protocols may be transmitted or which internal hosts may be reached through remote access), and perform other security functions. However, although remote access methods based on tunneling protect the communications between the client device and the VPN gateway, they do not provide any protection for the communications between the VPN gateway and internal resources. The types of VPNs most commonly used for users are Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) tunnels.

Application Portal

Another category of remote access solutions involves portals. A portal is a server that offers access to one or more applications through a single centralized interface. A teleworker uses a portal client on a telework client device to access the portal. Most portals are web-based; for them, the portal client is a regular web browser. Figure 2-2 shows the basic portal solution architecture. The application client software is installed on the portal server, and it communicates with application server software on servers within the organization. The portal server communicates securely with the portal client as needed; the exact nature of this depends on the type of portal solution in use, as discussed below.

[Figure: portal architecture. Labels: Perimeter, Application Server Software, Servers, Application Client Software, Portal, Client Devices]

In terms of security, portals have most of the same characteristics as tunnels: portals protect information between client devices and the portal, and they can provide authentication, access control, and other security services. However, there is an important difference between tunnels and portals: the location of the application client software and associated data. In a tunnel, the software and data are on the client device; in a portal, they are on the portal server. A portal server transfers data to the client device as rendered desktop screen images or web pages, but data is typically stored on the client device much more temporarily than data for a tunneled solution is. (However, portals can be configured to allow clients to download content from the portal and store it on the client device or other locations outside the secure remote access environment.)

There are a few types of portal solutions commonly used for remote access. A web-based portal provides a user with access to multiple web-based applications from a single portal web site. An SSL portal VPN is a common form of web-based portal. Another type of portal solution is terminal server access, which gives each user access to a separate standardized virtual desktop. The terminal server simulates the look and feel of a desktop operating system and provides access to applications.

Remote Desktop Access

A remote desktop access solution gives a user the ability to remotely control a particular desktop computer at the organization, most often the user's own computer at the organization's office, from a user client device. The user has keyboard and mouse control over the remote computer and sees that computer's screen on the local user client device's screen. Remote desktop access allows the user to access all of the applications, data, and other resources that are normally available from their computer in the office. Figure xx shows the basic remote desktop access architecture. A remote desktop access client program or web browser plug-in is installed on each user client device, and it connects directly with the user's corresponding internal workstation on the organization's internal network.

[Figure xx: remote desktop access architecture. Labels: Perimeter, Application Client Software, Application Server Software, Servers, Internal Workstation, Client Devices]

There are two major styles of remote desktop access: direct, between the user client and the internal workstation, and indirect, through a trusted intermediate system. However, direct access is often not possible because it is prevented by many firewalls. For example, if the internal workstation is behind a firewall performing network address translation (NAT), the user client device cannot initiate contact with the internal workstation unless either the NAT allows such contact or the internal workstation initiates communications with the external user client device (e.g., periodically checking with the client device to see if it wants to connect).

Indirect remote desktop access is performed through an intermediate server. This server is sometimes part of the organization's firewall, but is more often run by a trusted commercial or free third-party service outside the organization's network perimeter.

Open Web Server

The Open Web Server distributes information content through the Internet, and its primary use is as a tool to disclose information to the public as well as to enterprises. Because it operates 24 hours a day, 7 days a week, and accepts access from unspecified clients, it is under constant threat from all sorts of possible malicious attacks (data tampering, denial of service, information tapping, unauthorized promotion/denial of access authority, etc.). Therefore, measures must be adopted to protect assets from those attacks, and to prevent security events/accidents from occurring. These measures are implemented in a high-security segment with firewall isolation, or DMZ (Demilitarized Zone), which lies between the external network (the Internet) and the internal network.

In light of the possible IPv4 address depletion problem, due consideration must be given in advance to the proper coexistence and parallel usage of IPv4 and IPv6. This involves careful implementation of operation/management/monitoring/maintenance methods, at the design stage as well as in the purchase of equipment, and security measures for running various devices used on open Web server devices.

[Figure: Open Web Server network layout. Labels: General user (Citizens, Enterprises), Internet, Mobile Access Server, Mail Server, External Proxy Server, Open DNS Server, External Firewall, DMZ, Load Balancer, Open Web Server, Internal Firewall, Intranet DMZ, Internal DNS Server, Internal Proxy Server, CMS Equipment]
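One way to verify that a firewall rule set actually provides the isolation described above (an external firewall, a DMZ, and an internal firewall in front of the internal network) is to evaluate the policy and probe it for flows that bypass the DMZ. This is an added example, not part of the original document; the zone names, rule format, published ports and the single permitted DMZ-to-intranet flow are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example (not from the document): the services the DMZ
# publishes and the one flow a DMZ host may open towards the intranet.
PUBLISHED = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("tcp", 53)}
DMZ_TO_INTRANET = {("tcp", 25)}        # DMZ mail relay -> internal mail server


@dataclass(frozen=True)
class Rule:
    src: str                # "internet", "dmz", "intranet" or "any"
    dst: str                # same values as src
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None matches every port
    action: str             # "allow" or "deny"


def decide(rules, src, dst, proto, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.port in (None, port)):
            return r.action
    return "deny"


def audit(rules):
    """Probe the policy and list every allowed flow that breaks DMZ isolation.

    Probing the evaluated policy, rather than reading rules one by one,
    accounts for wildcards and for allow rules shadowed by earlier denies.
    """
    named = {port for _, port in PUBLISHED | DMZ_TO_INTRANET}
    named |= {r.port for r in rules if r.port is not None}
    # One port that no rule names stands in for "every other port".
    other = next(p for p in range(1, 65536) if p not in named)
    permitted = {
        ("internet", "dmz"): PUBLISHED,         # only published services
        ("internet", "intranet"): set(),        # nothing may skip the DMZ
        ("dmz", "intranet"): DMZ_TO_INTRANET,   # only the listed flow
    }
    findings = []
    for (src, dst), allowed in permitted.items():
        for proto in ("tcp", "udp"):
            for port in sorted(named | {other}):
                if (decide(rules, src, dst, proto, port) == "allow"
                        and (proto, port) not in allowed):
                    label = "other" if port == other else port
                    findings.append((src, dst, proto, label))
    return findings


# Constructed rule sets for illustration.
WEAK_POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 22, "allow"),         # management exposed
    Rule("dmz", "intranet", "any", None, "allow"),       # DMZ trusted inside
    Rule("internet", "intranet", "tcp", 8080, "allow"),  # bypasses the DMZ
]

HARDENED_POLICY = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 25, "allow"),
    Rule("internet", "dmz", "udp", 53, "allow"),
    Rule("dmz", "intranet", "tcp", 25, "allow"),
    Rule("intranet", "dmz", "tcp", 22, "allow"),         # admin from inside only
    Rule("any", "any", "any", None, "deny"),             # explicit default deny
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy))
```

Because the document calls for parallel use of IPv4 and IPv6, the same audit should be run against both rule sets so that one protocol family does not bypass the isolation enforced on the other.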

Integration Domain

Service Oriented Related Functions

SOA is an architecture that enables services (software functions corresponding to the individual job operations) to be accessible and linked to each other on a network by standardized protocols, and to work as an integrated system. At present, such architectures are generally compliant with the Web service technical specifications. The architecture also ensures prompt system construction and high maintainability, by defining interfaces between services and linking them on the network.

Business Intelligence (BI)

BI refers to an approach of utilizing an enormous amount of job-operation system output data, etc., for decision-making, by storing, classifying, searching, analyzing, and transforming factual data. It also refers to a scheme or an activity for realizing the idea of extracting useful knowledge or insights in a systematic way and enabling business predictions, or to the systems and technologies supporting such activities. Its objective is to utilize information for improving job-execution efficiency through flexibly analyzing the required information. In comparison with conventional data analysis, which is closed in individual stand-alone systems, along with the implementation of system-linkage infrastructure such as SOA, the cross-system analysis of data separately stored in individual systems after being homogenized has become necessary, and the mechanisms for the management and transformation of metadata have been implemented.

Shared Services and Collaboration Domain

The concept of a Shared Services and Collaboration Domain is a network and server environment that would be shared by multiple clients. Clients may utilize shared capacity on servers or the throughput available via shared appliances with other customers or, in situations where security constraints demand, dedicated servers for their own use. Customers share a controlled firewall service that permits discrete connections, including logging and reporting on a per-customer basis. However, where security demands it, or if a customer requires a highly secure mode of operations, they could be hosted in a customer-dedicated environment. This model provides the maximum degree of leverage for individual customers, and enables a deployment model where additional customers can be facilitated quickly. The shared services model above also positions the environment to be highly scalable.

Both options of scaling up or out exist, with the addition of extra appliances or file service, or the consolidation using symmetric multi-processor (SMP)-based platforms. Key design attributes of this environment include:

- Firewall structure
- Access load balancing
- Data caching
- Monitoring and reporting
- Out-of-band management
- Network separation management
- Redundant service in a farm
- Security management

Groupware/File Servers/Mail Servers Domain

The groupware, file server, and mail server are accepted as productivity-enhancing mechanisms for organizations as they enable sharing and exchange of information among the information system users. These mechanisms provide such facilities as electronic mail, electronic bulletin board, electronic conference room, scheduling, conference room booking, and file sharing. The objective of these facilities is to achieve smoother communication among the users, and thus support information sharing for well-informed policy planning.

[Figure: Groupware/File Server/Mail Server services offered to users. Groupware Server: electronic bulletin board, electronic conference, schedule management, facility booking. Electronic Mail Server: electronic mail (within the cabinet office and ministries), electronic mail (GWAN), electronic mail (Internet), address book. File Server: file sharing, shared drive (for personal use), shared drive (for office use only), regular backup. IM Server: message exchange, presence/absence status display, contact list, file transmission. Full-text search server: content and data gathering, context extraction and analysis, index creation, search service. Screen sharing: white board]

Function and Services provided by Groupware/File Server/Mail Server

Function: Description

Groupware: Groupware provides facilities for information sharing among users, and thus contributes to achieving smoother communication. The users can exchange their opinions and information using the electronic bulletin board and electronic conference. Such functions as user schedule management, facility management (e.g. conference room), and To-Do list contribute to enhancing routine task efficiency for the users. The groupware also provides functions for managing attribute information (e.g. the user ID assigned to each user, and the group he/she belongs to), allowing it to be used as an employee directory.

Electronic Mail: Electronic mail provides the users with the means to send/receive an e-mail within the ministry or with external organizations. A standardized protocol for sending and receiving mails is employed, and communication requests from the terminals shall be compatible with SMTP (for transmission) and POP, IMAP (for reception). In light of the need to exchange highly confidential e-mails, this function shall be compatible with encryption and electronic signature. To avoid virus infection via e-mail communication, it shall perform anti-virus functions by checking attached files. Note that the e-mail communication may be provided as a function of groupware.

File Sharing: Refers to the practice of shared use of storage resources among the terminals, making cross-user information sharing easier and quicker. This mechanism includes the shared use of storage areas under the control of the file server, enabling file sharing according to the user's affiliation and authority. Rigorous access control shall be implemented in the file sharing mechanism, and access history shall be recorded in the audit log.

Instant Messaging: Refers to the provision of a real-time message exchange function, whereby the usage status of the users is checked in advance. This function shall not only be able to identify whether the user is on-line or off-line; it shall also provide further on-line status information (i.e. enabled/disabled to respond, at/away-from-desk, at conference, etc.), enabling the user to select the contact method most suited to the situation (telephone/e-mail, instant messaging).

Full-Text Search: Refers to the functions to search for a given string among the document database provided by groupware and the stock of document files stored on the file server. The user shall be able to use combined criteria of single or multiple keywords and logical conditions connecting them (AND, OR, etc.), and only the allowed range of the search results shall be presented to the user depending on his authority level.

Web Conference: Refers to the functions that allow a plurality of users on the network to have a conference, sharing a common screen and using voice/video communication. It also provides functions to share office documents, and shared use of a virtual whiteboard to which the conference participants are able to write sentences and figures. A Web interface is also provided for booking and managing a Web conference.

Multiple Core Services Domain

The Multiple Core Services Domain is intended for customers who are security conscious and not prepared to share a network environment with third parties. In situations where customers insist on an environment dedicated to their own use, this will be provisioned using a dedicated firewall that provides separation from other customer infrastructures. While maintaining a dedicated environment provides for a very secure application and database hosting environment, it requires additional overhead in terms of cost and support resources. However, it does offer customers the ability to scale their business services with minimal impact on third parties and in a larger environment. The addition of network or SAN attached storage provides for an entity-level backup and recovery strategy to assist in business continuity planning.

Integrated Directory

The integrated directory provides master database functions that cover the collected account information separately maintained in each ministry. It maintains the master account information data in coordination with the data stored in the human resource/payroll account information system and GIMA (Government Identity Management for Authentication), an inter-ministerial common system. The account information stored in the integrated directory is distributed to each relevant directory within the Cabinet Office and Ministries via the integrated account management functions and directory linkage functions.
[Figure: Integrated Directory. Labels: Individual MAC and Offices; Provision Infrastructure for User Basic Information within the MACs; User Authorization Infrastructure within the MACs; Human Resource System (for each Ministry); Authentication Information (User ID, Password, Name); Integrated Directory (Universal ID, Password, Name); Directory for Web Applications; Directory for Operating Systems; Directory for Groupware; Government Public Key Infrastructure (PKI), Electronic Certificate]

The integrated directory provides master database functions that control the collection of account information constructed by the Cabinet Office and Ministries. It provides a common platform to unify the management of account information used for running Web applications and groupware, as well as to enable staff member searches of the staff member directory. As it stores the master data for account information to be saved in a variety of directories, it needs to be updated with the latest organization/personnel information, in close coordination with the human resource/payroll account system and GIMA (Government Identity Management for Authentication), when personnel shuffling is implemented.
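One way to check that the integrated directory and the directories it feeds stay in step with the human resource system after personnel changes, as an added example that is not part of the original framework document. The record layout, field names, action names and the sample records are assumptions constructed for illustration; only the three downstream directory names come from the figure above.

```python
"""Reconcile the integrated directory against the HR system (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    universal_id: str
    name: str
    ministry: str
    active: bool  # False once the person has left government service


@dataclass(frozen=True)
class Account:
    universal_id: str
    name: str
    ministry: str
    enabled: bool


def reconcile_master(hr_roster, master):
    """Return sorted (action, universal_id) pairs that bring the integrated
    directory back in line with HR, which is treated as the source of truth."""
    hr_by_id = {r.universal_id: r for r in hr_roster}
    master_by_id = {a.universal_id: a for a in master}
    actions = []
    for uid, rec in hr_by_id.items():
        acct = master_by_id.get(uid)
        if acct is None:
            if rec.active:
                actions.append(("create", uid))      # new hire, no account yet
        elif not rec.active:
            if acct.enabled:
                actions.append(("disable", uid))     # leaver still able to log in
        elif not acct.enabled:
            # Never re-enable automatically: someone disabled it for a reason.
            actions.append(("review", uid))
        elif (acct.name, acct.ministry) != (rec.name, rec.ministry):
            actions.append(("update", uid))          # e.g. transfer between ministries
    for uid, acct in master_by_id.items():
        if uid not in hr_by_id and acct.enabled:
            actions.append(("disable_orphan", uid))  # no HR record backs this account
    return sorted(actions)


def stale_downstream_accounts(hr_roster, downstream):
    """Return sorted (directory, universal_id) pairs for accounts still enabled
    in a downstream directory without an active HR record behind them."""
    active = {r.universal_id for r in hr_roster if r.active}
    findings = []
    for directory, accounts in downstream.items():
        for uid, enabled in accounts.items():
            if enabled and uid not in active:
                findings.append((directory, uid))
    return sorted(findings)


# Constructed sample data: HR after a personnel shuffle.
HR_ROSTER = [
    HrRecord("U1001", "Staff One", "Finance", True),
    HrRecord("U1002", "Staff Two", "Health", True),      # transferred from Finance
    HrRecord("U1003", "Staff Three", "Finance", False),  # left the service
    HrRecord("U1004", "Staff Four", "Health", True),     # new hire
    HrRecord("U1005", "Staff Five", "Health", True),     # account disabled by an admin
]

# Constructed sample data: integrated directory before the update.
INTEGRATED_DIRECTORY = [
    Account("U1001", "Staff One", "Finance", True),
    Account("U1002", "Staff Two", "Finance", True),
    Account("U1003", "Staff Three", "Finance", True),
    Account("U1005", "Staff Five", "Health", False),
    Account("U1999", "Unknown", "Finance", True),
]

# Constructed sample data: universal_id -> enabled, per downstream directory.
DOWNSTREAM = {
    "groupware": {"U1001": True, "U1003": True},
    "web_applications": {"U1002": True, "U1003": False, "U1999": True},
    "operating_systems": {"U1001": True},
}

if __name__ == "__main__":
    for action, uid in reconcile_master(HR_ROSTER, INTEGRATED_DIRECTORY):
        print(f"{action:15} {uid}")
    for directory, uid in stale_downstream_accounts(HR_ROSTER, DOWNSTREAM):
        print(f"stale account   {uid} in {directory}")
```

Accounts that survive a departure or have no HR record at all are the ones an access review should look at first, which is why they are reported separately from routine updates.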

Platform Domain

Overview

Platform refers to the set of technology standards that enables software applications and hardware devices to run and operate as an interconnected, managed unit or environment. This includes the following components:

- Servers: Computers that allow multiple users to access network services and applications simultaneously
- End user devices: Stand-alone devices, which as productivity devices form a key part of the network and the Government infrastructure
- Mobile devices: Single-user network client devices with user interfaces that allow users to connect to enterprise infrastructure remotely
- Peripherals: Helper devices able to work separately or with computers
- Storage: Devices and systems that serve as physical and persistent stores for data and executables
- Voice Telephony

These components are typically current technologies and are continually changing to meet market demand. The Platform layer includes standards for:

- Hardware devices
- Operating systems
- Telephone infrastructure

Servers

A server refers to a computer that provides functions, data, and services on the common platform system, etc. Because servers process requests from the terminals connected to the ministry's internal LAN / WAN or the individual business systems and return the results of processing, the server hardware and the network responsible for communications between servers, as well as its configuration, are required to have high reliability, availability and maintainability. There are three subcategories of server class computers:

- High-end servers
- Midrange servers
- Entry-level servers

High-end servers: Highly scalable, highly available servers designed for mission-critical network computing. Usually used for solutions which require very high processing power (e.g., running a stock exchange or Government Payroll).

Midrange servers: Positioned between department-level and Government entity-wide server solutions, these are designed to deliver high performance with a choice of RISC or x86 servers to protect IT investments over time.

Entry-level servers: Less powerful servers that support departmental or workgroup-level applications. These are designed for general purpose use and price/performance optimization, and are scalable and reliable. They can range from single processor systems to up to four processors running on multiple operating systems. These servers are suitable for general infrastructure services (e.g., file, print, Domain Naming Services (DNS), and small departmental applications).

The three tiers of servers provide flexible, cost-effective options for Liberia Government needs for application and data hosting.

Servers are configured for different roles (Web server, DB server, AP server, etc.) according to the services and functions they provide. The proper configuration or placement of the different types of servers is indispensable. In particular, for the stable provision of services and in preparation for future increases in system load, an expansion / enhancement method matching the server type must be available, such as a scaling-up method (a server configuration method that increases performance by enhancing the performance or adding to the number of CPUs, etc. in a chassis) or a scaling-out method (a server configuration method that enhances performance by adding a server chassis for parallel processing).

In addition, functions provided by servers are required to be allocated or configured so that a group of servers providing the individual services can, by the application of virtualization software, be implemented in a single physical server. Virtualization software, which refers to software that enables a single hardware server to run more than one virtual machine, enables more than one operating system to run on a single hardware server with minimum loss of performance: each operating system is allocated virtual CPUs, network interfaces, and storage.

Highly reliable, highly available, and highly maintainable servers, collaborating with storage, are able to realize distributed processing, and are expected to be further virtualized, consolidated, or integrated because of their adaptability to centralized and integrated management.

Types of Servers

Function: Description

Server Hardware: Refers to server devices that process functions or services available on the common platform system. It is required to have functions and configurations with high efficiency, reliability, availability, flexibility, and maintainability so that those functions and services work well even in a situation where operating systems, middleware, or applications are added or changed, or the volume of information to process is increased.

Server LAN: Refers to LANs or network equipment for communication between servers on the common platform system.

Database Server: Refers to programs that provide the services of saving and retrieving master data or transaction data processed by the services available on the common platform system, or the hardware configured for the execution of such services. It has the capability of high-speed processing of queries written in query languages. Note that the information on database servers should be arranged so that it is available to queries made by the services or functions on the common platform system in such a way that the performance requirements (response time, throughput, capacity) are satisfied.

Application Server: Refers to programs that execute and manage business logic contained in the services available on the common platform system, or the hardware configured for the execution of such logic. It works for providing interfaces to web services available on the common platform system, executing business logic, managing transactions, and connecting to databases, etc.

Web Server: Refers to the computer that provides World Wide Web services on the Internet. It includes the hardware, operating system, web server software, TCP/IP protocols and the website content (web pages). If a web server is used internally, and not by the public, it may be known as an intranet server.

Examples of web server technologies include:

- Apache: a widely used, public domain, UNIX-based web server from the Apache Group. It is based on, and is a plug-in replacement for, NCSA's HTTP server Version 1.3. The name came from a body of existing code and many patch files.
- Internet Information Server: web server software from Microsoft that runs under various versions of Microsoft Windows. It supports Netscape's SSL security protocol and turns a Windows-based PC into a website.

It is recommended that servers be standardized around a vendor or vendors with proven compatible hardware using a consistent infrastructure architecture. This has the following benefits:

- Volume discounts
- Reduced support costs
- Increased product awareness
- Reduced development effort
- Increased level of integration

Storage

Storage refers to an external memory device to store the information handled in the common platform system. The device assumed as storage in the common platform system is a hard-disk drive or tape drive. High reliability and high performance are required for storage because it is used for storing data on requests from the terminals connected to the MAC's internal LAN / WAN or the individual business systems. Storage must enable distributed processing through having high reliability, availability, and maintainability in close linkage with the server. At the same time, because storage is well controlled in an integrated way, further virtualization, consolidation, or integration will be expected.

Types of Storage

Function: Description

Disk Storage: Refers to an external memory device for storing mainly the data, database, and system data handled in the common platform system. Here, a hard-disk drive is assumed as storage.

Tape Storage: Refers to an external memory device for backing up / archiving / migrating / exchanging mainly the data, database, and system data handled in the common platform system.

SAN Design

A Fibre Channel (FC) fabric (network) is a multi-terabit, low-latency switching network, mainly used to interconnect servers to storage. Deployment of mid-range to high-end FC fabrics is based on FC directors (core switches), which are high-availability switches with high aggregate switching bandwidth and high port density. For the edge part of a large or small fabric, smaller and lower-cost FC switches are typically used. Directors and switches use one or more interswitch links (ISLs) to connect and form a larger fabric. It is common to deploy one or more isolated FC fabrics, called SAN islands. SANs are also extended to campus, metropolitan, and wide-area distances using T1/T3, ATM, IP, SONET, dark fiber, and DWDM technologies.

Enterprise-level SANs should at least include the following features:

- Multiple independent fabrics;
- Core plus edge switch topology;
- Appropriate port aggregation ratio, depending on application server requirements;
- Appropriate core design, depending on number of ports required;
- Evolving design, with initial installation suitable for current needs. This will be key, as MACs will generally be migrated in sequence;
- Providing a secure SAN platform.

Network Attached Storage

NAS is a hard disk storage system, which includes RAID configuration, with its own LAN IP address rather than being attached to the server that is serving applications to a network's workstation users. It has its own software for configuring and mapping file locations to the network attached devices. A NAS can be included as part of a more comprehensive solution like a SAN. It is ideal for less critical data storage for applications such as e-mail, File and Print, etc.

Backup/Recovery

Backup storage is required to enable the backup of all business critical data defined by the MAC. Tape backup systems have traditionally been very popular, with capacities ranging from ten megabytes to ten gigabytes and beyond. Tapes are considered to be slower, not exactly the most reliable way to store computer data, and increasingly difficult to locate.

Backup concerns the capture of change to the data, and recovery is to redo this change to get to a specific point-in-time. With Open-Systems, and in particular three-tier architecture systems, the following components form the architecture in different combinations:

- Network and Communications equipment;
- Servers or Host systems;
- Database servers and persistent storage systems.

The combination of these components makes up a general architecture, and a complete backup/recovery plan should enable the restoration of all layers to create an end-to-end functional system in the event of any failure. This opens up the backup, and subsequently the recovery, to different types of mechanisms that are most cost-effective for a particular component or layer. Also, each component will have its own backup/recovery processes and procedures. It would be too expensive to have a single backup/recovery strategy for all components, and in some cases technologically impossible. Therefore it is necessary to combine different strategies to form a cost-effective and tight backup/recovery strategy.

Storage - Recommendation

To provide a fully tolerant environment, Liberia Government MACs should consolidate storage into a SAN. The SAN for shared services will provide the following:

- Consolidated Storage: A single place to protect information
- Reduced TCO: SAN provides considerable cost savings over disks in single servers
- Reduced management: Tasks such as backup, restore, and snapshots can be passed to a central SAN rather than shifted at the server level

- Faster recovery in the event of data loss
- Fault tolerant management tools

A review between NAS devices and SANs should be done, but a SAN is the recommended choice for Liberia Government entities. This decision would be made at the design phase. The logical SAN architecture exhibit below provides an overview of server connected storage environments where each server is connected or housed within a SAN fabric. Management of the SAN fabric should be integrated with the out-of-band management network.

From an e-government shared services perspective:

- This initial consolidated e-government Technical Architecture should be reviewed, amended as necessary, and baselined
- Design and implementation should be developed using a logical and physical design approach

Operating System

Operating Systems (OS) are the foundational computing control programs for computers ranging from desktops and PDAs to servers and mainframes. Standardizing OSs when possible and justified allows the Government of Liberia to focus support; provide higher levels of expertise; and create a common, repeatable environment resulting in effective management and reduced cost. Standardizing Operating Systems provides benefits that include:

- Ease of manageability
- Management of security across Government
- Ease of future upgrades due to a small, defined number of operating systems
- Reduced diversity and technology footprint
- Cost management due to reduced vendor set
- Skills management that allows the training and development of defined resources

To reduce infrastructure and improve resource utilization, the virtualization of computing resources (e.g., servers) should be considered.

Virtualization

Virtualization masks boundaries or physical features of IT resources by inserting a virtual layer between a resource and a resource-user (OS or application) to enable flexible use of resources. Having originated in the technologies developed to improve hardware utilization efficiency in the 1960s, virtualization has recently been gathering attention as one of the solutions for IT problems such as utilization-efficiency decrease and cost increase in infrastructure, cost increase in IT management, and increase in energy consumption. Note that there are two types of virtualization mechanisms: realized by hardware for virtualization; and realized by software for virtualization.

[Diagram: virtual layers between the application, the OS and middleware, and the hardware (server, storage, network and others)]

Types of Virtualization

Network: At the network level, virtualization means that services normally delivered on separate boxes, such as firewalls, VPNs, load-balancers and switches, can be deployed on a single physical system, while still retaining all the characteristics of individual devices.

Server: Virtualization pools and connects server resources in a way that hides the physical nature and boundaries of those resources from resource users. For example, in the mainframe world virtualization is commonly used to support mixed-workload management and logical partitioning of both users and applications.

[Diagram labels: Application, Guest OS, Virtual Machine, Management Tools, Management OS, Host-Type VMM, Host OS, Hypervisor-Type VMM, Hardware]

Figure x: Two Types of Server Virtualization (Host-type VMM and Hypervisor-type VMM)

Storage: Various types of storage virtualization are available: in dividing storage, one storage device such as a hard-disk drive has more than one virtual storage; in storage consolidation, more than one physical storage is consolidated into a huge virtual storage; and in storage-capacity virtualization, the storage capacity that a server will know is not limited by the physical capacity. Note that by storage consolidation more than one physical server can be consolidated beyond the boundaries of its chassis, in comparison with the storage device consolidation enabled by RAID.

Recommendations for Integration by Virtualization

- Design and assessment should be done for each unit of virtualized-resource allocation, physical resource, and resource-pool, instead of conventional hardware-resource sizing;
- Consider application, in the virtualized layer, of an N-to-N model covering the entire resource-pool for the server-availability requirement, instead of the conventional design based on a one-to-one or N-to-one model in the hardware layer;
- Consider monitoring and security of the management layer of the hypervisor, virtualized server, and cloud, in addition to the conventional system design;
- Pay attention to possible performance degradation, invisibility of resources from the management side (difficult to view), and resource conflicts in multi-tenant environments;
- Confirm the compatibility of the hardware products planned to be procured with the virtualization scheme to be employed;
- Confirm the compatibility of the software (program) products planned to be procured with the virtualization scheme to be employed;
- Note that there is a possibility, in the migration phase to the virtualized system, that the virtually realized functions, especially those related to device drivers, do not work in the same way as the originals;
- Prepare migration plans (of sizing, verification, data-migration, and others) for the migration from physical environments.

Cloud Platform

Cloud generally refers to an information processing mechanism using networks through which information services are provided or used on demand, which should be treated from the following two standpoints:

- Users' standpoint: a cloud is an environment through which information services are provided to be consumed by users;
- Service providers' standpoint: a cloud is a tool implemented by providers to deliver services.

This section describes the points that cloud users should remember, from the standpoint of users who use services delivered through the cloud.

[Table: Categorization of Cloud. Columns: Public Cloud, Community Cloud, Private Cloud. Rows: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS). Entries: Commercial Service Providing Web-mail Related Functions; Commercial Service Providing CRM Related Functions, etc.; Commercial Service Providing Business Application Environments; Commercial Service Providing Infrastructures; Government Common Platform; Local Government Cloud (Local Government ASP); Local Government Cloud (Shared Service-Center); Ministry Cloud (Common Joboperation ...]

Generally, clouds will contribute to cost reduction because of their scale merit, application of virtualization technologies, and on-demand-based charging. In the case of IaaS, improvement of hardware-use efficiency by the application of virtualization technologies is expected to reduce cost, compared to on-premise systems, where the server configuration is determined to ensure the availability of individual application systems at peak load, so that at off-peak times plenty of resources are not utilized. In the case of PaaS, in addition to the effects of IaaS, cost reduction is expected in system operation / software maintenance, which can be eliminated by the employment of PaaS. In the case of SaaS, in addition to the effects mentioned above, cost reduction is expected in the development / maintenance of business applications, in the same way as expected in the employment of job-packages. Although additional cost is required due to a lot of factors in the deployment of cloud-based systems, reduced cost surpassing such additional cost is generally expected.

Recommendation on Selecting Cloud Services

For utilizing clouds, providers of services should be selected through careful assessment. Points of the assessment are described below for each of the following factors:

- Server / Data locations
- Management of Multi-Tenants
- Information Security Measures
- Business Sustainability
- Services
- SLA
- Service Continuity
- Service Cost
- Continuity of System Environment in case of Changing Providers
- Evidence of Data-erasing on Service Termination

Voice Telephony

Voice telephony provides one of the key elements of the operational environment, which is relied upon by both internal and external users. An enabler within the technical infrastructure, it provides not only traditional information flow in terms of spoken conversation, but also allows for a variety of other media services which can be user-accessible (e.g. fax, voicemail, recorded announcements, etc.).

Telephony services are deployed across all levels of Liberia's Government entities, with services and systems varying by user, environment, purpose, approach to provision, etc. A telephony service has five elements:

- Network(s): Connects and distributes incoming and outgoing communications to geographically diverse locations.
- Office telephony: Provides connectivity to the network(s) while allowing flexible configuration and service provision to individuals and user groups.
- Contact centre: Provides contact services via voice connectivity that generally fulfil the criteria set for office telephony; it should have the ability to add functionalities for rule-based volume distribution of calls driven by business-defined processes.
- Enhanced services: Provide additional functionality at both the user and system levels.
- Network/operational management: Provides management statistics and interactive configuration at the service provider and user levels.

Public Voice Network

Public voice services are provided by the Public Switched Telephone Network (PSTN), a worldwide distribution of voice networks with gateways and agreed addressing conventions between them. The public voice network connections provide a range of services that include:

- Basic PSTN telephony with access to national, international, mobile and advanced service networks
- Multi-line service for volume delivery of telephone traffic to a single published number across multiple physical lines
- Direct Dial In (DDI), which, eliminating the need for an operator, provides a large volume of national numbers delivered over shared network connections
- Delivery mechanisms for advanced services

Private Voice Network

Private voice services provide internal voice connectivity through private number plans, which are only available to users with relevant access rights to the network. Addresses (numbers) of most telephone extension ports are mapped directly to PSTN numbers to allow incoming telephony from external sources. These private voice networks may be further categorized into dedicated private networks and VPNs.

Dedicated private voice networks should be constructed from leased dedicated private circuits because they have no intelligence, provide no switching function, and serve as conduits through which intelligent terminal Private Automatic Branch Exchange (PABX) equipment passes telephone traffic. VPNs are provided by a number of network vendors and emulate the customer's own private network.

The exhibit below highlights possible connectivity between public and private converged networks.

5.4. Network Domain

Core to the technical reference model is the network domain. This domain refers to specific connectivity and security boundaries for both internal and external communications and consists of:

- Government Wide Area Network (GWAN): Network of communication infrastructure that typically covers several geographical areas
- Local Area Network (LAN): Computer (or data communications) networks that are confined to a limited area
- Wireless Local Area Network (WLAN): LAN communications technology in which radio, microwave or infrared links replace physical connectivity media
- Voice and Video Networks: Enablers within the network domain that provide not only the traditional information flow of spoken conversation, but also allow for a variety of other media services
- Remote Access: Allowing authorized users access to certain applications and enterprise systems from a remote location (home, hotel, etc.)

A Government of Liberia owned and operated secure network is a primary requirement for whole-government data communications. Such network infrastructure will connect all government entities to enable swift communication between them.

[Figure: Government entities connected through the Government of Liberia Wide Area Network (WAN) (MPLS / WiMAX)]

Government Wide Area Network (GWAN)

A Wide Area Network is a communications infrastructure that covers several geographical areas separated by distance. WANs are used to link multiple Local Area Networks (LANs) to enable systems in one location to communicate with systems in other remote locations. The GWAN is the technical infrastructure that will join Government agencies' Local Area Networks (LANs) and citizens through WAN devices and technologies, in an organized and secure manner.

Continuous performance improvements in personal computers and LAN infrastructure have made it easy for most MACs to deliver some applications within a building or offices. However, most MACs do not have a WAN to link the various offices; even those with some WAN infrastructure find it challenging to maintain an acceptable level of application performance across the WAN. The MACs have been forced to propagate hosting facilities and server hardware around the country, install applications locally within branch offices, and endure the high cost of WAN bandwidth and applications that run slowly or simply cannot operate across the typically poor performing WAN links.

GWAN Architecture

A number of devices and technologies can be used to connect remote clients and offices to a centralised data center or internet service providers. There are three types of transport used for WANs:

- Point-to-Point: Connection across a carrier's network to a remote site via a pre-established link (leased line).
- Circuit Switching: Dedicated physical circuit placed in a carrier network by a service provider to handle two or more connections. Unlike point-to-point, which has exactly two sites connected to a single connection, multiple sites privately connect into a carrier's switched network to communicate with each other. ISDN is an example of a circuit switching WAN technology.
- Packet Switching: Similar to circuit switching in that multiple sites privately connect to a carrier-switched network, but involves the statistical multiplexing of packets across shared circuits. Frame Relay, Asynchronous Transfer Mode (ATM), and Multi Protocol Label Switching (MPLS) are examples of this transport type.

Wireless Wide Area Network (WWAN)

A wireless WAN is a Wide Area Network characterized by the use of wireless communication technologies rather than physical connectivity. Examples of this include cellular network technologies such as Worldwide Interoperability for Microwave Access (WiMAX), Universal Mobile Telecommunications System (UMTS), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Global System for Mobile communication (GSM), Cellular Digital Packet Data (CDPD), Mobitex, High-Speed Downlink Packet Access (HSDPA), and Third Generation Mobile Standards (3G).

WWANs are becoming increasingly popular, as they can be easily deployed and leverage existing physical or wireless technologies from existing Wireless Service Providers. They provide broader network coverage and enable very remote users to access the Internet and corporate applications. Among the WWAN technologies mentioned, WiMAX is ideally suited to deliver government applications based on its high bandwidth capacity, extensive reach, reliability, scalability, built-in security mechanisms and ease of deployment.

[Figure: Government Entities A, B, C and D and the Data Centre connected over WiMAX]

MPLS-Based WAN

MPLS is a network management protocol that integrates Layer 2 (data link layer) information into IP elements. The MPLS label is the foundation for label switching, where a router makes forwarding decisions based on the MPLS label attached to an IP packet. It is designed to add a set of rules to IP that enables traffic to be classified, marked and policed. This means that MPLS traffic can offer the same QoS guarantees as data transport services such as ATM or frame relay, without requiring the use of dedicated leased lines.

Virtual Private Network (VPN)

VPN refers to a private data network that makes use of public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. Using a VPN gives the government entity the same capabilities as a private network at much lower cost by using the shared public infrastructure rather than a separate, private (leased line) one.

VPN offers three sets of connectivity:

- Site-to-Site: Connects remote facilities with the corporate network. The remote site typically has multiple users sharing access to the corporate network.
- Remote User: Individual users gain access to the corporate network through a broadband network.
- Extranet: Similar to site-to-site, but connects separate companies, suppliers or third parties. Carries increased security concerns because both ends must protect their networks from each other.

For future strategy and design, Multi Protocol Label Switching (MPLS) is recommended as being fit for purpose. MPLS is recommended as the WAN protocol as it delivers the following benefits:

- MPLS can create any-to-any VPNs without a full mesh of Permanent Virtual Circuits (PVCs);
- With MPLS, achieving fully meshed VPNs is simpler than many hub-and-spoke configurations;
- Support for voice and video by applying Quality of Service (QoS) to time-sensitive packets;
- Switches traffic more rapidly than traditional routing protocols;
- Secure communication;
- Logically separates VPN traffic;
- Connectivity is flexible and uncomplicated.

[Figure x: Government WAN Architecture. Elements shown: Government Entity LAN, Managed Service Provider, Government Managed Service, Gov. Entity A Site 1, Gov. Entity A Site 2, Gov. Entity B, VPN A, VPN B, GWAN, Data Centre, Disaster Recovery Site]

Government Entity LAN - Firewall

Government Entities are protected by a firewall. This is to ensure that an attack on an individual entity does not lead to further attacks on other entities within the GWAN.

A firewall is a combination of hardware and/or software in a network environment that controls communication between networks according to a security policy. Firewalls protect trusted networks from untrusted networks by restricting the type of traffic that is permitted between the networks, and must maintain an audit log of all traffic. Typical zones of traffic include the internet (no trust) and the internal network (fully trusted).

When using firewalls:

- Interconnection between fully trusted security zones should not require firewall protection.
- Interconnection between partially trusted security zones should require additional firewall protection depending on the degree of trust. Preferably, the untrusted aspect in the partially trusted security zone should terminate in a Demilitarized Zone (DMZ).
- Interconnection with an untrusted zone would require additional firewall protection.

A firewall is only as good as the policy that is installed on it. Two types of dataflow exist:

| Data Flow Type | Description |
|---|---|
| Intra-Entity Flow | Site-to-site communication within the boundaries of a Government Entity (to remote offices of the same entity) using any connectivity technology (MPLS, ATM etc.) is managed by the entity itself. This includes all entity internet, intranet and extranet. Within the GWAN such communications should be protected by VPN. Where necessary, additional firewalls per the remote sites may be provided. Example: communication between Government Entity A site 1 and site 2. |
| Inter-Entity Flow | Communication between different Government Entities is considered untrusted and is routed through the centralized Government network. Each Government Entity must maintain an Edge Firewall to the GWAN. Example: communication between Government Entity A and Entity B. |

Managed WAN Provider

It is recommended that, in choosing the WAN service provider, the Government look for suppliers who are positioned to deliver the right mix of services on a national basis, both in terms of breadth and depth, and who can deliver the following advantages to Government:

- Single point of contact for provision, billing and fault escalation;
- End-to-end management, service levels and reporting;
- Optimum choice of carrier and technology based on business requirements;
- End-to-end QoS (Quality of Service) on a national basis.

The provider should also supply the WAN, including all routers and links and, where necessary, encryption hardware. Internet-facing connectivity such as routing, content control, intrusion prevention, and virus scanning should be centrally managed by a Government-held service agency. The Managed Service Provider should also be responsible for providing secure remote access, such as Virtual Private Network (VPN) and Secure Socket Layer (SSL).

Local Area Network

A Local Area Network (LAN) is an infrastructure network through which a variety of services is provided within the Ministries, Departments and Agencies. A LAN consists of communications systems of multiple interconnected workstations, peripherals, data terminals, or other devices confined to a limited geographic area consisting of a single building or a small cluster of buildings. In line with the Open System Interconnection (OSI) model, LANs are created by connecting either multiple network hosts (PCs, printers etc.) through a L2 LAN connectivity device or multiple network segments using a L3 LAN connectivity device.

The speed of connectivity in a LAN is usually 10 Mbps or higher. Currently, 100 Mbps is seen as the standard speed for normal distributed network connectivity, whereas 1 Gbps to 10 Gbps is used for high-speed application and backbone layer connectivity. The LAN can be segmented either physically or logically. A logically segmented LAN is normally referred to as a Virtual LAN (VLAN).

[Figure: LAN and VLAN segmentation, showing VLAN1 and VLAN2 clients and servers]

MAC LAN Recommendations

It is recommended that MACs undertake a LAN refresh programme following the guidelines detailed below. This should be a formally architected infrastructure and planned with consideration of changes elsewhere in the environment. The LAN architecture is based on building LAN networks using three layers: Core, Distribution and Access. The three layers are separated mainly for design purposes, and are not necessarily implemented by separate hardware components. The following four LAN architectures have been suggested as suitable for deployment at the Government of Liberia's locations.

| Site | Scale | Architecture | Other Definition |
|---|---|---|---|
| Small | 0-50 | Distribution and Access Layer (Layer 2) | Single VLAN; WAN Router if required |
| Medium | | Core (Layer 3); Distribution and Access (Layer 2) | Single/Multiple VLAN, depending upon exact number of users |
| Large | 200+ | Core (Layer 3); Distribution (Layer 2); Access layers (Layer 2) | Multiple VLANs; Zones (building or collection of buildings) with each zone connecting to core via Layer 3 |

LAN Structured Cabling System

A Structured Cabling System (SCS) is a set of cabling and connectivity products that integrates the voice, data, video and management systems of a physical building. At a minimum, this consists of a modem, a router/network switch and Ethernet cabling. Often, however, something more complex is needed than a single computer connected to the Internet: an Ethernet router to handle internal network addressing, and probably Ethernet switches to distribute traffic to many computers. The following recommendations should be considered:

- Cabling installations must comply with Telecommunications Industry Association/Electronic Industries Association (TIA/EIA) Commercial Building Telecommunications Standards 568, 569, 606, 607, and applicable electrical codes;
- Cabling categories before 5e do not provide the convergence principle required in the network design and should not be used for any new installation;
- The management of telecommunication infrastructure should comply with the TIA/EIA 606 standard;
- The TIA/EIA 607 standard provides grounding and bonding requirements for telecommunications circuits and equipment;
- UTP shall be used unless specific issues exist, such as high EMI or long transport distances.

Network Copper Cabling

Structured Cabling System installations for new and/or renovated buildings without cabling shall be Category 6 Unshielded Twisted Pair (UTP) as specified by TIA/EIA 568-B.2.1 Commercial Building Telecommunications Cabling Standards, which is based on the following:

- UTP shall be used unless specific issues exist, such as high EMI or long transport distances;
- Category 6 cabling is certified to carry up to 10 Gbps of data up to 100 meters. The cabling industry, TIA, and International Organisation for Standardisation/International Electrotechnical Commission (ISO/IEC) support Category 6 cabling or better as the optimal choice to develop the Institute of Electrical and Electronics Engineers (IEEE) 10 Gbps Ethernet standard, based on the rapid growth of Category 6 cabling installations in the marketplace;
- Category 5e cabling is acceptable when incremental additions to existing Category 5e cabling for major cable plant modifications and/or additions due to building renovations or remodelling are necessary;
- Category 6 link and channel requirements are backward compatible to Category 5e;
- Category 6 cabling, and existing Category 5e cabling, installed per TIA 568-B.2.1 standards, to the desktop allow most IP platform devices requiring power to operate without supplemental AC power in accordance with IEEE 802.3af Power over Ethernet (PoE) requirements.

Fiber Network Cabling

Structured Cabling System installations for new buildings, major cable plant additions or modifications, building renovations or remodelling shall be either multi-mode or single-mode, depending on business unit requirements, as specified by TIA/EIA 568-B.3 and ISO/IEC 11801:2002 Commercial Building Telecommunications Cabling Standards.

- TIA/EIA-568-B series standards specify 50/125 micron multi-mode fiber for horizontal subsystems. 50/125 micron multi-mode or single-mode (8/125 micron) fiber is specified for vertical subsystems. Multi-mode fiber transmits up to 10 Gbps Ethernet a distance of approximately 35 meters to 300 meters (50/125 micron), depending on the specific fiber and the Ethernet port characteristics. Single-mode (8/125 micron) transmits up to 10 Gbps Ethernet a distance of 2, 10, and 40 kilometres, depending upon specifications;
- Single-mode fiber network cabling subsystems between buildings allow up to 10 Gbps Ethernet transmission rates over greater distances, as specified by the International Telecommunication Union-Telecommunication Standardization Sector (ITU-T) Series G.652 and ISO/IEC standards.

Wireless LAN Architecture

The WLAN architecture described in this document is based on wireless networks at the Government of Liberia MAC buildings and campuses. The main objective of this section is to assist MACs in securely implementing a wireless infrastructure.

The architecture recommends two types of WLAN: Internal WLAN and Authorized Visitor WLAN. The business purpose of the Internal WLAN is to allow employees and contractors present at the agency's building or campus to have wireless access to internal resources and services. Users connecting to this type of WLAN will be using approved agency equipment that meets a baseline set of security controls. Thus, an Internal WLAN is considered part of the internal network because the MAC has control over the applications, software, hardware, and the assessment of security control effectiveness on the wireless network.

The second type of wireless network addressed in this document is an Authorized Visitor WLAN. The business purpose of this WLAN is to allow authorized guests of the agency to have wireless, controlled Internet access. The MACs do not have control over the devices authorized visitors use when accessing this WLAN. Generally, these users do not have a business need to access the agency's internal network. Thus, an Authorized Visitor WLAN is considered an external network because the agency does not have full control over the applications, software, or hardware present in visitor devices.

Internal WLAN

[Figure x: Internal WLAN. Elements shown: Wireless Monitor, Management, Certificate Server with Digital Certificate, Existing Wired Infrastructure, WPA2 Enterprise (EAP-TLS Authentication), Wireless Controller & WDS Management System, Devices with Authorized Digital Certificate, Access Point, Encrypted User Traffic, Unencrypted User Traffic]

WPA2-Enterprise provides both authentication (via EAP-TLS) to prevent unauthorized access to the network and FIPS compliant encryption (AES-CCMP) to ensure the confidentiality and integrity of WLAN traffic. EAP-TLS is an open authentication standard that leverages a Public Key Infrastructure (PKI) to provide strong mutual authentication. This authentication and encryption scheme also enables mutual authentication between authorized devices and the wireless infrastructure. It also secures distribution of per-device wireless encryption keys. These protections mitigate both man-in-the-middle attacks and impersonation attacks against the wireless network. This conceptual model allows agencies to implement additional security measures for restricting access to the WLAN and securing user traffic.

A logically separated management network is used for communicating with the authentication server, configuring and maintaining Access Points (APs), and transporting radio traffic received by wireless monitors to the WIDS/WIPS management system. This network is logically isolated, using a VLAN or IPSec tunnel, to prevent it from being used to access the Internet or resources on the existing agency wired network.

Authorized Visitor WLAN

[Figure x: Internal WLAN. Elements shown: Wireless Monitor, Management, Certificate Server with Digital Certificate, Existing Wired Infrastructure, Wireless Controller, WPA2-PSK (ESP-CCMP Encryption)]

Figure x shows a logical representation of network components and connections to enable authorized visitors to wirelessly access the Internet using visitor-owned devices. WPA2-PSK provides AES-CCMP encryption to offer a cost-effective way to limit WLAN traffic to authorized visitors. The Pre-Shared Key (PSK) is shared by all visitors, and may not protect traffic between visitors. Unlike WPA2-Enterprise, this scheme does not provide device authentication, and all devices with knowledge of the PSK share a common AES-CCMP encryption key. These protections, therefore, do not robustly mitigate the threats of man-in-the-middle and impersonation attacks against the WLAN. If desired, this conceptual model enables agencies to implement additional security measures for restricting access to the authorized visitor WLAN and securing user traffic.

Password policies should be particularly stringent. It is recommended that agencies use reasonably strong passphrases to generate the PSK. Agencies are encouraged to frequently change the PSK to ensure that attackers, and formerly authorized visitors with knowledge of the PSK, cannot leverage it to maintain persistent access to the WLAN.

Voice over Internet Protocol (VoIP)

Voice over Internet Protocol (VoIP) technology unites the worlds of telephony and data by enabling the transfer of voice content (both phone calls and faxes) over the Internet, an Intranet or other packet-switched network. Using either a dedicated IP telephone set or a networked computer running VoIP software, home and business users can use VoIP technology for direct voice communication. In VoIP technology, the voice signal is first separated into frames, which are then stored in data packets and finally transported over an IP network using a voice communication protocol. Currently, most VoIP systems use one of two standards: H.323 or the Session Initiation Protocol (SIP), although a few still use proprietary protocols like SCCP.
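Returning to the Authorized Visitor WLAN guidance above on passphrase strength and PSK rotation: the following is an added example, not part of the source document, showing how WPA2-PSK derives the key from the passphrase and SSID and how a candidate passphrase can be screened before rollout. The minimum length, distinct-character threshold, word list and SSID names are assumptions chosen for illustration; the document sets no numeric policy.

```python
import hashlib
import hmac

# IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32

# Assumed policy values for this example (not taken from the document).
MIN_LENGTH = 20
MIN_DISTINCT_CHARS = 10
COMMON_WORDS = {"password", "welcome", "guest", "visitor", "liberia"}  # constructed sample


def derive_psk(passphrase, ssid):
    """Return the 256-bit WPA2 pre-shared key for a passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes,
        PBKDF2_ITERATIONS, PSK_LENGTH_BYTES,
    )


def check_passphrase(passphrase, ssid):
    """Return a list of policy findings; an empty list means the candidate passes."""
    findings = []
    lowered = passphrase.lower()
    if len(passphrase) < MIN_LENGTH:
        findings.append("too-short")
    if ssid.lower() in lowered:
        # The SSID is broadcast, so embedding it adds nothing secret.
        findings.append("contains-ssid")
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("contains-common-word")
    if len(set(passphrase)) < MIN_DISTINCT_CHARS:
        findings.append("low-variety")
    return findings


def rotation_changes_key(old_passphrase, new_passphrase, ssid):
    """True when rotating the passphrase yields a different PSK for the same SSID."""
    old_key = derive_psk(old_passphrase, ssid)
    new_key = derive_psk(new_passphrase, ssid)
    return not hmac.compare_digest(old_key, new_key)


if __name__ == "__main__":
    ssid = "Agency-Visitor"  # constructed sample SSID
    for candidate in ("Agency-Visitor-1", "copper-lantern-quartz-meadow-41"):
        print(candidate, "->", check_passphrase(candidate, ssid) or "ok")
    # Every visitor who knows the passphrase derives this same key, which is
    # why the PSK scheme gives no per-device authentication.
    print(derive_psk("copper-lantern-quartz-meadow-41", ssid).hex())
```

Because the only inputs are the passphrase and the broadcast SSID, a departed visitor keeps a valid key until the passphrase itself is changed, which is the reason for the rotation recommendation.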


The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any

More information

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap AAMVA Region I Conference E-ID, DLDV, and Privacy Conducting Business Securely

More information

Independent Insight for Service Oriented Practice. An SOA Roadmap. John C. Butler Chief Architect. A CBDI Partner Company. www.cbdiforum.

Independent Insight for Service Oriented Practice. An SOA Roadmap. John C. Butler Chief Architect. A CBDI Partner Company. www.cbdiforum. Independent Insight for Oriented Practice An SOA Roadmap John C. Butler Chief Architect A CBDI Partner Company www.cbdiforum.com Agenda! SOA Vision and Opportunity! SOA Roadmap Concepts and Maturity Levels!

More information

Transformational Managed Network Services

Transformational Managed Network Services Transformational Managed Network Services Accelerating your transformation to an IP world. Accenture Publishing Solutions 1 The Challenge Enterprises today are finding it increasingly difficult to reconcile

More information

How To Be An Architect

How To Be An Architect February 9, 2015 February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 3 Typical Common Responsibilities for the ure Role... 4 Typical Responsibilities for Enterprise ure...

More information

SOA Adoption Challenges

SOA Adoption Challenges Introduction Raju Alluri SOA adoption is evolutionary rather than revolutionary. It is a journey and not an end state. There are many challenges in the SOA journey. First and foremost, the challenge is

More information

Next Generation Business Performance Management Solution

Next Generation Business Performance Management Solution Next Generation Business Performance Management Solution Why Existing Business Intelligence (BI) Products are Inadequate Changing Business Environment In the face of increased competition, complex customer

More information

Address IT costs and streamline operations with IBM service desk and asset management.

Address IT costs and streamline operations with IBM service desk and asset management. Asset management and service desk solutions To support your IT objectives Address IT costs and streamline operations with IBM service desk and asset management. Highlights Help improve the value of IT

More information

Oxford City Council ICT Strategy 2015 2018

Oxford City Council ICT Strategy 2015 2018 Oxford City Council ICT Strategy 2015 2018 1 Contents 2 Overview... 2 3 OCC Business Drivers... 2 4 ICT Principles... 3 4.1 Business Requirements... 3 4.2 Information Management... 3 4.3 Applications...

More information

Role of Analytics in Infrastructure Management

Role of Analytics in Infrastructure Management Role of Analytics in Infrastructure Management Contents Overview...3 Consolidation versus Rationalization...5 Charting a Course for Gaining an Understanding...6 Visibility into Your Storage Infrastructure...7

More information

Ghana Government Enterprise Architecture Implementation Guide

Ghana Government Enterprise Architecture Implementation Guide Ghana Government Enterprise Architecture Implementation Guide GGEA Implementation Guide v1 Copyright 2009 Page 1 of 22 ABBREVIATIONS Term GGEA EA MDA GICTeD GoG CIO QAC RFP CMM Definition Ghana Government

More information

Data Management Roadmap

Data Management Roadmap Data Management Roadmap A progressive approach towards building an Information Architecture strategy 1 Business and IT Drivers q Support for business agility and innovation q Faster time to market Improve

More information

Enable Business Agility and Speed Empower your business with proven multidomain master data management (MDM)

Enable Business Agility and Speed Empower your business with proven multidomain master data management (MDM) Enable Business Agility and Speed Empower your business with proven multidomain master data management (MDM) Customer Viewpoint By leveraging a well-thoughtout MDM strategy, we have been able to strengthen

More information

IT Governance Overview

IT Governance Overview IT Governance Overview Contents Executive Summary... 3 What is IT Governance?... 4 Strategic Vision and IT Guiding Principles... 4 Campus-Wide IT Strategic Vision... 4 IT Guiding Principles... 4 The Scope

More information

High-Level Guide for Managers. The Information Framework

High-Level Guide for Managers. The Information Framework High-Level Guide for Managers The Information Framework March 2010 1. Executive Summary The Information Framework is one of the major components that make up TM Forum Frameworx, an Integrated Business

More information

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Whitepaper: 7 Steps to Developing a Cloud Security Plan Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for

More information

Mapping Service-Orientation to TOGAF 9 - Part II: Architecture Adoption, Service Inventories and Hierarchies

Mapping Service-Orientation to TOGAF 9 - Part II: Architecture Adoption, Service Inventories and Hierarchies by Filippos Santas, IT Architect for Credit Suisse Private Banking in Switzerland and Certified SOA Trainer SERVICE TECHNOLOGY MAGAZINE Issue LI June 2011 This is second part in a multi-part article series.

More information

Department-wide Systems and Capital Investment Program

Department-wide Systems and Capital Investment Program Department-wide Systems and Capital Investment Program Mission Statement The Department-wide Systems and Capital Investments Program (DSCIP) is authorized to be used by or on behalf of the Treasury Department

More information

Data Governance Baseline Deployment

Data Governance Baseline Deployment Service Offering Data Governance Baseline Deployment Overview Benefits Increase the value of data by enabling top business imperatives. Reduce IT costs of maintaining data. Transform Informatica Platform

More information

Challenges and Role of Standards in Building Interoperable e-governance Solutions

Challenges and Role of Standards in Building Interoperable e-governance Solutions 24 Compendium of e-governance Initiatives CHAPTER in India 3 Challenges and Role of Standards in Building Interoperable e-governance Solutions Renu Budhiraja Director e-governance Group, Department of

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

DATA QUALITY MATURITY

DATA QUALITY MATURITY 3 DATA QUALITY MATURITY CHAPTER OUTLINE 3.1 The Data Quality Strategy 35 3.2 A Data Quality Framework 38 3.3 A Data Quality Capability/Maturity Model 42 3.4 Mapping Framework Components to the Maturity

More information

E-government models E-democracy

E-government models E-democracy E-government models E-democracy PAF 6406 Govt. Tech. Applications G2C applications Information Dissemination Static/ dynamic web pages; documents Online data Citizen Services provision Licenses; Government

More information

Strategic Plan FY 2014-2016

Strategic Plan FY 2014-2016 Strategic Plan FY 2014-2016 CONTENTS SUMMARY 3 ACADEMIC SERVICES 4 DATA MANAGEMENT & REPORTING 6 COMMUNICATIONS & COLLABORATION 7 IT SERVICES 8 INFRASTRUCTURE 9 SECURITY 10 BRAND BUILDING 11 INITIATION

More information

Configuration Management System:

Configuration Management System: True Knowledge of IT infrastructure Part of the SunView Software White Paper Series: Service Catalog Service Desk Change Management Configuration Management 1 Contents Executive Summary... 1 Challenges

More information

Adopting Service Oriented Architecture increases the flexibility of your enterprise

Adopting Service Oriented Architecture increases the flexibility of your enterprise Adopting Service Oriented Architecture increases the flexibility of your enterprise Shireesh Jayashetty, Pradeep Kumar M Introduction Information Technology (IT) systems lasted longer earlier. Organization

More information

Enabling Data Quality

Enabling Data Quality Enabling Data Quality Establishing Master Data Management (MDM) using Business Architecture supported by Information Architecture & Application Architecture (SOA) to enable Data Quality. 1 Background &

More information

Business Intelligence

Business Intelligence Transforming Information into Business Intelligence Solutions Business Intelligence Client Challenges The ability to make fast, reliable decisions based on accurate and usable information is essential

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

An RCG White Paper The Data Governance Maturity Model

An RCG White Paper The Data Governance Maturity Model The Dataa Governance Maturity Model This document is the copyrighted and intellectual property of RCG Global Services (RCG). All rights of use and reproduction are reserved by RCG and any use in full requires

More information

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks;

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks; Enterprise Content Management (ECM) Policy Version Information A. Introduction Purpose 1. Outline and articulate the strategy for enterprise content management across Redland City Council (RCC). This document

More information

Technology Strategy April 2014

Technology Strategy April 2014 Technology Strategy April 2014 Contents Overview 1 Our environment 1 Why change? 2 Our vision for technology what success looks like 3 Our approach 7 Transformation shifts how will we know we have been

More information

Module 6 Essentials of Enterprise Architecture Tools

Module 6 Essentials of Enterprise Architecture Tools Process-Centric Service-Oriented Module 6 Essentials of Enterprise Architecture Tools Capability-Driven Understand the need and necessity for a EA Tool IASA Global - India Chapter Webinar by Vinu Jade

More information

Corporate. Report COUNCIL DATE: June 26, 2006 NO: C013 COUNCIL-IN-COMMITTEE. TO: Mayor & Council DATE: June 15 th, 2006

Corporate. Report COUNCIL DATE: June 26, 2006 NO: C013 COUNCIL-IN-COMMITTEE. TO: Mayor & Council DATE: June 15 th, 2006 Corporate NO: C013 Report COUNCIL DATE: June 26, 2006 COUNCIL-IN-COMMITTEE TO: Mayor & Council DATE: June 15 th, 2006 FROM: General Manager, Finance, Technology & HR FILE: 1340-01 SUBJECT: City of Surrey

More information

5 FAM 630 DATA MANAGEMENT POLICY

5 FAM 630 DATA MANAGEMENT POLICY 5 FAM 630 DATA MANAGEMENT POLICY (Office of Origin: IRM/BMP/OCA/GPC) 5 FAM 631 GENERAL POLICIES a. Data management incorporates the full spectrum of activities involved in handling data, including its

More information

What You Need to Know About Transitioning to SOA

What You Need to Know About Transitioning to SOA What You Need to Know About Transitioning to SOA written by: David A. Kelly, ebizq Analyst What You Need to Know About Transitioning to SOA Organizations are increasingly turning to service-oriented architectures

More information

Optimizing the Data Center for Today s State & Local Government

Optimizing the Data Center for Today s State & Local Government WHITE PAPER: OPTIMIZING THE DATA CENTER FOR TODAY S STATE...... &.. LOCAL...... GOVERNMENT.......................... Optimizing the Data Center for Today s State & Local Government Who should read this

More information

Guidelines for Best Practices in Data Management Roles and Responsibilities

Guidelines for Best Practices in Data Management Roles and Responsibilities Guidelines for Best Practices in Data Management Roles and Responsibilities September 2010 Data Architecture Advisory Committee A subcommittee of Information Architecture & Standards Branch Table of Contents

More information

Master Data Management Architecture

Master Data Management Architecture Master Data Management Architecture Version Draft 1.0 TRIM file number - Short description Relevant to Authority Responsible officer Responsible office Date introduced April 2012 Date(s) modified Describes

More information

Agency Centralized IT Reference Model

Agency Centralized IT Reference Model Agency Centralized IT Reference Model For State of Minnesota Agencies Planning and Version 2.0 March 8, 2012 658 Cedar Street Saint Paul, MN 55155 www.oet.state.mn.us PROVIDING THE LEADERSHIP AND SERVICES

More information

Section 4 MANAGEMENT CONTROLS AND PROCESSES. Section 4

Section 4 MANAGEMENT CONTROLS AND PROCESSES. Section 4 Section 4 MANAGEMENT CONTROLS AND PROCESSES Section 4 MANAGEMENT CONTROLS AND PROCESSES MANAGEMENT CONTROLS AND PROCESSES FEATURED IN THIS SECTION 4.1 Information Management Framework... 1 4.2 Strategic

More information

Enterprise Architecture and the Cloud. Marty Stogsdill, Oracle

Enterprise Architecture and the Cloud. Marty Stogsdill, Oracle Marty Stogsdill, Oracle SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations

More information

1 YORK REGION INFORMATION TECHNOLOGY STRATEGY (YRITS) 2006 UPDATE

1 YORK REGION INFORMATION TECHNOLOGY STRATEGY (YRITS) 2006 UPDATE Report No. 1 of the e-government Sub-Committee 1 YORK REGION INFORMATION TECHNOLOGY STRATEGY (YRITS) 2006 UPDATE The e-government Sub-Committee recommends the adoption of the recommendation contained in

More information

Cross-Domain Service Management vs. Traditional IT Service Management for Service Providers

Cross-Domain Service Management vs. Traditional IT Service Management for Service Providers Position Paper Cross-Domain vs. Traditional IT for Providers Joseph Bondi Copyright-2013 All rights reserved. Ni², Ni² logo, other vendors or their logos are trademarks of Network Infrastructure Inventory

More information

A Mock RFI for a SD-WAN

A Mock RFI for a SD-WAN A Mock RFI for a SD-WAN Ashton, Metzler & Associates Background and Intended Use After a long period with little if any fundamental innovation, the WAN is now the focus of considerable innovation. The

More information

EMC PERSPECTIVE. The Private Cloud for Healthcare Enables Coordinated Patient Care

EMC PERSPECTIVE. The Private Cloud for Healthcare Enables Coordinated Patient Care EMC PERSPECTIVE The Private Cloud for Healthcare Enables Coordinated Patient Care Table of Contents A paradigm shift for Healthcare IT...................................................... 3 Cloud computing

More information

HR Function Optimization

HR Function Optimization HR Function Optimization People & Change Advisory Services kpmg.com/in Unlocking the value of human capital Human Resources function is now recognized as a strategic enabler, aimed at delivering sustainable

More information

HP and netforensics Security Information Management solutions. Business blueprint

HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

Transform Performance Through. Enterprise Integration

Transform Performance Through. Enterprise Integration Transform Performance Through Enterprise Integration In today s world, success is a complicated business. Missions and requirements are expanding. Budgets are shrinking. Your ability to automate processes,

More information

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material,

More information

A Mission Impossible?

A Mission Impossible? From Business Strategies to Infrastructure Planning: The Challenges of Enterprise Technology Architects Axel Jacobs A Mission Impossible? The enterprise technology architect dilemma: Is it really possible

More information

White Paper. Managed IT Services as a Business Solution

White Paper. Managed IT Services as a Business Solution White Paper Managed IT Services as a Business Solution 1 TABLE OF CONTENTS 2 Introduction... 2 3 The Need for Expert IT Management... 3 4 Managed Services Explained... 4 5 Managed Services: Key Benefits...

More information

Enterprise Information Management Capability Maturity Survey for Higher Education Institutions

Enterprise Information Management Capability Maturity Survey for Higher Education Institutions Enterprise Information Management Capability Maturity Survey for Higher Education Institutions Dr. Hébert Díaz-Flores Chief Technology Architect University of California, Berkeley August, 2007 Instructions

More information