Government of Malta
Reference: GMICT X 0004-1:2014
Version: 7.0
Effective: 07 January 2014
This document is part of the http://ictpolicies.gov.mt
Underlined terms are defined in the Vocabulary.

Purpose
The purpose of the for the Government of Malta is to regulate the introduction and use of technology within the Public Sector.

Scope and Applicability
This document focuses on the Government of Malta's function and its processes. The MITA Statute states that:
"It shall be a purpose of the Agency to... deliver and manage the execution of all programmes related to the implementation of information technology and related systems in Government with the aim of enhancing public service delivery." (Statement 3(1b))
Amongst such programmes being managed by MITA is the deployment of an effective ICT Governance for the adoption and use of information technology across the Public Sector, consisting of Government ICT Policies (known as ).

1. Corporate Governance
Effective corporate governance is intended to uphold a number of common principles, including:
- Transparency of information and internal procedures
- Accessibility of information, based on the premise that information that is not easily accessible is no information at all
- Authenticity of information, which calls for the need to protect the integrity of information (information management)
- Third party audit to verify compliance with rules and practices
- Directors' responsibility and accountability to ensure legal compliance with the mandatory corporate governance framework
- Information technology enablement, whereby technological tools, processes and practices are recognized as reliable sources for good corporate governance.
Since ICT permeates practically all aspects of business, the generation and sustainability of information requires governance from an ICT perspective.

2. ICT Governance
ICT governance has been defined as:
Page 1 of 11
"the board's ability to direct and control the enterprise's use of IT resources in line with strategic goals." (COBIT, 2010)
and also as:
"addressing the definition and implementation of processes, structures and relational mechanisms (1) in the organisation that enable both business and IT professionals to execute their responsibilities in support of business-IT alignment and the creation of business value from IT enabled business investments." (Van Grembergen and De Haes, 2009)
The latter definition extends the simpler COBIT definition and for the purposes of this ICT Governance in a Public Sector context is adapted as follows:
ICT governance addresses the definition and implementation of processes, structures and relational mechanisms within the public sector that enable its professionals to execute their responsibilities in support of the alignment of Government business and Information and Communications Technology (ICT) strategies and objectives, as well as the creation of value from ICT enabled investments.
(1) Relational mechanisms refer, amongst others, to policies and procedures.

3. Basis for the
This is based upon applicable adaptations of the Control Objectives for Information and related Technology (COBIT) framework. Reference to this framework shall facilitate a shared, common understanding among all stakeholders involved.
COBIT was developed by the IT Governance Institute (an ISACA research institute) and provides a holistic set of control objectives, processes, measures and best practices for information technology management. It emerged out of another framework, developed by the Committee of Sponsoring Organisations (COSO), which focuses on internal and financial controls. The development of COBIT versions 3 and 4 saw its increased alignment to other internationally recognised standards and best practices such as the Information Technology Infrastructure Library (ITIL), ISO 27001 and PRojects IN Controlled Environments (PRINCE2). In fact, in organisations where these last-mentioned standards and frameworks are already implemented, it is recommended that they are used in conjunction with COBIT.
The latest version of COBIT (version 5) builds upon version 4.1 and integrates into it the IT Governance Institute's own Val IT 2.0 and Risk IT frameworks, and also aligns itself more fully to the ISO/IEC 38500 domains. COBIT has also evolved from an audit framework in 1996 into a framework for the governance and management of enterprise IT in 2012 that presents policies as a fundamental factor for influencing proper governance and management over IT. COBIT 5 is based upon seven enablers as support tools for the implementation of governance and management of enterprise IT, one of which is Principles, Policies and Frameworks. Good Practices, Goals and metrics, Stakeholders and Life Cycle are the four enabler dimensions of a policy framework.

4. Good Practices
4.1 The delineation of Management and Governance
COBIT 5 delineates between management and governance. Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against the agreed-on direction and objectives. (2) On the other hand, management plans, builds, runs and monitors activities in alignment with the direction set by the governance body, to achieve the enterprise objectives.
(2) www.isaca.org/cobit/documents/cobit5-introduction.ppt

4.2 documentation
documentation is organised in the following content types:

documentation type | Scope (in terms of the delineation) | Definition
 | Governance | A direction, line, manifest, principle or stance of a strategic nature stating the official intention of Government. A lucid, vendor-neutral statement about Government's intentions in the Information and Communications Technology (ICT) field. Statements intended to regulate Public Sector behaviour with respect to the adoption and use of ICT in Government.
GMICT Specification / Standard | | A specification or configuration required for ICT related products, services or operations.
GMICT Directive | | Instructions related to the implementation of Policies and Standards.
GMICT Procedure | | An official (and authorised) way of doing something. This is normally expressed as a workflow.
GMICT Form | | Specifies various items of information required, usually as part of a Procedure.
Table 1

4.3 Roadmap
The Roadmap (GMICT X 0004-2) that accompanies this outlines published and intended GMICT policy activity over a three year period and is updated every six months. From a COBIT perspective, the Roadmap reflects the management, and specifically the planning, aspect of policy.

5. Goals
5.1 Underlying Principles
The following principles for the function are drawn from the National ICT Strategy as reflected in the MITA Strategic Plan 2009-2012:
- Transformation-driven approach to allow for more value and lower cost for Government
- Monitoring of emerging trends within the information society fields
- Continuous improvement in policy management
- Independence from operational functions that may impair objectivity in policy management
- Risk averse approach with respect to Government security interests
- Open standards and technology approach
- Close collaboration with other aspects of ICT governance, which include, but are not limited to, Business, Information Security governance, Data governance and Compliance
- Communication and involvement of all stakeholders concerned.

5.2 Terms of Reference
Following the underlying principles, the following Terms of Reference are drawn for the function:
1. To identify new requirements and to recommend appropriate GMICT development to the Chief Technology Officer.
2. To act as the point of reference with respect to the interpretation of published GMICT.
3. To oversee the development of drafted by its primary policy contributor and be responsible for its review, leading to publication.
4. To foster further collaboration with all stakeholders, including but not limited to the Office of the CIOs, the Security Governance function, the Data Governance function and the Compliance function.
5. To induce awareness of established among the stakeholders concerned.

6. Stakeholders
The key stakeholders for are:
- MITA (the Agent), which formulates the principles on behalf of Government, based upon Government's technology direction and legislation
- the Public Sector, which implements these principles.
Lifecycle

Figure 1: Lifecycle, Phase 1 (Plan Roadmap) and Phase 2 (Plan Content). Flowchart with swimlanes for: Stakeholders (MITA & Public Sector); (CTO); Contributor; function; External process/document. Recoverable elements, in reading order:

PHASE 1 - Plan (Plan Roadmap)
Inputs, including but not limited to: (i) Existing GMICT (ii) MITA Strategic Plan (iii) Relevant Government publications (iv) Relevant EU publications (v) Feedback from Compliance (vi) Mandates.
Steps: Scheduled Roadmap update; Roadmap update; Provide feedback for Roadmap review; Authorise Roadmap; Publish Roadmap (Official Documentation Roadmap); connector D (Fig. 3).

PHASE 2 - Plan and Organise (Plan Content)
Steps: Schedule policy work based on Published Roadmap (connector B, Fig. 2, 3); Draft/Update (Template); Required content received? (if not: Escalation Procedure, Fig. 6); Vet policy content; Further revisions required?; For External Review?; Issue Draft for Review; connectors A and E (Fig. 2).
Note: It is the prerogative of the Chief Technology Officer (CTO) to decide whether a draft policy should be subject to external review or not.

Figure 2: Lifecycle, Phase 3 (Plan Content leading to Delivery and Support) and Phase 4 (Check implementation). Same swimlanes as Figure 1.

PHASE 3 - Plan and Organise (Plan Content) leading to Delivery and Support ( implementation upon publication)
Steps: Provide feedback (connector E); Contribute to updates accordingly (connector A); Changes Required?; Major changes required?; Update policy draft accordingly; Authorise; Authorised?; Finalise and Publish (connector B).
Notes: Feedback is to be provided within timeframes as established by the function. The Chief Technology Officer (CTO) shall be the first reference point for authorisation. The CTO may refer the to the Chief Executive Officer (CEO) for approval, particularly in cases where a is deemed of critical importance.

PHASE 4 - Monitor & Evaluate (Check implementation)
Steps: Gauge policy implementation; Compliance Audits (includes but may not be limited to Exemption Trend Analysis); Feedback (includes but is not limited to ongoing feedback from CIOs and MITA stakeholders); connector C (Fig. 3).

Figure 3: Lifecycle, Phase 5 (Act). Same swimlanes as Figure 1.

From connector C (Fig. 2): Determine where changes need to be applied; As planned in Roadmap? (i.e. is this a new policy not factored in the roadmap, or a policy that is included in the roadmap but that needs to be reprioritised in the roadmap?); connector B; Mandate Form: Fill in Mandate form; Review mandate request; Clarifications Required?; Decide on Mandate; Updates Necessary?; Escalate? (may be required if the necessary updates are not given accordingly: Escalation Procedure, Fig. 4); Authorised?
PHASE 5 - Monitor & Evaluate (Act): Inform the requestor accordingly; connector D.

Figure 4: Lifecycle: Escalation Procedure. Same swimlanes as Figure 1.

Escalation Procedure Start: Request (in writing) the required action from the Primary contributor (apart from GMICT drafting or update, this may include a GMICT Mandate for further clarification).
Required update received? Y: Take action accordingly. N: Initial grace period? (generally 2 weeks are allowed); Second grace period?; Send a reminder (in writing) to the Contributor (if this is not the first reminder, escalate to Contributor's Line for possible reprioritisation of tasks); Escalate to CTO, advising closure of pending GMICT documentation process; Close process? Y: Inform Primary policy contributor accordingly re. closure; Strike off pending documentation from Register.
Escalation Procedure Closure.
6.1 Authorisation
The management lifecycle essentially calls for management involvement, particularly during the policy authorisation process. documentation shall therefore be authorised at the appropriate management level within MITA, based upon the criteria indicated in Table 2, below.

Potential Criteria
Acronym | Meaning of Acronym | Further explanation
STR | Strategic Importance of the to the Public Sector | Implies the significance of the policy upon: the public, society, national interest, any other matter which carries significant sensitivity to Government interests e.g. security, Government policy
OPR | Degree of change expected to operational business practices in the Public Sector (including MITA) through introduction of the | Implies the degree of change required in current work practices / processes for conformance to the
Table 2

7.2.3 Compliance
Any document carries an Effective Date, which refers to the date from which the provisions of the particular document start to apply. However, it is also understood that there may be instances when it is not possible for the provisions of a GMICT policy document to be implemented with immediate effect as from the Effective Date. Therefore, the function addresses such a possibility in two ways, prior to document publication, specifically during the drafting and the review stages:
(i) The template includes an optional Section related to Compliance. This Section is expected to provide parameter(s) of applicability, transition requirement(s) and corresponding date(s) by which part or all of a document is expected to be complied with. The Transition requirements are not expected to be highly specific, particularly where various implementation scenarios are known to exist within the context under consideration. However, they should at least be expected to outline the common high level requirements expected across all of the various potential scenarios.
(ii) The review process of draft documents is inherently expected to provide first-hand feedback from its affected stakeholders. The feedback is mainly expected to focus on the validity of the principles underlying the statements, as well as any potential issues of enforcement of the proposed document. It should therefore serve as a mechanism for assessing the impact of the and for any compliance parameters or timelines to be established prior to the 's publication.
Please refer to the Compliance (GMICT X 0018).

7. References
1. Calder, A. (2008), ISO/IEC 38500: The IT Governance Standard, IT Governance Publishing, UK, p. 19
2. Carillo, J. (2013), IT based on COBIT 5, Governance and of Enterprise IT, ISACA Journal, p. 24
3. IT Governance Institute (2007), COBIT 4.1, www.itgi.org
4. Lallana, E. (2010), ICT for Development Policy, Process and Governance, Briefing Note 2, United Nations Asian and Pacific Training Centre for ICT for Development, January 2010
5. MITA Strategic Plan 2009-2010
6. Pye, G. and Warren, M.J. (2006), Striking a Balance between Ethics and ICT Governance, Australasian Journal of Information Systems, 13(2), 201-207
7. Queensland Government - Department of Education and Training (2009), Summary, Version 1.1, Trim 2009/95440
8. Moir, S.T.W. (2008), The Calder-Moir IT Governance Overview, Version 2.0, July 2008
9. Ziolkowski, R. and Clark, E. (2005), Standards of : The need for stronger epistemological foundations in shifting sands, The Asia Pacific Journal of Public Administration, 26(1), 77-90

Modification History
Version | Effective Date | Changes
1.0 | 08/11/2010 | Initial Release
2.0 | 18/11/2010 | Second Release
3.0 | 23/11/2010 | Third Release - based on update to Lifecycle
4.0 | 13/06/2011 |
5.0 | 16/04/2012 | Addition of the Lifecycle: Escalation procedure
6.0 | 06/12/2012 | Addition of Scope of Suite (Section 7.2)
7.0 | 07/01/2014 | Simplification of general content and update of Lifecycle

Issuing Authority
This document has been issued with the authority of the Malta Information Technology Agency.

Contact Information
Government ICT Policies, Directives, Standards and associated publications can be found at http://ictpolicies.gov.mt. Any suggestions, queries or requests for clarification regarding Government ICT Policies, Directives and Standards may be forwarded to ictpolicies@gov.mt.