The Department of Public Service and Administration recently released a circular that now compels all government departments and entities to adopt an ICT governance framework. In this context, a Corporate Governance of ICT (CGICT) Policy Framework has been issued by the department, which maps out how governance of ICT within government entities is to be applied, structured and implemented.
The development of the CGICT policy framework was primarily a result of the assessments conducted by the Auditor General over the last couple of years. In 2010/11, the Auditor General concluded that only 21% of departments had implemented adequate governance controls, and that 79% of institutions did not have an ICT governance policy framework.
The CGICT policy framework depicts the COBIT Governance Framework as the core reference for the governance of ICT. COBIT is the internationally recognised business framework for the governance and management of enterprise IT, and is published by ISACA.
"This is a significant step by the South African government to ensure that ICT should be governed and managed at a political leadership and executive management level," said Winston Hayden, President of ISACA South Africa. "We are very pleased to see that COBIT is going to be used for the governance of IT within the public service. Not only will this assist government entities to respond to the various inherent IT risks, but it will also ensure value is derived from its IT investments and resources."
The overall policy framework is based on principles found in the King III Code, ISO/IEC 38500 and COBIT 5. It also goes as far as stipulating certain governance practices for a government entity's Executive Authority, the Head of Department, the Risk and Audit Committee, and the Executive Management. The policy framework also outlines the implementation approach to be used, and sets out the high-level activities in a three-phased approach.
Furthermore, an Assessment Standard and an Implementation Guide have also been released, which provide a more detailed plan to establish the necessary structures and processes. At a minimum, the following COBIT processes need to be implemented:
* EDM01: Governance framework setting and maintenance
* APO01: Manage the ICT management framework
* APO02: Manage strategy
* APO03: Manage enterprise architecture
* APO05: Manage portfolio
* APO10: Manage suppliers
* APO12: Manage risk
* APO13: Manage security
* BAI01: Manage programmes and projects
* DSS01: Manage operations
* DSS04: Manage continuity
* MEA01: Monitor, evaluate and assess performance and conformance
Copies of the Policy Framework, the Assessment Standard, the Implementation Guide and the Directive to all heads of government departments are published on the DPSA Web site (http://www.dpsa.gov.za/dpsa2g/psictm_documents.asp).