In 2012 the Portuguese government proposed the “Plano global estratégico de racionalização e redução de custos nas TIC, na Administração Pública” with the objective of improving the public service at a lower cost. This plan is composed of five important actions to be applied to Information and Communications Technology (ICT) resources in public administration: i) improvement of governance mechanisms; ii) cost reduction; iii) use of ICT to promote change and government modernization; iv) implementation of common ICT solutions; v) stimulating economic growth. In the scope of information security, this plan indicates: i) ICT rationalization, organization and management; ii) information systems and technologies architecture, standards and guidelines; iii) definition and implementation of a national information security strategy; and iv) definition and implementation of sectorial action plans to rationalize ICT.

This paper aims to address some of these actions in the context of information assurance and security, specifically in local government. To achieve this goal, the creation of a “Governance Information Technologies Structure” (GEITS) is proposed. This proposal is based on existing good practices at a global level in the governance and management of ICT, IT (Information Technology) and information systems security. Integrating ICT management into local governments, as well as recognizing the role of business partners in achieving solutions and developing new areas to create public value, stands for the transparency supported by the use of internationally recognized rules and frameworks. Thus, the intention is to appreciate ICT as a business partner and a source of value creation rather than purely as a source of support to the business itself. The effect of this appreciation will be the integration of ICT management into local governance. The proposal for implementing the GEITS in the municipality is based on the CobiT 5 implementation guide. This guide also directs the implementation program and the method for incorporating each phase of the continuous improvement process, including how to use other tools such as ITIL or ISO/IEC 27000. A case study of its use in Appendix D, Example Business Case, of the CobiT 5 implementation guide, as well as the blueprints provided by the guide and the framework itself, has led to some conclusions, such as: i) the slowness of each program iteration; ii) the need to mitigate some risks, for example the need for executive support; iii) the identification of relevant activities in the field of information security and assurance; iv) the security of the information is guaranteed according to the risk assumed, thereby ensuring optimized resources with prioritization (through the GEITS) based on business cases; v) promoting the desire to act when facing the results of the local government/process capacity analysis.

From an information security and assurance perspective, a series of relevant activities have been identified, referring directly to risk management, information security and data security, namely:
- To ensure that security incidents are managed properly, the local government needs to assess suppliers for compliance with existing policies, guaranteeing information security conditions and compliance with contracts and Service Level Agreements (SLAs).
- To minimize or even eliminate the impact on the local government or its stakeholders, it is essential to use a methodology based on risk analysis to improve security incident handling.
- An Information Security Management System (ISMS) is needed to provide a coordinated information security perspective for the local government and to enable the implementation of controls in a coherent manner. Information security is achieved through the implementation of an adequate set of controls, including policies, processes, procedures and organizational structures.
- Any organization must effectively prevent malicious manipulation of sensitive data.
- Checking the process or the implemented controls ensures compliance with internal and external requirements.

It is important to explain what an EGTIC is and how it contributes to better public governance. It is also important to level the training proposals for solutions, systems or processes through the use of a strategic justification with comparable parameters, allowing the prioritization of investment. Frequently, the assessment of ICT services and information systems in government is done ad hoc or uses external auditors; the work presented in this paper shows that the use of CobiT 5 tools to carry out this capacity analysis is quite effective. This opens a door to the first phase of implementation of the EGTIC: creating the desire to act.
Santos, Pedro and Brito, Isabel Sofia Sousa, "ICT Governance in Local Government – Proposals for Information Security" (2017). CAPSI 2017 Proceedings. 32.