IT Governance Standard GOVERNMENT ICT STANDARDS The ICT Authority is a State Corporation under the State Corporations Act 446 www.icta.go.ke First Edition 2016 © ICTA 2016— All rights reserved


IT Governance Standard ICTA. 5.001: 2016


CONTENTS

FOREWORD

1. Introduction

1.1 Description of standard

2. Scope

3. Application

4. Normative references

5. Definitions

6. Abbreviations

7. Sub-domains

7.1 IT service management

7.2 Project Management

7.3 Legal and regulatory

7.4 Performance measurement to support IT governance

7.5 Risk management

7.6 Resource management

8. Requirements

ANNEX

Annex A: IT Service Management

Annex B: IT Project Management

Annex C: Legal and Regulatory

Annex D: Performance management

Annex E: Risk management

Annex F: IT Resource management

Appendix 1: Compliance Checklist for IT Service Management

Appendix 2: Compliance Checklist for IT Project Management

Appendix 3: Compliance Checklist for IT Legal and regulatory

Appendix 4: Compliance Checklist for Performance management

Appendix 5: Compliance checklist for Risk management

Appendix 6: Compliance Checklist for IT Resource management

Appendix 7: GoK Project Management Governance Structure

Appendix 8: Sample Project governance roles

Appendix 9: Project management documentation

Appendix 10: Project management stages and activities

Appendix 11: Project documentation development

Appendix 12: A generic project governance model for larger, more complex projects

Appendix 13: Sample Outcome Realisation data for the Project Business Plan

Appendix 14: Stakeholder engagement process

Appendix 15: Stakeholder engagement process

Appendix 16: Elements of the risk management process

Appendix 17: Risk matrix for grading risks

Appendix 18: Recommended actions for grades of risk

Appendix 19: Issue management flowchart

Appendix 20: Example of a Project Issues Register

Appendix 21: Project closure

Appendix 22: Sample Service Management structure (ITIL) for Small organizations

Appendix 23: Sample Service Management structure (ITIL) for Large organizations

Appendix 24: Service desk 1st level, 2nd level and 3rd level support definitions

Appendix 25: Sample ICT Strategy Format

Appendix 26: Who needs to be involved in Legal contracts

Appendix 27: Risk management process

Appendix 28: Accreditation of Contractors and Suppliers

Appendix 29: Accreditation of IT Professionals

Appendix 30: Government ICT Project Governance Structures

Appendix 31: Audit for Outsourced Applications

Appendix 32: Related Documents


ICTA STANDARDS DESCRIPTION

| S/No | Thematic Area | Standards | Brief Description |
|---|---|---|---|
| 1 | Infrastructure | ICTA-2.001:2016 Network Standard | Provides compliant requirements for design, installations and management of all categories of IT Networks to be deployed in government. |
| | | ICTA-2.001:2016 Data Center Standard | Provides compliant requirements for design, installations and management of government data centers |
| | | ICTA-2.001:2016 Cloud Computing Standard | Provides compliant requirements for design, installations and management of cloud computing infrastructures for government |
| | | ICTA-2.001:2016 End-User Equipment Standard | Provides the minimum specifications for all computing devices being deployed in government |
| 2 | Systems & Applications | ICTA-6.001:2016 Systems & Applications Standard | Provides compliant requirements for design, installations and management of all government Software and applications Systems. |
| 3 | IT Security | ICTA-3.001:2016 Information Security Standard | Provides compliant requirements for design, installations and management of Information Technology Security in government. |
| 4 | Electronic records management | ICTA-4.001: 2016 Electronic records and Data Management Standard | Provides compliant requirements for management of government electronic records and data |
| 5 | IT Governance | ICTA. 5.001: 2016 IT Governance Standard | Provides compliant requirements for IT Governance in government. This includes compliance requirements for government IT service providers and Professional Staff. |
| 6 | ICT Human Capacity | ICTA.7.001:2016 ICT Human Capital and Work force Development Standard | Provides compliant requirements for development of Human Capital capacity for deployment and support for government ICT infrastructure and services. |


REVISION OF ICT STANDARDS

In order to keep abreast of progress in industry, ICTA Standards shall be regularly reviewed. Suggestions for improvements to published standards, addressed to the Chief Executive Officer, ICT Authority, are welcome. The Standard Review Board will consider the requests during their quarterly meetings and, if appropriate, recommend them to be incorporated during annual review of the Standard.

©ICT Authority 2016

Copyright. Users are reminded that by virtue of Section 25 of the Copyright Act, Cap. 12 of 2001 of the Laws of Kenya, copyright subsists in all ICTA Standards and except as provided under Section 26 of this Act, no Standard produced by ICTA may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from the Chief Executive Officer.


DOCUMENT CONTROL

Document Name: IT Governance Standard

Prepared by: IT Governance Standard Technical Committee

Edition: First Edition

Approved by: Board of Directors

Date Approved: 11th August 2016

Date of Operationalization: 1st January 2017

Next Review Date: After 3 years


FOREWORD

The ICT Authority has an express mandate to, among others, set and enforce ICT standards and guidelines across all aspects of information and communication technology including systems, infrastructure, processes, human resources and technology for the public service. The overall purpose of this specific mandate is to ensure coherence and a unified approach to acquisition, deployment, management and operation of ICTs across the public service, including state agencies, in order to promote service integration, adaptability and cost savings through economies of scale in ICT investments.

In pursuit of achievement of this mandate, the Authority established a Standards Committee to identify the critical standards domain areas as well as oversee the standards development process. A total of nine Standards falling under six different domain areas were identified by the committee to be relevant for government ICT Standards. The development of all the identified standards was done through a process which took into consideration international requirements, government requirements, stakeholder participation as well as industry/sector best practices. In order to conform to the format of other existing national standards, the committee adopted the Kenya Bureau of Standards (KEBS) format and procedure for standards development. In addition, through Memoranda of Understanding, KEBS has made an invaluable contribution to the development of ICT Authority standards.

The ICTA IT Governance Standard, which falls under the overall Government Enterprise Architecture (GEA), has therefore been prepared in accordance with KEBS standards development guidelines.

The Authority has the oversight role and responsibility for management and enforcement of this standard. The review and approval of the standard is done by the ICTA Board upon recommendation of the Standard Review Board. The Authority shall be carrying out quarterly audits in all the Ministries, Counties, and Agencies (MCA) to determine their compliance with this Standard.

The Authority will issue a certificate of compliance to an agency upon completion of the audit assessment. For non-compliant agencies, a report detailing the extent of the deviation and the prevailing circumstances shall be tabled before the Standards Review Board, who will advise on action to take.

All government agencies are required to ensure full compliance to this standard for effective and efficient service delivery to the citizen. The compliance period is six months from the effective date.

Kiprono Rono P., Director, Programmes and Standards,


1. Introduction

IT Governance is part of the wider Corporate Governance activity but with a specific focus on IT. IT Governance covers the culture, organization, policies and practices that provide oversight and transparency of IT. For organizational investment in IT to deliver full value, IT has to be fully aligned to business strategies. The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures but also engender greater trust, teamwork and confidence in the use of IT itself and the people trusted with IT services.

The biggest risk and concern to government today is failing to align IT to real business needs, and a failure to deliver, or be seen to be delivering, value to the business. Since IT can have such a dramatic effect on MCA performance and competitiveness, a failure to manage IT effectively can have a very serious impact on the organization as a whole.

The current climate of cost reduction and budget restriction has resulted in a new norm: there is an expectation that IT resources should always be used as efficiently as possible and that steps are taken to organize these IT resources ready for the next cycle of growth and new IT developments. A key aspect of these factors is the increasing use of third party service providers and the need to manage these suppliers properly to avoid costly and damaging service failures.

In addition, it is recognized that IT functions play a critical role in the organization and need to be placed on par with other core functions in terms of reporting lines.

IT governance shall assist MCAs to:

• Be sure that they are aware of all IT related risks likely to have an impact on their organization;

• Know how to improve the management processes within IT to manage these risks;

• Ensure there are manageable relationships with suppliers, service providers and with the business (customers);

• Contract and manage IT suppliers with the expected level of performance;

• Ensure there is a transparent and understandable communication of these IT activities and management processes to satisfy interested stakeholders;

• Ensure the IT function reports directly to the Chief Executive Officer;

• Recruit and maintain IT Professionals who are competent and regulated.

IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules. It requires a commitment from top management of the organization to instill a better way of dealing with the management and control of IT. IT Governance is an ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment.

IT governance shall result in:

a. Transparency and accountability

- Improved transparency of IT costs, IT process, IT portfolio (projects and services).

- Clarified decision-making accountabilities and definition of user and provider relationships.

b. Return on investment

- Improved understanding of overall IT costs and their input to ROI cases.

- Combining focused cost-cutting with an ability to reason for investment.

- Stakeholders are able to see IT risk/returns.

c. Opportunities and Partnerships

- Provide route to realize opportunities that might not receive attention or sponsorship.


- Positioning of IT as a business partner (and clarifying what sort of business partner IT is).

- Facilitate joint ventures with other organizations.

- Facilitate more business-like relationships with key IT partners (vendors and suppliers).

- Achieve a consistent approach to taking risks.

- Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa.

- Improve responsiveness to challenges and opportunities.

d. External Compliance

- Enables an integrated approach to meeting government legal and regulatory requirements.

1.1 Description of standard

IT governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

2. Scope

IT Governance spans the culture, organization, policy and practices that provide for IT management and control across five key areas:

• Alignment – Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.

• Value delivery – Confirm that the IT/Business organization is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.

• Risk Management – Ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.

• Resource management – Provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements. Ensure competent human resource with desired ethical behaviors and norms.

• Performance – Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value). Ensure that IT service providers are regulated and managed so as to maintain expected level of performance in delivery of their services to government.

3. Application

This standard applies to:

• Central Government of Kenya

• County Governments

• Constitutional Commissions

• State Corporations

• Government Institutions

4. Normative references

The following standards contain provisions which, through reference in this text, constitute provisions of this standard.


All standards are subject to revision and, since any reference to a standard is deemed to be a reference to the latest edition of that standard, parties to agreements based on this standard are encouraged to take steps to ensure the use of the most recent editions of the standards indicated below. Information on currently valid national and international standards can be obtained from Kenya Bureau of Standards.

• COBIT 5

• PRINCE2

• ITIL

Managers of projects dealing with software products or software-intensive systems may find the contents of the PMBOK® Guide and ISO 10006:2003 helpful in managing their projects to a successful conclusion.

5. Definitions

5.1 Enterprise Architecture

An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

5.2 Service desk

A Service Desk is a primary IT function within the discipline of IT service management. It is intended to provide a Single Point of Contact to meet the communication needs of both users and IT staff.

6. Abbreviations

EA Enterprise Architecture

WAN Wide Area Network

LAN Local Area Network

SLA Service Level Agreement

MCA Ministry, County and agency

ICTA ICT Authority

ROI Return on Investment

NEMA National Environment Management Authority

CIO Chief Information Officer

QOS Quality of Service

COBIT Control Objectives for IT

PMBOK Project Management Book

SWOT Strength Weakness Opportunity and Threat


7. Sub-domains

7.1 IT service management

- IT service strategy

- IT service design

- IT service transition

- IT service operations

- IT continuous service improvement

7.2 Project Management

- Project governance

- Project initiation

- Project planning

- Analysis and design

- Project building and testing

- Project implementation

- Project completion and commissioning

7.3 Legal and regulatory

- Kenya laws on ICT

- Responsibilities and Authorities

- ICTA Legal Notice No. 183

7.4 Performance measurement to support IT governance

- IT service management

- Project management

- Legal and regulatory

- Risk and resource management

7.5 Risk management

- Develop a framework

- Identify risk

- Identify risk owners

- Evaluate the risk

- Identify and enforce possible response to the risk

7.6 Resource management

- Management of IT resources

- Capacity building

- Tools

- Change management

- Innovation


8. Requirements

| Sub domain | Description | Requirement |
|---|---|---|
| IT service management | IT shall be governed to ensure alignment and support to business goals. MCAs shall ensure that IT function report directly to the accounting officer. | Annex A |
| IT Project management | IT projects shall be governed to ensure value delivery. MCAs shall ensure established Project Steering Committee and Project Technical Committees to manage IT Projects. | Annex B |
| Legal and regulatory | Every MCA shall identify the specific regulations affecting them and respond accordingly, and ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholder so that each group can apply its specific expertise effectively. | Annex C |
| Performance measurement to support IT governance | Performance measurement shall be conducted to verify the achievement of strategic IT objectives and provide for a review of IT performance and the contribution of IT to the business (i.e. delivery of promised business value). MCAs shall ensure that suppliers of IT services to government have a valid certificate from ICT Authority | Annex D |
| Risk management | MCAs shall put processes in place to ensure that risks have been adequately managed. | Annex E |
| Resource Management | MCAs shall provide high-level direction for sourcing and use of IT resources. They shall oversee the aggregate funding of IT at enterprise level and ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements. They shall ensure that staff working in IT function has a valid license from ICT Authority. | Annex F |


ANNEX

Annex A: IT Service Management

Subject Requirement

IT Service Strategy

IT strategy management

MCAs shall ensure that IT function report directly to accounting officer and have an approved ICT strategy.

MCAs shall establish their Enterprise Architecture [EA] framework which gives detail of all the IT services and their integrations.

IT shall be a strategic objective in the overall strategic plan of the MCAs

The strategy shall have IT vision and mission

The strategy shall define how the MCA plans to improve internal services, services to business and citizens

The strategy shall be developed with input from internal and external stakeholders.

The strategy shall include a SWOT assessment

The strategy shall define specific tasks and responsibilities for achieving service improvement

The strategy shall be implemented to create new and improved services

Service portfolio management

MCA shall have a service charter for IT enabled services

The charter shall define the desired outcomes of the services

The charter shall define the assets required to offer the services

MCA shall annually review the usage volume of the IT enabled services and customer satisfaction and ensure they are economically viable

Financial management for IT services

The MCA shall allocate funds for ICT activities through the annual budget. The ratio of ICT to institutional budget shall be at 5%

The budget shall be linked to the ICT strategy

The budget shall be allocated for development and recurrent purposes

The development budget shall cover WAN, LAN, acquisition of end user devices, software acquisition and ICT training

The recurrent budget shall cover ICT infrastructure maintenance and servicing

Business Relationship Management

MCA shall conduct and document customer satisfaction surveys on IT enabled services annually for internal and external customers

MCAs shall have a system to track customer complaints, compliments and resolution

MCA shall conduct training and awareness programs annually to sensitize internal and external customers on IT enabled services

IT Service Design

Service level management

MCA shall develop and sign service level agreements (SLAs) with service providers (internet, systems support, maintenance, etc.) to ensure availability and reliability of IT enabled services

The SLA shall define service level targets.

MCA shall monitor achievement of service levels and compare them with agreed service level targets in the SLA

SLA shall have accountability mechanisms for failure to meet service levels

MCA shall monitor and report on achievement of service levels and compare them with agreed service levels

Availability management

MCAs shall develop and implement quarterly preventive maintenance plans for IT equipment

MCAs shall develop and maintain manuals on how to operate and maintain systems and equipment

MCAs shall develop a disaster recovery plan for all services including recovering data

IT infrastructure Capacity management

MCAs shall annually evaluate the capacity of IT infrastructure to understand and document the current environment. The ICT Authority shall assist in this evaluation

MCAs shall establish a framework for IT infrastructure improvement

MCAs shall set realistic targets for IT infrastructure improvement, prioritize gaps and propose achievable solutions

Information security management

MCAs shall establish an information security management framework as guided by the information security standard

Architecture management

MCAs shall define enterprise architecture for the MCA aligned to the Kenya Government Enterprise Architecture. The architecture is the blueprint for future development of the technological landscape in the MCA

Supplier management

All ICT suppliers and contractors providing ICT services to Government shall be registered by ICT Authority as per Appendix 28 of the standard

Preference will be given to local suppliers and contractors in the spirit of buy Kenya build Kenya

Volume licenses/ bulk procurement of ICT services/goods shall be negotiated by ICT Authority

IT Service Transition

IT service change management

MCAs shall develop a policy to ensure that any changes to IT enabled services are conducted with minimal disruption to services

IT project management

IT projects shall be conducted as per the project management standards on Annex B.1

Application development

Application acquisition, development and maintenance shall be done as per the standard on systems and applications

Asset and management

MCAs shall develop and update an inventory of all ICT assets. The inventory system shall be automated to show relationships between these assets

Knowledge management

MCAs shall acquire and utilize an IT service management system that shall contain a database of common IT service problems and how to solve them

IT Service operations

Service desk

MCAs shall establish an IT service desk management system to handle all requests from end users

The service desk shall have 1st, 2nd and 3rd level support

The service desk shall develop and document standard operation procedures for IT services

IT operations control

MCAs shall designate staff to manage the day to day operational activities in IT, e.g. backup, routine maintenance, print and output management, installations, to ensure they are done in a reliable and timely manner

IT Continuous service improvement

Service and process performance review

MCAs shall conduct annual performance reviews of IT processes and IT enabled services and develop a report. The review shall include suggestions for improvement. MCAs may seek assistance from ICT Authority

MCAs shall conduct benchmarking with the aim of identifying shortcomings and developing plans for improvement

MCAs shall in collaboration with ICT Authority, conduct regular system audits for all systems to ensure compliance with ICTA security standard (ICTA 3.001:2016). For outsourced systems, the audit on Appendix 31 shall be done.

Annex B: IT Project Management

Subject Requirement

Project Governance

MCAs shall ensure that governance of all ICT projects complies with the governance structures as per Appendix 7 and Appendix 30

The project shall be implemented based on an agreed project methodology

Project initiation

The project shall have an objective and documented business case/ project proposal

The proposal shall define expected benefits/outputs and outcomes

The project shall have appropriate approval

Project planning

The project shall have a project management plan with activity schedules

The project shall have risk management and communication plan

The project shall have an implementation, testing and training strategy

The Project shall have a stakeholder management plan

Analysis and design

The project shall have user requirements

The project shall have user systems and technical specifications

The project shall have system acceptance test plan

Project Building and testing

There shall be a development and test environment

There shall be operational and training procedures

There shall be detailed test plans

Project Implementation

There shall be a system installation and migration plan

There shall be a data conversion plan

There shall be a training and contingency plan

Completion

There shall be a post implementation review report

There shall be a documented system support group

There shall be project closure sign off

Annex C: Legal and Regulatory

Subject Requirements

Kenya laws on ICT

MCA shall identify the specific regulations affecting IT in their organizations and respond accordingly. The Kenya laws on ICT include:

i. Data and privacy protection Bill- Information security, E-records management

ii. Intellectual Property, Trademarks and Copyright act- End user devices standard, Systems and applications, cloud computing, information security

iii. Kenya Electronic Communication act 2012- E- records management, Systems and applications

iv. NEMA guidelines on E-waste- End user devices standard

v. Cyber security legislations- Information security

vi. Critical infrastructure legislations- Infrastructure standards

vii. PPOA- End user devices standard, cloud computing, systems and applications, infrastructure

viii. Government contracts act- IT governance, Information security, Systems and applications, Cloud computing

ix. Constitution of Kenya

x. Cyber crime and computer related crimes bill- Information security, systems and applications

xi. Information privacy laws- Information security, Cloud computing

xii. Public officers ethics act- End user devices standard, IT governance, Systems and applications

xiii. Government proceedings act- End user devices, information security, cloud computing

xiv. Official secrets act- Information security

xv. Public archives and documentation service act- E-records management

xvi. Employment and employee liability- End user devices standard, Information security, Systems and applications

xvii. Evidence act- E-records management

xviii. Records disposal act- E-records management

xix. Physical planning act- Network Standard

xx. Occupiers liability act- Network standard

xxi. Occupational safety and health act- E-records management

Roles and responsibilities

IT in MCAs shall seek advice from HR, Legal, and Audit, and if necessary whenever legal contracts are challenging, risky or complex.

External advice shall also be sought as per Appendix 22.

MCAs shall build in the need for third party testing (ICT Authority) as required.

Annex D: Performance management

To support IT Governance the following top fifteen areas shall be measured by MCAs.

Area of measurement Requirement

IT service management

Business & IT alignment

Overall financial performance (costs v. budgets)

Performance with respect to reliability and availability of critical services

Complaints (QOS) and customer perception

Number of significant reactive fixes to errors

SLA performance by third parties

Relationships with suppliers (quality & value)

Capability e.g. process maturity

Internal and external benchmarks

Business continuity status

Project management

Major project delivery performance (objectives, time and budget)

ROI for IT investments (business benefit)

Risk management

Status of critical risks

Audit weaknesses

Resource management

Human Resource measures for people involved in IT activities

Annex E: Risk management

To support IT Governance, MCAs shall ensure that new risks are identified in a timely manner and handled by doing the following.

Subject Requirement

Define a framework

MCAs shall ensure the following staff are trained in risk management in their specific areas (e.g. CobiT, ISO17799, ITIL, ISO9000, PMBOK and Prince2):

• IT Auditors
• IT Project Managers
• IT Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers

MCAs shall conduct benchmarking to compare how risk management is being addressed within the organization in relation to best practice, industry peer groups and other organizations.

Identify risks

MCA shall ensure that new risks are identified in a timely manner and provide advice

The following risks shall be identified

• Business specific risk (e.g. Operational risk of mandate not being delivered)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer request system)

Identify probable risk owners

Auditors shall provide initial momentum by highlighting to senior management inadequate risk management practices or specific risks that are not being adequately addressed

Responsibility shall be allocated at a senior level for managing key risks

Every risk shall have an owner; there may be separate owners for the actions to mitigate the risks. Anyone allocated ownership shall have the authority to take on the responsibility and they shall be aware that they are the designated owner

MCAs shall adopt a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility

Evaluate the risks

MCAs shall set acceptable levels of risk

MCAs shall develop a risk register. The risk register shall have a prioritized list of risks which must be subsequently addressed.

Identify suitable response to risk

Dependent on the type of risk and its significance to the business, management and the board may choose to:

• Mitigate, by implementing controls
• Transfer, by sharing risk
• Accept, by formally acknowledging that the risk exists and monitoring it

Annex F: IT Resource management

To support IT Governance, MCAs shall establish structures to manage IT resources

Subject Requirements

Accreditation of IT professionals

All IT professionals in the public service shall be accredited by ICT Authority as per requirements on Appendix 29

Management of ICT services

The MCAs shall have an ICT department

The ICT department shall have a Chief Information officer (CIO)

The ICT function shall report to the CEO of the institution

The ICT function shall utilize ICT standards to ensure optimal IT resource and service management

Capacity building

MCAs shall have an IT staff establishment and scheme of service which shall be fulfilled

The IT establishment shall cover all the relevant IT technical categories, i.e. basic support, network, systems and database administration, IT service management, IT project management, web administrators, information security officers and other contextual IT roles

Effective recruitment, retention and training programmes shall be established to ensure that the MCA has the skills to utilise IT effectively to achieve the stated objectives

MCAs shall develop and implement ICT training policy in line with ICT human resource development standard

The policy shall define required ICT qualifications for different cadres of staff as per the ICT human capacity standard

IT education, training and development needs shall be fully identified and addressed for all staff regularly

IT staff shall be trained on professional courses, ethics and code of conduct outlined in the ICT Human Capacity Development Standard

Tools

ICT personnel shall be issued the relevant software and hardware tools to manage IT resources (e.g. for user support, hardware maintenance, IT service and project management, application development)

Change management

Change management shall be handled as per the information security standard Annex A.4

MCAs shall establish mentorship programs to ensure transfer of knowledge

Innovation

MCAs shall establish a resource centre for IT research and innovation

The resource centre shall manage knowledge through databases and online resources to spur innovation

Appendix 1: Compliance Checklist for IT Service Management

Subject Requirement Compliance

Yes/No Comment

IT Service Strategy

IT strategy management

MCA has an IT function reporting directly to the accounting officer and has an approved ICT strategy?

MCA has an Enterprise Architecture [EA] framework which gives detail of all the IT services and their integrations?

IT is a strategic objective in the overall strategic plan of the MCAs?

The strategy has an IT vision and mission?

The strategy defines how the MCA plans to improve internal services, services to business and citizens?

The strategy was developed with input from internal and external stakeholders?

The strategy includes a SWOT assessment?

The strategy defines specific tasks and responsibilities for achieving service improvement?

Service portfolio management

MCA has a service charter for IT enabled services?

The charter defines the desired outcomes of the services?

The charter defines the assets required to offer the services?

MCA annually reviews the usage volume of the IT enabled services and customer satisfaction and ensures they are viable?

Financial management for IT services

The MCA allocates funds for ICT activities through the annual budget? The ratio of ICT to institutional budget is 5%?

The budget is linked to the ICT strategy?

The budget is allocated for development and recurrent purposes?

The development budget covers WAN, LAN, acquisition of end user devices, software acquisition and ICT training?

The recurrent budget covers ICT infrastructure maintenance and servicing?

Business Relationship Management

MCA conducts and documents customer satisfaction surveys on IT enabled services annually for internal and external customers?

MCA has a system to track customer complaints, compliments and resolution?

MCA conducts training and awareness programs annually to sensitize internal and external customers on IT enabled services?

IT Service Design

Service level management

MCA has developed and signed service level agreements (SLAs) with service providers (internet, systems support, maintenance, etc.) to ensure availability and reliability of IT enabled services?

The SLA defines service level targets?

MCA monitors achievement of service levels and compares them with agreed service level targets in the SLA?

SLA has accountability mechanisms for failure to meet service levels?

MCA monitors and reports on achievement of service levels and compares them with agreed service levels?

Availability management

MCA has developed and implemented quarterly preventive maintenance plans for IT equipment?

MCA has developed and maintained manuals on how to operate and maintain systems and equipment?

MCA has developed a disaster recovery plan for all services including recovering data?

IT infrastructure Capacity management

MCA annually evaluates the capacity of IT infrastructure to understand and document the current environment

MCA has set realistic targets for IT infrastructure improvement, prioritized gaps and proposed achievable solutions

Information security management

MCA has established an information security management framework as guided by the information security standard

Architecture management

MCA has defined enterprise architecture aligned to the Kenya Government Enterprise Architecture

Supplier management

All ICT suppliers and contractors providing ICT services to Government shall be registered by ICT Authority as per Appendix 28 of the standard

Preference will be given to local suppliers and contractors in the spirit of buy Kenya build Kenya

Volume licenses / bulk procurement of ICT services shall be negotiated by ICT Authority

IT Service Transition

IT service change management

MCA has developed a policy to ensure that any changes to IT enabled services are conducted with minimal disruption to services

IT project management

IT projects are conducted as per the project management standards on Annex B.1

Application development

Application acquisition, development and maintenance is done as per the standard on systems and applications?

Asset and management

MCA has developed and updated an inventory of all ICT assets? The inventory system is automated to show relationships between these assets?

Knowledge management

MCA has acquired and utilized an IT service management system that contains a database of common IT service problems and how to solve them?

IT Service operations

Service desk

MCA has established an IT service desk management system to handle all requests from end users?

The service desk has 1st, 2nd and 3rd level support?

The service desk has developed and documented standard operation procedures for IT services?

IT operations control

MCA has designated staff to manage the day to day operational activities in IT, e.g. backup, routine maintenance, print and output management, installations, to ensure they are done in a reliable and timely manner?

IT Continuous service improvement

Service and process performance review

MCA has conducted annual performance reviews of IT processes and IT enabled services and developed a report. The review includes suggestions for improvement?

MCA has conducted benchmarking with the aim of identifying shortcomings and developing plans for improvement?

MCA conducts regular system audits to ensure compliance with security standards and regulatory requirements

Appendix 2: Compliance Checklist for IT Project Management

Subject Requirement Compliance

Yes/No Comments

Project Governance

The Project governance structure complies with Appendix 7 and Appendix 30 of the standard.

The project has an implementation methodology

Project initiation

The new project has an objective and documented business case/ project proposal?

The proposal defines expected benefits/outputs and outcomes?

The project has appropriate approval?

Project planning

The project has a project management plan with activity schedules?

The project has a risk management and communication plan?

The project has an implementation, testing and training strategy?

The Project has a stakeholder management plan?

Analysis and design

The project has user requirements?

The project has user systems and technical specifications?

The project has system acceptance test plan?

Project Building and testing

There is a development and test environment?

There are operational and training procedures?

There are detailed test plans?

Project Implementation

There is a system installation and migration plan?

There is a data conversion plan?

There is a training and contingency plan?

Completion

There is a post implementation review report?

There is a documented system support group?

There is project closure sign off

Appendix 3: Compliance Checklist for IT Legal and regulatory

Subject Requirements Compliance

Yes/No Comments

Kenya laws on ICT

MCA has identified the specific regulations affecting IT in their organizations and sensitized personnel. The Kenya laws on ICT include:

i. Data and privacy protection Bill- Information security, E-records management

ii. Intellectual Property, Trademarks and Copyright act- End user devices standard, Systems and applications, cloud computing, information security

iii. Kenya Electronic Communication act 2012- E- records management, Systems and applications

iv. NEMA guidelines on E-waste- End user devices standard

v. Cyber security bill- Information security

vi. Critical infrastructure bill- Infrastructure standards

vii. PPOA- End user devices standard, cloud computing, systems and applications, infrastructure

viii. Government contracts act- IT governance, Information security, Systems and applications, Cloud computing

ix. Constitution of Kenya

x. Cyber crime and computer related crimes bill- Information security, systems and applications

xi. Information privacy laws- Information security, Cloud computing

xiii. Public officers ethics act- End user devices standard, IT governance, Systems and applications

xiv. Government proceedings act- End user devices, information security, cloud computing

xv. Official secrets act- Information security

xvi. Public archives and documentation service act- E-records management

xvii. Employment and employee liability- End user devices standard, Information security, Systems and applications

xviii. Evidence act- E-records management

xix. Records disposal act- E-records management

xx. Physical planning act- Network Standard

xxi. Occupiers liability act- Network standard

xxii. Occupational safety and health act- E-records management

Roles and responsibilities

IT in MCAs seeks advice from HR, Legal, and Audit, and if necessary whenever legal contracts are challenging, risky or complex?

MCAs have built in the need for third party testing (ICT Authority) as required?

Appendix 4: Compliance Checklist for Performance management

Do you agree with the following statements?

Area of measurement

Requirement Compliance

Yes/No Comments

IT service management

Business & IT are aligned?

Costs are within budget?

Critical services are reliable and available?

Customers are satisfied with the quality of services?

Number of significant reactive fixes to IT errors are down?

Third parties adhere to SLAs

There is quality and value in relationships with suppliers

IT process capabilities are mature?

Internal and external benchmarks are done?

Business continuity status is optimal?

Project management

Projects are delivered within objectives, time and budget?

There is ROI for IT investments (business benefit)?

MCA has established Project Steering Committee as per standard?

MCA appoints Project Technical Team to run IT Projects?

Risk management

Critical risks are resolved?

Audit weaknesses are minimized?

Resource management

HR appraisal for people involved in IT activities is positive?

Appendix 5: Compliance checklist for Risk management

To support IT Governance, MCAs shall ensure that new risks are identified in a timely manner and handled by doing the following.

Subject Requirement Compliance

Yes/No Comments

Define a framework

MCA has ensured the following staff are trained in risk management in their specific areas (e.g. CobiT, ISO17799, ITIL, ISO9000, PMBOK and Prince 2):

• IT Auditors
• IT Project Managers
• IT Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers

MCAs shall conduct benchmarking to compare how risk management is being addressed within the organization in relation to best practice, industry peer groups and other organizations.

Identify risks

MCA has ensured that new risks are identified in a timely manner?

The following risks are identified

• Business specific risk (e.g. Operational risk of mandate not being delivered)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer request system)

Identify probable risk owners

Auditors provide initial momentum by highlighting to senior management inadequate risk management practices or specific risks that are not being adequately addressed?

Responsibility is allocated at a senior level for managing key risks?

Every risk has an owner?

MCA has adopted a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility?

Evaluate the risks

MCA has set acceptable levels of risk

MCA has developed a risk register. The risk register has a prioritized list of risks which must be subsequently addressed?

Identify suitable response to risk

MCA has implemented suitable response to risks

Appendix 6: Compliance Checklist for IT Resource management

Subject Requirements Compliance

Yes/No Comment

Accreditation of IT professionals

IT staff are accredited by ICT Authority as per the standard?

Management of ICT services

The MCA IT function reports to the Accounting Officer?

The ICT department has a Chief Information officer (CIO)?

The Chief Information Officer (CIO) reports to the CEO of the institution?

The CIO has implemented ICTA standards to ensure optimal IT resource and service management?

Capacity building

MCA has an IT staff establishment and scheme of service which is fulfilled?

The IT establishment covers all the relevant IT technical categories, i.e. basic support, network, systems and database administration, IT service management, IT project management, web administrators, information security officers and other contextual IT roles?

Effective recruitment, retention and training programmes have been established to ensure that the MCA has the skills to utilise IT effectively to achieve the stated objectives?

MCA has developed and implemented ICT training policy in line with ICT human resource development standard?

The policy defines required ICT qualifications for different cadres of staff as per the ICT human capacity standard?

IT education, training and development needs are fully identified and addressed for all staff regularly?

IT staff are trained on professional courses, ethics and code of conduct outlined in the ICT Human Capacity Development Standard?

Tools

ICT personnel are issued the relevant software and hardware tools to manage IT resources (e.g. for user support, hardware maintenance, IT service and project management, application development)?

Change management

Change management is handled as per the information security standard Annex A.4?

MCA has established mentorship programs to ensure transfer of knowledge?

Innovation

MCA has established a resource centre for IT research and innovation

The resource centre manages knowledge through databases and online resources to spur innovation?


Appendix 7: GoK Project Management Governance Structure

Source: ICT master plan

Appendix 8: Sample Project governance roles

Project Role Accountabilities, responsibilities and tasks

Corporate Client - Has ultimate authority in large, complex or politically driven projects.

- Is the champion of the project, promotes the benefits of the project to the community and may be viewed as the ‘public face’ of the project. For example, the Corporate Client may be the Premier, Minister of the State or Head of Agency.

- May also be the Project Funder.

In a small, less complex project, there would be no Corporate Client, but the Project Sponsor would act as the champion of the project, and fulfil the role of the Project Champion.


Project Sponsor - Ultimately accountable and responsible for the project, and is sometimes referred to as the Project Owner.

- Responsible for attainment of the agreed Project Target Outcomes. The Target Outcomes should be secured before the project is closed formally.

- Member of the Steering Committee, and is usually the Committee Chair. For projects where there is no Steering Committee, the Sponsor assumes responsibility for approving the project scope and all subsequent decision-making.

- Oversight of the business management and project management issues that arise outside the formal business of the Steering Committee.

- Provides support by advocacy at senior levels, and ensures that the necessary resources (both financial and human) are available to the project.

- May also be the Business Owner for the project and can also be the Funder, but it varies within government, depending on the budgetary arrangements and decisions about who will be managing the Outputs after the project closes. In the case of large whole-of-government projects, the project funds may be managed by one Agency on behalf of the government, but there may be several Business Owners.

The Corporate Client and Project Sponsor may be the same person for some projects.

The Project Sponsor must be identified for all projects, no matter what the size or complexity.

Accountable to: Corporate Client (where applicable)

Steering Committee - Responsible and accountable for policy and resourcing decisions essential to delivery of project Outputs and the attainment of the project’s Target Outcomes.

- Accountable to the Corporate Client and/or Sponsor for providing the Project Manager and Team with effective management and guidance in the development of the project Outputs and implementation of required organisational change, in order to attain the project’s Outcomes.

- Responsible for ensuring appropriate management of the project components outlined in the endorsed Project Business Plan, which usually includes approving the initial Project Proposal or Business Case and then the Project Business Plan.

- Responsible for assessing, approving or rejecting changes to the scope as documented in the Project Business Plan as the project progresses.

- Responsible for monitoring progress (not just activity) and scrutinising the project’s budget.

- Ultimately accountable for ensuring appropriate risk management processes are applied, which may include responsibility for undertaking specific risk management activities.

- Must also consider how (or if) the project’s objective(s), Outcomes, Target Outcomes and longer-term business benefits align with the organisational strategic agenda and direction, and make the hard decisions to re-scope or terminate the project if there is little or no alignment.

- Should develop an agreed Terms of Reference for how the Steering Committee will operate.


The composition of the Steering Committee may change as the project moves through its various phases or stages, to ensure the best expertise and experience are available when required.

Not all projects require a Steering Committee. The need for a Steering Committee is dependent on the complexity and nature of the project and is determined by the Corporate Client and/or Project Sponsor.

Accountable to: Corporate Client (where applicable) or Project Sponsor

(Refer to Appendix 3 Steering Not Rowing: A Charter for Project Steering Committees and Their Members.)

Business Owner(s) - Responsible for managing the project Outputs for utilisation by the Project Customers.

- Responsible for ongoing maintenance (including costs) of the project Outputs after the project closes.

- Accountable to the Project Sponsor and/or Corporate Client (or their delegate(s)) following formal project closure for the achievement of and reporting against the project’s Target Outcomes and realisation of the longer term business benefits.

- Must be satisfied that the project’s Outcomes (including Target Outcomes) and longer term business benefits are meaningful in the context of the Business Unit’s operational environment and forward strategic agenda.

- Contracted by the Project Sponsor and/or Steering Committee to implement the change management described in the Outcome Realisation Plan, and thereby achieve the project’s Outcomes, Target Outcomes and realise the business benefits.

- May be required to contribute resources to the project to ensure the change management described in the Outcome Realisation Plan is implemented effectively.

- ‘Owns’ the Project Outcome Realisation Plan, although the Project Manager may assist in its development.

- Must be satisfied that the project scope includes all of the Outputs necessary for the realisation of the project’s Target Outcomes and agreed business benefits.

- May be required to contribute resources to the project to ensure that the Outputs are developed satisfactorily and ‘fit for purpose’.

- Responsible after project closure for ensuring the project’s Target Outcomes and agreed longer term business benefits are used to revise the Business Unit’s relevant performance measures. Agency or Divisional Corporate or Annual Business Plans should be updated appropriately. Reporting lines and requirements may also need to be updated post-project.

- Responsible after project closure for ongoing ownership and maintenance of the project Outputs, which may require revised budget forecasts to accommodate maintenance costs and staffing implications.

Project Customers - The person or entities that will utilise the project Outputs to undertake their own activity, and therefore unconsciously generate the project Outcomes and business benefits as a by-product of this utilisation. For example, the Tasmanian public, who transacts business with Service Tasmania, would have been classed as Project Customers when the entity was set up. Project Customers are sometimes described as Beneficiaries.


Project Observer - May be a role in a large, complex or politically driven project, possibly involving whole-of-government or more than one Agency where potential learnings through observation of project processes are possible.

- Usually present at Steering Committee meetings or Project Team meetings to act as an information channel to the Agency/organisation they are representing.

- The Observer’s Agency may not necessarily be represented on the Steering Committee if they are not Business Owners.

- Cannot participate in decision-making while attending meetings.

- May raise issues for discussion on the understanding that those issues may or may not be addressed or resolved as part of the meetings. The issues may be considered outside of the formal meeting structure.

- Accountable to the Agency they are representing. If issues arise that may have implications for the Agency/organisation, they have a responsibility to report these issues back to their Agency/organisation. The Agency/organisation may then wish to raise these issues formally with the Project Sponsor.

Please note: The Project Sponsor and/or Steering Committee Chair should agree to the role of the Project Observer before that role is implemented.

Quality Consultants - Work independently of the Project Team.

- Often contracted from outside the Agency/organisation.

- May be contracted to undertake formal Quality Review of the project as a whole in terms of structure, processes and progress toward Outputs.

- May be contracted to undertake formal Quality Review of the quality of products or services (Outputs) being produced within a project in a technical field (eg law, IT, construction).

(Refer to Appendix 4 A Charter for Project Management Quality Advisory Consultants and Appendix 5 A Charter for Project Management Quality Review Consultants.)

Accountable to: Project Sponsor and/or Steering Committee

Project Director - Usually created to manage a large, complex or politically sensitive project or program of projects in partnership with one or several Project Manager(s).

- Responsible for the implementation of the Project/Program Business Plan following its approval by the Steering Committee.

- Directs and monitors project/program activity through quality management, detailed plans and schedules, and reports progress to the Steering Committee.

- Provides expert and authoritative advice to various Ministers, Heads of Agency and senior representatives of the public and private sectors and key community stakeholders on a wide range of sensitive issues associated with the project/program.

- Provides highest-level leadership by articulating the project/program vision, and negotiating and defining objectives and developing and nurturing highest-level relationships with stakeholders and end users, to facilitate the effective delivery of a major government initiative.

Accountable to: Project Sponsor and/or Steering Committee


Project Manager - Contracted by the Project Sponsor and/or Steering Committee to deliver the defined project Outputs as articulated in the approved Project Business Plan.

- Works in partnership with and reports to the Project Director to implement the Project Business Plan.

- Responsible for engaging the Project Sponsor, Business Owner(s) and/or Steering Committee in order to clarify the project Objectives, Outcomes, Target Outcomes, required Outputs and stakeholders within agreed time, cost and quality parameters.

- Develops and maintains the Project Business Plan, Project Work/Execution and Implementation Plan(s) and related schedules.

- Responsible for organising the project into one or more sub-projects, managing the day-to-day aspects of the project, resolving planning and implementation issues, and monitoring progress and budget.

- Reports to the Project Sponsor and/or Steering Committee at regular intervals.

- Manages (client/provider/stakeholder) expectations through formal specification and agreement of the project objective(s), Outcomes, Target Outcomes, Outputs, quality requirements, resources required, budget, schedule, project structure, roles and responsibilities.

- Requires demonstrated high-level project management skills. A Project Manager cannot lead effectively unless they have credibility. For most projects, it means the Project Manager must have knowledge of how the Outputs will be created, and how the Target Outcomes will be realised from the utilisation of those Outputs as described in the Outcome Realisation Plan.

The Project Manager must be identified for all projects, no matter what the size or complexity.

Accountable to: Project Director (where applicable), Project Sponsor and/or Steering Committee

Project Team - Led by the Project Manager or Project Team Leader.

- Responsible for completing tasks and activities required for delivery of the project Outputs, as outlined in the Project Business Plan and elaborated in the Project Execution and/or Implementation Plan(s).

- Usually includes representatives from the Business Unit(s) impacted by the project.

- Must include the requisite skills for each phase of a project to ensure success. The skills should be explicitly identified as a part of the project planning process.

The composition of the Team may change as the project moves through its various phases.

Accountable to: Project Manager and/or Project Team Leader.

Project Team Leader - Usually appointed in large and/or complex projects to work under the direction of the Project Manager.

- May be a representative of a Business Unit impacted by the project.

- Responsible for completing the required tasks and activities as defined in the Project Execution and/or Implementation Plan(s) for delivering the project Output(s).

Accountable to: Project Manager


Project Officer - Responsible for completing tasks and activities required for delivering project Outputs, as determined by the Project Manager or Project Team Leader.

- Most common responsibilities are related to project coordination (eg administration, including development and/or maintenance of project documentation, assisting with status reporting and follow-up), stakeholder liaison (eg secretarial support to the project reference group or project communications) and general administrative support activities (eg scheduling and meeting preparations).

- May also be directly involved in the development and quality assurance of specific Outputs.

Accountable to: Project Manager or Project Team Leader

Reference Groups - Provide forums to achieve consensus among groups of stakeholders.

- Do not do the work of Output production, but may ratify/endorse Output quality on behalf of the stakeholders they represent.

- The group may already exist, have an indefinite life span or may continue for the life of the project.

- May be a general reference group delegated by the Steering Committee to monitor or modify the Project Business Plan for approval by the Steering Committee.

- May consist of a collection of people with like skills to address a particular set of issues.

- May report to the Steering Committee or Project Manager, depending on who has appointed them and what they are requested to achieve.

- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.

Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)

Advisory Groups - Forums of stakeholders, usually experts, to provide specific advice or technical expertise to the project.

- Do not do the work of Output production, but may advise the Project Manager on Output quality (‘fitness-for-purpose’) on behalf of the stakeholders they represent.

- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.

- Able to advise the project of any emerging issues from a stakeholder perspective.

- Members may also be willing to play an ongoing role in Output maintenance after the project has closed, to ensure the Outputs remain relevant and retain their practical utility.

- May report to the Steering Committee or Project Manager, depending on who has appointed them and what they are requested to achieve.

- The group may already exist, have an indefinite life span or may continue for the life of the project. An information technology advisory group is an example.

Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)


Working Groups - Small specialist work groups, each dedicated to producing a well-defined Output within a specific timeframe, appointed by the Project Manager.

- Report directly to the Project Manager. May also report to the Reference/Advisory Group on Output development progress.

- Membership may be drawn from Reference or Advisory Groups, or the Business Unit(s) where Output implementation will occur.

- May have no life beyond the delivery of that Output.

- Probably involve one or more members of a Project Team to support activity.

- Members provide an excellent channel to assist the project communicate information to and from their stakeholder group(s) who may be impacted by, or impact on, the project.

- Members may also be willing to play an ongoing role in Output maintenance after the project has closed, to ensure the Outputs remain relevant and retain their practical utility.

Accountable to: Project Manager or Project Director (where applicable)

Consultants - Are employed from outside the organisation to provide independent, high-level specialist expertise or professional advice unavailable from internal resources, to assist project decision-making.

- Typically Project Consultants may include:

o Information technology specialists who define and manage the technological aspects of the project

o Representatives employed by stakeholders to ensure their interests are represented and managed

o Legal advisers who assist in the development and review of the contractual documentation

o Auditors who ensure compliance with internal and external audit requirements

- May report directly to the Chair of the Steering Committee (or perhaps the Chair of a general Reference Group).

Please note: The Head of Agency or Deputy Secretary (or equivalent) must approve any decision to engage a consultant prior to the Agency undertaking the appropriate procurement process.

Accountable to: Project Sponsor and/or Steering Committee via the Project Manager or Project Director (where applicable)

Contractors - Are employed, external to the business area, to provide a specified service in relation to the development of project Outputs. Examples include developing guides and/or manuals or business application software, developing and delivering marketing programs, and preparing and delivering training to staff in the business area. May be engaged to undertake work as part of the Project Team.


Appendix 9: Project management documentation

PHASE Key documents Other documents Proformas

INITIATE Project Proposal Feasibility Study Report Project Business Case

Business Needs Analysis Project Brief

MANAGE Project Business Plan Project Execution Plan Project Review and Evaluation Report Project Phase Review Report

Risk Management Plan Stakeholder Engagement Plan Organisational Change Management (or Transition) Plan Implementation Plan Project Communication Strategy and Action Plan Marketing Strategy Training Strategy

Project Status Report Project Risk Register Project Issues Register

FINALISE Outcome Realisation Plan Project Closure Report Project Review and Closure Report

Handover Plan Project Output Management Plan

Appendix 10: Project management stages and activities

Key Element INITIATE SET UP MANAGE FINALISE

1. Planning and scoping ✓ ✓ ✓

2. Governance ✓ ✓ ✓ ✓

3. Outcome Realisation ✓ ✓ ✓ ✓

4. Stakeholder engagement ✓ ✓ ✓ ✓

5. Risk management ✓ ✓ ✓ ✓

6. Issues management ✓ ✓ ✓

7. Resource management ✓ ✓ ✓ ✓

8. Quality management ✓ ✓ ✓

9. Status reporting ✓ ✓ ✓

10. Project review and evaluation ✓ ✓ ✓

11. Project closure ✓ ✓


Appendix 11: Project documentation development


Appendix 12: A generic project governance model for larger, more complex projects


Appendix 13: Sample Outcome Realisation data for the Project Business Plan

| Target Outcome | Performance Indicator | Measure | Baseline | Target Level | Target Date | Accountability |
|---|---|---|---|---|---|---|
| The measurable benefits that are sought from undertaking a project (ie what we want to achieve) | A description of the type of change that will indicate performance towards the achievement of the Target Outcomes | The actual mechanism for measuring the level of the performance indicator | The current level of the performance indicator as at [date] | The targeted level of performance (ie how success is defined) | The date by when the target levels are to be achieved | Who is accountable for the achievement of the targeted outcomes and reports on the progress towards the target? |

Appendix 14: Stakeholder engagement process


Appendix 15: Stakeholder engagement process

Verbal

• Presentations/briefing sessions (one-to-one, one-to-many)
• Telephone (one-to-one)/Teleconferences (one-to-many)
• Forums
• Networking facilitation
• Staff meetings
• Seminars/workshops
• Community meetings
• Launches
• Specific events
• Social gatherings
• Visitation programs
• Radio/television

Electronic

• Personal email to identified stakeholders (one to one, one to many)
• Broadcast email (one to many)
• Internet/intranet including online forums, fact sheets, newsletter, Sharepoint – web sharing of ongoing project planning with internal and/or external stakeholders
• SMS messaging
• Weblog
• Facebook, MySpace, YouTube
• Twitter
• RSS Feed
• CD-ROM/DVDs
• Fax stream, faxback

Written

• Mailouts of important documentation (letter, memorandum, factsheet, FAQs)
• Newsletter
• Advertising – newspaper, magazine, web
• Pamphlets and brochures (consider shelf life issues)
• Information in agency newsletters etc
• Media release
• Ministerial
• Request for Tender (RFT)
• Contract
• Project planning documentation

Visual

• Display – workplace, conference
• Transport advertising
• ‘Roadshow’
• ‘Parody’ presentation – play, puppet show
• 3D presentation


Appendix 16: Elements of the risk management process


Appendix 17: Risk matrix for grading risks

| Likelihood \ Seriousness | Low (Insignificant adverse impact, note only) | Medium (Reasonable adverse impact, needs monitoring) | High (Will have significant adverse impact) | Extreme |
|---|---|---|---|---|
| Low (Unlikely to occur during project) | N | D | C | Extreme |
| Medium (May occur at some stage in project) | D | C | B | Extreme |
| High (Probably will occur during project) | C | B | A | Extreme |

Appendix 18: Recommended actions for grades of risk

| Grade | Risk Mitigation Actions | Who |
|---|---|---|
| A & Extreme | Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritised for implementation before the project commences or immediately as they arise during project execution. | Project Steering Committee and/or Project Sponsor |
| B | Mitigation actions to reduce the likelihood and seriousness to be identified, costed and prioritised. Appropriate actions implemented during project execution. | Project Steering Committee and/or Project Manager |
| C | Mitigation actions to reduce the likelihood and seriousness to be identified and costed for possible action if funds permit. | Project Manager |
| D & N | To be noted; no action is needed unless grading increases over time. | Project Manager |


Appendix 19: Issue management flowchart


Appendix 20: Example of a Project Issues Register

| Issue Number | Description | Raised By | Date | Priority | Responsible Officer | Actions & Progress Notes | Status | Date Resolved |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Lack of agency representation on Project Working Group | Working Group | 1/09/08 | High | Jane | Letter of invitation from Project Sponsor (ie Director) to agencies which are not represented | Open | |
| 2.1 | Lack of registrants for next forum | Project Manager | 1/11/08 | High | Senior Project Officer | Send out reminder via email to the project management community of practice. | Open | |
| 1.3 | How to show links between PM documents | Project Team member | 10/09/08 | Medium | Senior Project Officer | Matrix to be developed and published | Closed | 30/11/08 |


Appendix 21: Project closure


Appendix 22: Sample Service Management structure (ITIL) for Small organizations


Appendix 23: Sample Service Management structure (ITIL) for Large organizations

Appendix 24: Service desk 1st level, 2nd level and 3rd level support definitions

GENERAL DEFINITIONS

First Level Support
• Dedicated and managed Support area/telephone access
• Routine call and incident taking, logging and classification
• Initial fast resolutions to Routine Incidents – e.g. password resets
• Short term support to keep lines open and provide access to IT
• Calls within target guidelines before escalation – e.g. 5 - 10 minutes
• Generally at least 40% - 50% of calls resolved

Second Level Support
• Dedicated and managed Support area
• Longer resolution Incidents – e.g. more than 5-10 minutes
• Incidents that require greater technical knowledge or system access
• Fast Response and Target resolution times – support is highest priority
• Task to build Knowledgebase to ensure future response in Incident Management/1st Level
• Involvement in the technical analysis and resolution of underlying Problems
• Generally 40% - 50% of calls resolved

Third Level Support
• Long Term Problem resolution
• Incidents/Problems that require high level of technical knowledge or system access
• Task to build Knowledgebase to ensure future response in Incident Management/1st or 2nd Level
• Generally less than 10% of calls handled

APPENDIX 25: SAMPLE ICT STRATEGY FORMAT

Note: All Strategic plan proposals should be accompanied by a ‘Table of Contents’ and should be in the order depicted below.

Executive Summary

Give a brief outline of the (Org/Dept).

Environmental Analysis

Internal Environment

[Internal Assessment: Organizational assets, resources, people, culture, systems, partnerships, suppliers, etc]

External Environment

[External Assessment: Marketplace, competitors, social trends, technology, regulatory environment, economic cycles, etc]

Tools for comparison analysis

[It involves specifying the objective of the institution or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective.]

Examples:

SWOT Analysis; Six Forces Model; VRIO; PEST analysis; Porter’s Four Corners Model

Benchmarking

[Benchmarking is the process of comparing one’s business processes and performance metrics to industry bests and/or to those from other industries. Dimensions typically measured are quality, time, and cost. Improvements from learning mean doing things better, faster, and cheaper.

Benchmarking involves management identifying the best institutions in their industry, or any other industry where similar processes exist, and comparing the results and processes of those studied (the “targets”) to one’s own results and processes to learn how well the targets perform and, more importantly, how they do it.]

Best practices

[A best practice is a technique, method, process, activity, incentive, or reward that is believed to be more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.]

Gap Analysis

[Identify the gap between the optimized allocation and integration of the inputs, and the current level of allocation. This helps provide the institution with insight into areas which could be improved. The gap analysis process involves determining, ‘where you are now’ and ‘where you want to be’.]

Strategic Plan

The strategic plan should be communicated to all relevant individuals, including stakeholders and sponsors. It should include the following:

Vision

[What the org/dept wants to be; it should be compelling, vivid and concise; it challenges everyone to reach for something significant and inspires a compelling future; it is time bound. An organization’s Vision sets out its aspirations for the future. The Vision is the ‘dream’ of the future, a picture painted in words, which is intended to inspire people by appealing to the heart as well as the head.]

Mission

[Our purpose of existence; it should be brief and to the point; it provides context for major decisions and is capable of infinite fulfillment; it is not time bound.]

MISSION Formulation

Answer each of these questions.

What services and/or products will the organization/department offer?

Who are the people who may use or benefit from these services or products?

What are the reasons for the organization/ department?

Why will the organization/ department exist?

Now combine all the answers into one statement of purpose.

Values

[Values will guide every major decision making; it embodies the spirit of the org/ dept; revisit Vision and Mission statement.]

Strategic Objectives

List specific actionable results needed to support the vision and the mission. Use the mnemonic SMART/ER:

S Specific
M Measurable
A Attainable
R Relevant
T Time bound
And
E Evaluate
R Reevaluate

Initiatives

[These are actions that will lead to achievement of your objectives, often taking the form of projects or programs]

Measures (KPI(s)), Timeline and Deliverables

[These are objective, quantifiable methods for measuring success: indicators and monitors of success. They include performance measurement, initiatives and projects, and action plans.]

[Each Initiative has a supporting Action Plan(s) attached to it. Action Plans are geared toward operations, procedures, and processes. They describe who does what, when it will be completed, and how the organization knows when steps are completed. Like Initiatives, Action Plans require the monitoring of progress on Objectives, for which measures are needed.]

Quick wins

[These are improvements which are expected to provide a Return on Investment in a short period of time with relatively small cost and effort.]

Organization Structure

[Organizational structure allows the expressed allocation of responsibilities for different functions and processes to different entities such as the department, workgroup and individual. Please provide a diagram]

Resource

Personnel

Finance/ Budget

Facilities/ equipment

Summary (include a 5 by 5 year timeline towards 2030)

APPENDIX 26: Who needs to be involved in Legal contracts

Investors
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance

Providers
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. Business sponsors, Project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/Policy owners e.g. HR, Facilities Management, Legal

Controllers
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/Post project review teams

Legal and regulatory Responsibilities

Investors
• Understand requirements (what regulations are to be complied with)
• Set the mandate
• Set priorities and expectations
• Establish and ensure the expected degree of compliance
• Based on advice concerning risk and cost:
  • Assess impact on business
  • Provide resource and funding to ensure issues are addressed
  • Define who is accountable
• Obtain internal or external assurance as required that issues have been addressed and controls established
• Monitor and evaluate compliance programmes and significant commercial contracts
• Sign off specific compliance programmes
• Provide approvals when required for significant legal or regulatory decisions

Providers
• Advise on IT related technical and commercial risks that could impact legal and regulatory requirements
• Provide proposals and business cases for legal and regulatory programmes, projects or action plans
• Formulate solutions for compliance or commercial contracts
• Identify best practices for ongoing good control of legal and regulatory requirements
• Exploit technology and tools where appropriate for ensuring compliance (e.g. asset registers)
• Execution of compliance and contractual processes, and operation of related controls
• Provide compliance framework to ensure a sustainable “business as usual” approach to compliance
• Provide evidence of compliance
• Provide information relating to the cost of compliance and also cost of any incidents
• Evaluate impact on business environment together with business units
• Ensure vendors, service providers, and subcontractors are involved properly and integrated within the overall compliance approach

Controllers
• Maintain awareness of current and emerging laws, and regulations affecting IT to assess their impact on the organisation’s business
• Develop an understanding of their impact on the organisation and advise accordingly on “what is needed” - not necessarily “how”
• Monitor adequacy of controls and compliance processes
• Monitor the business and IT functions for performance in meeting legal and regulatory requirements and report back to management with advice regarding any shortcomings
• Provide independent assurance to management that adequate controls are in place to deal with legal and regulatory requirements

Appendix 27: Risk management process

Appendix 28: Accreditation of Contractors and Suppliers

A. REGISTRATION

i. An application for registration as a contractor/supplier shall be made in the prescribed form (ICTA/STD/CTR/F001) and shall be accompanied by-

a. Certified copies of certificates and other relevant documents as are necessary to prove qualification for registration;

b. Certified copies of the shareholders’ certificates of the company;

c. in the case of a trust, a copy of trust deed; and

d. Financial statements of the person or firm for the period immediately preceding the application, or proof of existence of a bank account in the name of the systems development company.

ii. ICT Authority may call for further particulars of the person or firm, including but not limited to-

a. certified copies of the identity documents of the principal or principals of the firm;

b. where there are more than twenty principals, certified copies of the identity documents of twenty principals of the firm;

c. in the case of a foreign contractor-

d. proof of current registration status from their country of domicile or origin,

e. Sufficient proof of financial capability of the contractor;

(d) proof of registration with an association of contractors;

iii. proof of employment of qualified persons by the contractor and

iv. in the case of an application relating to specialized software, a certified copy of the current license issued by the relevant statutory regulatory or Authority or organization.

v. If an application in relation to this standard is made electronically, the supporting documents shall be submitted to the Authority by registered mail or by hand delivery.

vi. An application shall not be considered duly completed for purposes of this regulation, unless all documents are received by the Authority.

vii. The Authority shall make a decision on an application by a person or firm within thirty days of receiving such application, including rejection if such person does not fully comply with requirements set by the Authority, and shall inform the applicant accordingly, giving reasons for such rejection.

viii. An application form for registration may be made in English or Kiswahili.

ix. A register of registered contractors shall be kept.

x. A person who qualifies for registration in a specialized area shall be issued with a Certificate of Registration in the specialized area of ICT by the Authority.

xi. A person or firm shall submit an annual application for renewal of the certificate of registration to the Authority in the prescribed form accompanied by the prescribed fee (See schedule B) and the Authority shall process the application in accordance with the provisions of the standard.

xii. A person who is aggrieved by the decision of the Authority in relation to the category of registration may submit a written petition indicating the reasons of such grievance, sufficient to justify review or the assessment by Authority.

xiii. The Authority shall within thirty days of receiving a petition under notify the person of the Authority’s decision on both applications.

xiv. Registration of contractors under ICTA - I (See schedule B) category shall be open to both local and foreign contractors.

xv. Any registrations that fall between ICTA -5 to ICTA -8 as set out in the standard shall be restricted to local contractors only.

xvi. A contractor may make an application for upgrading to the Authority in a form to be prescribed by the Authority accompanied by the prescribed fee, and the Authority shall process the application in accordance with the provisions of the standard.

xvii. Application for renewal of the license shall be submitted to the Authority in writing at least thirty days before the expiry of such license.

xviii. In each year during which a contractor holds a license, the contractor or, in the case of a firm or company, the partner or director who possesses technical qualifications, skills or experience shall attend at least one Continuous Professional Development event recognized by the Authority, and the Authority shall consider the attendances while determining an application to renew or upgrade the Contractor.

xix. During the vetting and verification of contractor’s documents, the Authority / representative may visit the contractor’s premises to ascertain the information provided.

xx. The Authority shall publish a list of contractors with valid licenses on their websites.

SCHEDULE B. CLASSIFICATION OF WORKS

| CATEGORY | POINTS | LOCAL CONTRACTOR REGISTRATION FEE (ksh.) | LOCAL CONTRACTOR ANNUAL FEE (ksh.) | FOREIGN CONTRACTOR REGISTRATION FEE (ksh.) | FOREIGN CONTRACTOR ANNUAL FEE (ksh.) |
|---|---|---|---|---|---|
| ICTA 1 | 81-100 | 10,000 | 5,000 | 100,000 | 20,000 |
| ICTA 2 | 66-80 | 9,000 | 4,000 | 80,000 | 15,000 |
| ICTA 3 | 56-65 | 7,000 | 3,000 | 60,000 | 10,000 |
| ICTA 4 | 46-55 | 6,000 | 2,000 | 50,000 | 5,000 |
| ICTA 5 | 36-45 | 4,000 | 1,000 | | |
| ICTA 6 | 21-35 | 2,000 | 500 | | |
| ICTA 7 | 10-20 | 1,000 | 500 | | |
| ICTA 8 | Below points | 500 | 200 | | |

SCHEDULE C. ENFORCEMENT

i. There shall be payable to the Authority such fees for its services as the Authority may determine from time to time.

ii. The Authority may remove the name of a contractor from the register of contractors if the contractor has been debarred from participating in a procurement process under any legislation or received written complaints from any government agency in regards to the contractors’ performance;

iii. The registration of a contractor shall be suspended after investigations into his conduct have been concluded and it is established that the contractor has engaged in misconduct.

iv. Fails to comply with the provisions in regard to the payment of the fees;

v. The Authority shall conduct an inquiry into the conduct of the contractor before removing the name of the contractor from the register.

SCHEDULE D. Mandatory Requirements for the various Sections

| REFERENCE | PARTICULARS | MAX POINTS | REMARKS |
|---|---|---|---|
| A | Directors Qualification | 15 | Technical Directors [10mks], 5 mks for other directors |
| B | Staff qualification | 25 | Technical staff in specialized area [20mks], other staff [5mks] |
| C | Financial status | 30 | Turnover 12 marks; Largest projects in area of specialization 12 marks; Cash flow 6 marks |
| D | Office and service facilities | 10 | 10 mks for adequate office space |
| E | Firms experience | 20 | Details of development projects undertaken in area of specialization |
| TOTAL | | 100 | |

Appendix 29: Accreditation of IT Professionals

Applicant should be compliant with the ICTA-7.001:2016 standard on ICT capacity development, both ethically and in terms of professional qualifications in the area of expertise. ICT Authority shall issue a certificate of accreditation on compliance with the standard;

Schedule A. Procedure of application for IT Technician

Submit:-

1. A duly filled Registration Application form for IT Technician (ICTA/STD/TECH/F001)

2. Diploma certificate in IT/Engineering related field from accredited institution of learning; or

Diploma certificate in any field from accredited institution of learning with proof of two years’ experience practicing IT;

3. A Copy of the individual PIN Certificate

4. Copy of National ID/Passport.

5. 2 colored passport photos of the applicant.

Fees as per (part D below)

Schedule B. Procedure of application for IT Graduate

Submit:-

6. A duly filled Registration Application form for IT Graduate (ICTA/STD/GRAD/F002)

7. Graduate certificate in IT/Engineering related field from accredited institution of higher learning

8. A Copy of the individual PIN Certificate

9. Copy of National ID/Passport.

10. 2 colored passport photos of the applicant.

11. Fees as per (part D below)

Schedule C. Procedure of application for IT Practitioner:-

Submit:-

1. A duly filled Registration Application form for IT Practitioner (ICTA/STD/PRACT/F003)

2. Graduate Certificate from accredited institution of higher learning

3. Copy of the individual PIN Certificate

4. Proof to show that the applicant has been practicing IT either through employment or private engagement for at least 2 years.

5. Copy of National ID/Passport

6. 2 colored passport photos of the applicant.

7. Fees as per (part D below)

Schedule C: Procedure of application for accreditation as an IT Professional

Submit:-

1. A duly filled Registration Application form for IT Professional (ICTA/STD/PROF/F004)

2. A Copy of the Registration Certificate for either IT Graduate/Practitioner from ICTA.

3. A Copy of the individual PIN Certificate

4. Professional Certificate in the specific area from accredited institution by ICTA/government body

5. Letters of reference from employer(s) covering the previous two years confirming professional integrity

6. Statements of two referees detailing their knowledge of the applicant.

7. Fees as per (part D below)

Schedule D. SCHEDULE OF FEE PAYMENTS

| | Thematic | REGISTRATION FEE (ksh.) | ANNUAL FEE (ksh.) |
|---|---|---|---|
| 1 | IT TECHNICIAN | 600 | 500 |
| 2 | IT GRADUATE | 1000 | 1,000 |
| 3 | IT PRACTITIONER | 2000 | 1,000 |
| 4 | IT PROFESSIONAL | 5000 | 3,000 |

Appendix 30: Government ICT Project Governance Structures

A. National ICT Project Governance Structures

Name of Commit.: 1 The ICT Oversight Committee

Membership:

1. His Excellency the President – Chair

Members: Cabinet Secretary-;
• Ministry of Land Housing & Urban Development
• Ministry of interior and Coordination
• Ministry of Education Science and Technology
• Ministry of ICT
• Ministry of Devolution and Planning
• Ministry of National Treasury

Chief Executive Officer, ICT Authority - Secretary

Terms of Reference:

1. Review and approve projects for initiation

2. To provide oversight of flagship ICT Projects

3. To receive and consider reports from inter-ministerial Steering Project Committee

4. To resolve inter-ministerial Project challenges.

Appointing Authority: H.E. The President

Meeting: Bi-annual

Name of Commit.: 2. Inter-Ministerial Project Steering Committee

Membership:

Principal Secretary Ministry of ICT – Chair

Members: Permanent Secretary -;
• Ministry of Lands, Housing and Urban development
• The National Treasury
• Ministry of interior and Coordination
• Ministry of Education Science & Technology
• Ministry of Devolution and Planning

Chief Executive officer, ICTA – Secretary

Terms of Reference:

1. Champion Implementation of Key Projects

2. Monitor and evaluate Projects and take necessary action for the success of the project.

3. Prepare and report Projects status to oversight Committee

4. Resolve inter-ministerial Project challenges.

5. Receive and review quarterly reports from Project Implementation and Monitoring Committee.

6. Co-opt the ministry that owns the key project(s)

Appointing Authority: H.E. The President

Meetings: Quarterly

B: Ministries, Agencies and Counties

1.0 Project Implementation and Monitoring/Steering Committee

Role Person Terms of Reference

Project champion (Chair)

A top-ranking officer from the organ

Ps for Ministry and CEO for Agencies

1. Initiate projects within Ministries, Agencies & Counties

2. Review and approve project concepts and implementation plans

3. Resolve project challenges to ensure smooth implementation

4. Review and approve project budget

5. Monitor and evaluate projects at implementation stage

6. Prepare and present quarterly progress report to inter-ministerial project Steering committee

7. Appoints Project implementing team[s]

8. Co-opt stakeholder’s representatives or other members

Meetings: Regularly

Appointing Authority: Cabinet Secretary/Governor/CEO appropriately

Project owner The user of the system

Chair of Technical committee

This is the person who is responsible for the implementation of the system.

[Head of ICT]

Project Management Office

Project Manager ICT Authority

2.0 Project Technical Committee

| Role | Person |
|---|---|
| Project owner and Chair | The user of the system |
| Project manager (Secretary) | The person who is responsible for the execution of the project |
| Beneficiaries representative | Stakeholder’s representative(s) |
| PMO Liaison officer | An officer from the ICTA PMO |
| Consultant / Systems integrator | Representative(s) of any third party who is involved in the development of the project |
| Standard Liaison officer | A Standard officer from ICTA |
| Technical liaison | Selected technical expert(s) in line with the technical requirements of the project |

APPENDIX 31: AUDIT FOR OUTSOURCED APPLICATIONS

SYSTEM LIFECYCLE STAGE / AUDIT AREAS

Project Initiation

Quality Product:
- Appropriate stakeholders are involved.
- Project champion represents the key stakeholders.
- Project is consistent with the organization’s strategic plans.

On Time and On Budget:
- Budget was properly determined.
- Timeline is realistic given project magnitude and past organizational experience.
- Appropriate metrics and reporting schemes are developed.

Business Requirements Definition

Quality Product:
- Appropriate stakeholders are represented.
- Security requirements are defined.
- Automated and manual controls are considered.

On Time and On Budget:
- Project plan and budget remain realistic given business requirements.
- Business requirements do not overly rely on new and/or unproven technologies (e.g., a requirement that all transactions will process over the intranet).

Technical Requirements Definition

Quality Product:
- Technical requirements support the business requirements.
- Members of all impacted technical units represented.
- Technology assumptions are properly validated through internal experience or external site visits.
- Links to existing applications are defined and controlled (e.g., control totals)

On Time and On Budget:
- Project plan and budget remain realistic given technical requirements.
- Lead times for purchasing, receiving, installing and testing new hardware have been properly reflected in the timeline.

Software Selection/Coding

Quality Product:
- RFP and vendor assessments come directly from business and technical requirements.
- Selected vendor has experience in your industry, with companies your size, and with similar setups.
- Vendor is financially stable and will be around for long term support (alternatively, the source code could be owned by your organization).
- Proper change management and security controls are set up for the coding environment.

On Time and On Budget:
- Vendor contract terms are favorable, and include clauses on cost overruns.
- Vendor contract includes rewards/penalties for project timeliness.
- Project plan appropriately reflects the resources and time necessary to install, code and modify.

Testing

Quality Product:
- All testing is performed in an appropriate environment with adequate security.
- All issues noted during testing are communicated to the proper owner within the project.
- Test cases reasonably reflect the environment as it will appear in production.
- Change management controls are in place as system elements progress through the testing cycle.

On Time and On Budget:
- Resolution of test issues is focused on items that are necessary to achieve business or technical requirements (not all issues must be solved prior to going live!).
- Project plans are properly updated to reflect issues noted in testing that must be resolved.

Data Conversion

Quality Product:
- Data is accurately mapped from the old system to the new.
- Key data elements are screened using software (or manually in some cases) to ensure anomalies are removed.
- After conversion, sample data reflects accurate transfer.
- Control totals of key data fields/tables show consistency in the old and new data structure.

On Time and On Budget:
- Project plans are properly updated to reflect issues noted in data conversion that must be resolved.

SYSTEM LIFECYCLE STAGE/AUDIT AREAS

Quality Product On Time and On Budget

Training and Documentation

- Training addresses both system usage and business process.

- Training includes all affected parties.

- Training is provided close enough to implementation to allow participants best retention.

- Documentation (online and paper) is organized in a way to be useful to users and operators.

- Training and documentation are properly included in the project plan and budget.

Final Implementation

- Promotion to production environment follows established change management procedures.

- Parallel processing with old system(s) commences.

- Help desk and “swat teams” are in place.

- System backup procedures are established.

- Final costs are captured and summarized (watch out for implementation problems being defined as “on-going maintenance”).

- Project teams are closed down as the implementation continues.

Appendix 32: Related Documents

Code Number: Title

ICTA. 1.001: 2016 Government Enterprise Architecture

ICTA. 2.001: 2016 Infrastructure Standard (Networks, Cloud, End user Computing, Data Centre)

ICTA. 3.001: 2016 Information Security Standard

ICTA. 4.001: 2016 Electronic Records and Data Management Standard

ICTA. 5.001: 2016 IT Governance Standard

ICTA. 6.001: 2016 Systems and Application Standard

ICTA. 7.001: 2016 ICT Human Capital and Workforce Development Standard


ICT Authority

Telposta Towers, 12th Floor, Kenyatta Ave

P.O. Box 27150 - 00100 Nairobi, Kenya

t: + 254-020-2211960/62

Email: [email protected] or [email protected] or [email protected]

Visit: www.icta.go.ke

Become a fan: www.facebook.com/ICTAuthorityKE Follow us on twitter: @ICTAuthorityKE
