Worldbank Addressing Technology Risks for Successful E-Government Initiatives January 30, 2007 Werner Lippuner, Ernst & Young LLP, Washington D.C.


Worldbank

Addressing Technology Risks for Successful E-Government Initiatives

January 30, 2007

Werner Lippuner, Ernst & Young LLP, Washington D.C.


2

Overview

- E-Government Challenges & Expectations
- IT Risk Management
- Lessons Learned


3

E-Government

e-Government is the use of information and communication technology (ICT) to exchange information and services with citizens, customers, businesses, and other governmental organizations in order to improve efficiency, provide convenience, and enable accessibility.

Delivery Models
- Government-to-Citizen / Government-to-Customers (G2C)
- Government-to-Business (G2B)
- Government-to-Government (G2G)

Technologies
- WWW, E-Mail, Instant Messaging, Online Communities, RSS, XBRL
- PDA, SMS / MMS, 3G, GPRS
- WiFi, WiMAX, Bluetooth
- RFID, Biometrics, Smart Cards
- Many others


4

Government to Citizens, Customers, and Businesses

Conduct Transactions / Exercise Rights
- Purchase and pay for products and services
- Pay taxes
- Repay loans
- Electronic Voting

Submission/Filing of Information
- Report complaints, fraud, corruption, or accidents
- Apply for a government position
- Apply for grants and loans
- File taxes online

Access to General Information
- Access public information provided by the Government (laws, rules, regulations, forms, statistics, etc.)

Other Services
- E-mail
- eLearning, a program for people to learn online (Taiwan)
- mySchool offers e-assistance, help with homework, test prep (Luxembourg)
- Dating service
- Pen-pal service

Access to Personalized Information
- User account registration
- Access benefits statements
- Review process status (e.g. visa processing, court cases, etc.)

Exchange of Information
- Financial Information
- Health Information


5

Government-to-Government

Sharing of Information
- The E-Vital initiative establishes common electronic processes for Federal and state agencies to collect, process, analyze, verify and share death record information.
- GeoData.gov makes it easier, faster, and less expensive to find, share, and access geospatial information across all levels of government.

Streamlining of Communication
- Disaster Management provides Federal, state, and local emergency managers online access to disaster management related information, planning, and response tools.
- SAFECOM serves as the umbrella program within the Federal government to help local, tribal, State, and Federal public safety agencies improve public safety response through more effective and efficient interoperable wireless communications.

Sharing of Processes and Resources
- E-Training Initiative: the Federal government is migrating on-line training services from over 40 agencies to one.
- The Enterprise Human Resource Integration (EHRI) Initiative is providing HR managers and specialists with a data warehouse and workforce planning and analysis capabilities such that trends for retirement, promotions, and reassignments can be accurately and efficiently forecast.
- E-Payroll, through the efforts of multi-agency teams, is continuing the migration of agencies from the present 26 providers to 2 payroll partnerships, with a projected lifecycle cost savings/cost avoidance of $1.1 billion.
- Integrated Acquisition Environment (IAE) has resulted in an agency-shareable single vendor-performance file and a single vendor registration area that makes it easier to do business with the Federal government.

Sharing of Information, to:
- Provide convenient and continuous access to up-to-date information
- Eliminate redundancies and data quality problems

Streamlining of Communication, to:
- Enable interoperability
- Ensure timely and accurate exchange of information

Sharing of Processes and Resources, to:
- Eliminate redundant functions
- Reinforce consistency of processes and procedures

Source: eGov.gov


6

Challenges & Expectations

STAKEHOLDERS: Citizens, Visitors, Regulators, Government Agencies, Others

DRIVERS: Mission & Objectives, Trust & Reputation, Asset & Capital Management, Expenditures & Budget, Regulations

CHALLENGES: Digital Divide; Social, Cultural and Educational Issues; Existing Infrastructure; Legacy Systems, Decentralization, and Interoperability

EXPECTATIONS
- Delivering Value: Availability, Accessibility, Infrastructure, Reliability, Governance, Innovation
- Managing Cost: Project Management, Program Management
- Managing Risk: Confidentiality, Security, Data Integrity, Applications, Privacy, Identity & Access Management, Incident Response
- Facilitating Change: Program Implementation, Change Management, Interoperability, Control Monitoring
- Supporting Compliance: Regulatory Compliance, Vendor Risk Management, Monitoring Outsourced Operations

Volume, Cost Management, Regulatory Requirements

Governance - IT Governance – IT Risk Management


7

IT Governance

- Supports the effective and efficient management of information resources (e.g., people, funding, and information)
- Helps facilitate the achievement of agencies' missions and objectives
- Measures and manages IT performance
- Ensures IT risks and costs are appropriately controlled

IT Risk Management
- Assesses risk
- Develops risk mitigation strategies
- Monitors risk


8

Components of Risk

- Vulnerability: open to attack, damage, or loss
- Threat: an event that could cause loss
- Resources: available means
- Risk: determined by the Likelihood of a threat and its Impact (examples: loss of a data center, hardware failure)
- Control: safeguard, countermeasure

Relationships shown in the diagram: a threat exploits a vulnerability and impacts resources; a control protects resources and reduces risk.


9

Risk Management Process

Identify & Prioritize Risk -> Mitigate Risk -> Monitor / Report

Mitigation options: Risk Assumption, Risk Avoidance, Risk Limitation, Risk Transfer, Risk Sharing

Governance: Decision Making, Accountability

Continuous alignment with:
- Agency Environment
- Agency Mission & Objectives

Risk Awareness, Early Detection of Problems, Managing Resources / Spending

Risk Management Goals
- Achieve Agency Objectives
- Protect Stakeholders
- Control Expenditures


10

Regulatory Environment

Legislation
- Federal Managers' Financial Integrity Act (FMFIA)
- Federal Information Security Management Act (FISMA)
- eGovernment Act
- Health Insurance Portability & Accountability Act (HIPAA)
- Gramm Leach Bliley Act (GLB)
- Others

Standards & Guidelines
- Office of Management & Budget (OMB)
- National Institute of Standards & Technology (NIST)
- Others

Frameworks
- COSO, COBIT, ITIL, ISO, Others

Leads to...
- Extensive set of defined IT security and controls requirements (and options)
- Various reporting requirements
- Multiple owners and stakeholders

Requires...
- Focus on risk from an enterprise perspective to align resources with risk
- Coordination among involved parties
- Sharing of risk information
- Change management


11

Control Requirements

Regulatory Requirements, Business Requirements, Stakeholder Expectations, and Inherent Risk drive requirements regarding Confidentiality, Integrity, and Availability, which in turn drive control objectives within:
- IT Management Process: Planning & Organization, Maintenance & Acquisition, Delivery & Support, Monitoring
- IT Infrastructure: Datacenters, Networks, Operating Systems, Databases
- Business Process: Initiation, Authorization, Recording, Processing, Reporting

To define or assess controls, these components need to be linked.


12

Linking Resources

Resource owners and stakeholders: Functional Owner, DBA, Program Developers, Users, Audit, Legal, Processing Organization, Security

Layers to be linked: People, LANs, WANs, Transactions, Systems, Platforms, Application Processes, Technology Infrastructure

Business Process Criteria
• Confidentiality
• Availability
• Integrity

Example linkage for the Procurement process (each sub-process is rated for Confidentiality, Integrity, and Availability):

Sub Process: Ordering (Functions, Data)
- People: Program Manager, Contracting Officer
- Data: Goods, Pricing
- Application: Ariba, PeopleSoft
- Database: Oracle
- Operating system: Unix
- Telecom: T-1 Dedicated
- Facility: Facility 1


13

Control Baseline Approach

Threat Vulnerability Analysis (inputs: threat list, safeguards, vulnerabilities)

Resource | Threat | Vulnerability | Risk
Hardware | Fire | Lack of fire suppression | Loss of Hardware
Data | Virus | Lack of anti-virus software | Loss of Data

Controls Baseline Analysis (inputs: baseline controls; output: control gap)

Control Objective | Control Technique | Control Gap | Risk
Hardware is protected from environmental hazards | Fire suppression system is installed; fire detection system is installed; personnel are appropriately trained | Only a fire detection system is installed. Handheld extinguishers are available, team is not trained. | Loss of Hardware
System is protected from malicious software | Anti-virus software is installed | Anti-virus software is not installed. | Loss of Data
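To make the two-step analysis on this slide concrete, here is an added Python example (not part of the original presentation) that encodes the threat/vulnerability rows and the controls baseline as data, computes the control gap and residual risk per objective, and traces each open gap to the Procurement > Ordering sub-process from the Linking Resources slide; the mapping of each threat to a component (Facility 1, Unix) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatPair:
    """One row of the threat/vulnerability analysis (slide 13)."""
    resource: str       # what is at risk, e.g. Hardware, Data
    threat: str
    vulnerability: str
    risk: str           # the loss if the threat exploits the vulnerability
    component: str      # infrastructure component it sits on (slide 12 linkage; assumed)

@dataclass(frozen=True)
class ControlObjective:
    name: str
    techniques: frozenset   # baseline: every control technique expected to be in place
    mitigates: ThreatPair

def control_gaps(objectives, implemented):
    """Return {objective name: (missing techniques, residual risk or None)}.
    `implemented` maps objective name -> techniques actually in place; any missing
    baseline technique leaves the full risk of the pair as residual risk."""
    report = {}
    for obj in objectives:
        missing = obj.techniques - implemented.get(obj.name, frozenset())
        report[obj.name] = (sorted(missing), obj.mitigates.risk if missing else None)
    return report

def exposed_subprocesses(objectives, report, linkage):
    """Trace each open gap to the business sub-processes that depend on its component."""
    exposed = {}
    for obj in objectives:
        residual = report[obj.name][1]
        if residual is None:
            continue
        for sub, components in linkage.items():
            if obj.mitigates.component in components:
                exposed.setdefault(sub, set()).add(residual)
    return exposed

# Constructed sample taken from the slide tables; component assignments are assumed.
FIRE = ThreatPair("Hardware", "Fire", "Lack of fire suppression", "Loss of Hardware", "Facility 1")
VIRUS = ThreatPair("Data", "Virus", "Lack of anti-virus software", "Loss of Data", "Unix")
OBJECTIVES = [
    ControlObjective("Hardware is protected from environmental hazards",
                     frozenset({"fire suppression system", "fire detection system",
                                "personnel trained"}), FIRE),
    ControlObjective("System is protected from malicious software",
                     frozenset({"anti-virus software installed"}), VIRUS),
]
# Slide 13 finding: only fire detection is in place; no anti-virus software at all.
IMPLEMENTED = {"Hardware is protected from environmental hazards": {"fire detection system"}}
# Slide 12 linkage: the Ordering sub-process of Procurement and the components it runs on.
LINKAGE = {"Ordering": {"Ariba", "PeopleSoft", "Oracle", "Unix", "T-1 Dedicated", "Facility 1"}}
```

Calling control_gaps(OBJECTIVES, IMPLEMENTED) reproduces the Control Gap column, and exposed_subprocesses shows that both open gaps land on the Ordering sub-process.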


14

Control Objectives

Controls: Entity-level, Infrastructure-level, Transaction-level

- Controls Prioritization: focus on controls that cover key control objectives
- Controls Rationalization: consider controls that cover multiple control objectives
- Controls Automation: optimize the use of automated controls

Control types: Automated, Manual, Hybrid; Prevent, Detect


15

Lifecycle of a Control

Design, Implement, Test, Assess, Monitor, Report, Improve (and back to Design)

- Controls design is not a focus during new systems implementations
- Controls often need to be retrofitted to meet business and compliance needs
- Disconnect between application and manual controls
- Controls not properly documented
- Controls assessed for multiple purposes
- Controls dependencies often not transparent
- Controls automation and monitoring technologies not fully used
- Reporting process not effectively designed to satisfy all stakeholders' needs


16

Risk Considerations – New System Initiative

- Are risk management and regulatory requirements spelled out in the Statement of Work?
- Is there sufficient contract oversight to ensure that contractual specifications are being met?
- Are controls to mitigate risks and provide compliance clearly defined and assigned?
- Does the systems and process documentation include the documentation of controls?
- Are controls subject to review for their design effectiveness?
- Are control features in systems fully utilized?
- Are manual controls in business processes aligned with the automated controls provided by the system to prevent control gaps and overlaps?
- Are measures in place to maintain the control posture during the system replacement phase?
- Are controls periodically tested to assess their operating effectiveness?
- Are provisions in place to keep the documentation up-to-date?
- Are standard processes and configurations followed at all locations?
- ……


17

Risk Management Challenges

- Identification of resources in a decentralized environment
- Linkage between IT infrastructure, applications, and business processes
- Linkage between managerial, operational, and technical controls
- Consideration of outsourced processes, including development and operations
- Risk assessment viewed as a compliance requirement rather than a management function
- Complexity of regulatory requirements
- Dynamics in technology and demands
- Coordination of assessment activities
- Documentation and sharing of assessment results

These challenges could lead to risk being assessed:
- in a vacuum and in a fragmented fashion, not linked to the agency's mission
- at a point in time rather than over a period of time


18

Defining a Framework

Co-development between Internal Audit and the Risk Manager, with reporting to the Project Sponsor and Executive Management, covering:
- Approach and Methodology
- Milestones
- Team composition
- Tools
- Goals and Objectives
- Information Criteria
- Timing
- Reporting


19

Risk Assessment Approaches

Dimensions of an assessment approach:
- Timing: Point-in-Time, Continuous
- Approach: Baseline, Self Assessment
- Evaluation: Quantitative, Qualitative
- Identification: Threat, Vulnerability
- Team: Independent, Collaborative


20

Risk Management Culture

Risk Management Process, maturing from:
- Ad-Hoc, Reactive, Bottom-Up, Isolated, Fragmented, Informal
- Repetitive, Measurable
- Validated, Continuous, Entity-Wide
to:
- Aligned w/ Agency Objective, Top Down

Driver, maturing from:
- Incidences, Failures
- Audit, Legal Requirement
- Regulatory Requirements, Isolated Initiatives
to:
- Agency Objectives, Risk Culture


21

Risk Management Program – Lessons Learned

Organization & Accountability
- Clarification and delineation of responsibilities between various functions (agency management, program management, IT management, internal review, inspector general, etc.)
- Linking decentralized activities to an enterprise-wide framework
- Top-down planning
- Bottom-up reporting
- Facilitate coordination among various risk management functions

IT Governance
- Multi-disciplinary review boards for strategy, investments, risk, etc.
- Align risk management efforts to agency needs


22

Risk Management Program – Lessons Learned

Driving a Culture of Risk Management
- Tone at the top
- Awareness
- Training

Policies & Procedures
- Documentation of risk management policies and procedures
- Standards and practices
- Communication protocols and reporting requirements


23

Risk Management Program – Lessons Learned

Staffing
- Skill set
- Capacity

Training
- Common language
- Standardized approach

Technology
- Documentation of processes, controls, and assessments
- Controls automation / Controls monitoring


24

Risk Management Program – Lessons Learned

Performance Measures
- Definition of metrics and performance measures to assess risk management efforts

Monitoring
- Continuous monitoring of risk management activities and their results
- Reporting structure, accountability


25

Conclusion

Risk management activities are, consciously or unconsciously, executed by various functions within an agency. Linking these activities through coordination and communication vastly enhances the effectiveness of the overall risk management program.


26

Contact Information:

Werner Lippuner
Ernst & Young LLP
Washington, D.C.

[email protected]

© 2007 Ernst & Young LLP.

All Rights Reserved.

Ernst & Young is a registered trademark.

www.ey.com

ERNST & YOUNG LLP