
Department of Public Service Delivery (DPSD)

ICT Operations Assurance Plan

2015
Version 0.9
31 May 2015

IMPORTANT: This document provides an illustrative example of a populated ICT operations assurance plan and does not reflect the actual risks or controls of a particular agency. Agencies using this template must determine what assurance activities are required based on their own assessment. Sample text in this document should not be used in actual assurance plans unless it reflects the true position of the agency. All names of individuals in this document are fictional.

Document Approval
Role | Name / Title | Sign-off | Date
Recommended by | Chief Information Officer | |
Recommended by | Head of Agency Risk / Assurance | |
Approved by | Chief Executive | |
Received and filed by | GCIO ICT Assurance | |
DOCUMENT CONTROL
Document History
Version Issue Date Author Description of Changes
0.1 31/1/15 Jim Riskowner Initial draft
0.2 15/2/15 Jim Riskowner Inserted risks and ratings
0.3 18/2/15 Jim Riskowner Populated schedule
0.4 20/2/15 Jim Riskowner Updated schedule
0.5 3/3/15 Jim Riskowner Updated schedule
0.6 3/4/15 Robert Chackitout Updated schedule
0.7 1/5/15 Paul Schmidt Updated schedule
0.8 15/5/15 Maria Veracruz Inserted references to attachments
0.9 31/5/15 Jim Riskowner Draft to GCIO

Key Contacts
Name | Title | Contact Details
Robert Chackitout | Chief Information Officer | 04 000 0000
Jen Locktight | Chief Information Security Officer | 022 000 000
Jude Gardner | Head of Risk / Assurance | 022 000 001
Jim Riskowner | Principal IT Risk Advisor | 04 000 0000, 027 000 0000

FY 2016 Assurance Plan Version 0.9 (Web SAMPLE) 31 May 2015 Page 2 of 24

This is an illustrative example only; it should not be taken as a benchmark or government policy.
Table of Contents

1. CONTEXT (page 4)
1.1 Key Objectives and Outcomes (page 4)
1.2 Scope and Approach (page 4)
1.3 Key Risks (page 5)
1.4 Roles, Accountability and Responsibilities - Overall Plan (page 6)
1.5 Monitoring and Reporting Process (page 7)
1.6 Referenced Documents (page 8)
2. ASSURANCE SCHEDULE OVERVIEW (page 9)
2.1 Assurance Approach (page 9)
2.2 Lessons Learned (page 9)
2.3 Decisions / Assumptions (page 10)
2.4 Roles, Accountability and Responsibilities - Individual Activities (page 10)
2.5 Assurance Budget (page 11)
2.6 Assurance Schedule (page 11)
3. DETAILED ASSURANCE SCHEDULE (page 12)

1. CONTEXT
1.1 Key Objectives and Outcomes
The objective of this document is to outline how over the course of FY16 our agency will obtain
confidence that ICT operations will support and enable our agency's key business objectives.

In order to carry out its mandate of managing key risks and system-wide risks, the Government
Chief Information Officer (GCIO) has required that all departments and agencies submit ICT
operations assurance plans covering significant risk areas by 30 June 2015.

ICT risks are business risks

In fulfilling our mandate to deliver services to the public, we depend on the effective, secure and
reliable operation of our ICT systems. In addition, opportunities frequently arise to leverage
technology to improve our business outcomes. We must be able to both maintain the operation of
our existing ICT systems, and be in a position where our agency's leaders can confidently take
advantage of technology-enabled opportunities.

Our business, operational, and support functions face a number of risks due to their reliance on ICT
to both support and enable their objectives. Some risks have negative consequences, and some
are clear opportunities. Good management of risks, embedded in all business decisions, helps
ensure we are efficient, effective, and focussed on the outcomes that matter most to those we
serve.

Following our organisation's risk management framework and methodology, we continually assess
our ICT operations risks and apply mitigations to bring risk within an acceptable tolerance.

This ICT Operations Assurance Plan outlines the assurance activities planned for FY15/16 to
provide objective evidence that controls and other mitigations are working. These activities may
include, for example: analysis of information obtained through monitoring, routine or special reviews
by management or governance bodies, and audits / reviews by internal or external parties.

In the area of ICT security, our agency has been responding to surveys by the GCIO which have
sought information on our governance, policy, and controls for securing publicly accessible systems.
In our responses to these surveys we have committed to achieving a 3 on the survey's maturity
scale by March 2015. A 3 indicates:

"A structured IT security assurance programme is in place. The programme is approved and
regularly reviewed by an independent governance group."

This plan, with its strong focus on ICT security, will fulfil our commitment to having a structured
programme of assurance in place.

1.2 Scope and Approach

This assurance plan is part of the agency's overall risk management and assurance approach, and
specifically covers ICT operations risk areas: i.e. business-as-usual (non-project) risks related to the
technology with which we manage and transmit our information.
The GCIO has informed us of the top 5 system risk areas self-identified by agencies in its ICT
Operations Risk Survey, which took place in March 2014. These are:

1. Information Security Management (including the security aspects of Privacy)
2. Service Continuity Management
3. Service Portfolio Management
4. Capacity Management
5. Supplier Management.

Our Senior Leadership Team has confirmed that these top 5 risk areas are indeed the significant
risk areas for our organisation. We have over 30 critical operational systems, including 15 public-
facing systems, and our reputation and ability to deliver services depend on these systems being
secure and available. In addition, we can increase our effectiveness and return on investment by
strategically managing our service portfolio and the capacity of our systems and people. Finally,
with more of our systems and support being outsourced, including to the cloud, we need to have
confidence in our own ability to confirm that our suppliers meet expectations, and to obtain
assurance from them.

Our assurance planning process will continue to evolve over at least the next three years. As we
proceed along the journey toward risk management and assurance maturity, we will bring other
areas of ICT operations into our formal annual plans. While this year we have prioritised and are
including the highest risk areas in the formal plan, there are many other assurance activities
occurring regularly across other ICT operational areas.

As described in Section 2.1, in collaboration with stakeholders, we have arrived at this plan by:

Identifying our specific risks within each of the top 5 risk areas
Determining what assurance activities were already planned
Identifying where there were assurance gaps
Deciding which assurance activities would be most valuable to add or revise over the coming
year.

We then created a schedule of assurance activities for FY15/16 that is achievable and, most
importantly, will be of value to decision makers.

1.3 Key Risks

As a result of the process described in Section 1.2, at a high level, and within the top 5 risk areas,
we identified the following key risks:

Key Risk | Current Risk Rating
1. Information may be accessed / accessible by unauthorised person. | High
2. Our ICT services could be providing greater value. | High
3. Capability / capacity to provide IT services may be lost following a disaster / outage. | High
4. Suppliers may not be protecting our information (including DR). | High
5. Suppliers may not perform and/or opportunities to increase value may be missed. | High
6. We may not have enough staff with the right skills to meet our objectives related to ICT. | Moderate
7. Staff may be using unlicensed software and this may result in a legal penalty or security breach. | Moderate
8. Current suppliers may not be able to continue to meet business needs into the future. | Moderate
9. ICT systems may not provide sufficient storage and performance. | Moderate

1.4 Roles, Accountability and Responsibilities - Overall Plan

The table below outlines the key roles and responsibilities in developing and managing this plan.

1. Accountability
Overall accountability for the assurance plan: Chief Executive
Acceptance of the residual business risk: Helen Beck

2. Responsibility

2i. Preparation
Preparation / sign-off of the assurance plan (annually): Chief Information Officer, Robert Chackitout
Recommendation of the assurance plan to the Chief Executive: Chief Information Officer, Robert Chackitout; Head of Risk / Assurance, Jude Gardener

2ii. Monitoring
Ongoing monitoring of progress against this plan, and the consolidated results of the assurance activities: Chief Information Officer, Robert Chackitout
Updating the plan mid-cycle in response to changing priorities: Chief Information Officer, in consultation with Head of Risk / Assurance, Jude Gardener
Tracking of action items (such as control improvement initiatives and remediations): Chief Information Officer, Robert Chackitout (to be provided status updates monthly by assigned action owners)

2iii. Reporting
Approval of monthly assurance summary report (see Section 1.5): Chief Information Officer, Robert Chackitout; Head of Risk / Assurance, Jude Gardener
Preparation and distribution of monthly assurance summary report (see Section 1.5): Principal IT Risk Advisor
Reporting of assurance results to the Risk and Audit Committee: Head of Risk / Assurance, Jude Gardener

2iv. Quality
Quality of plan and monthly assurance reporting: Chief Information Officer, Robert Chackitout

3. Contributing
Contributing to the plan, confirming the scope / timing of assurance activities they sponsor: Chief Information Officer, Robert Chackitout; Chief Information Security Officer, Jen Locktight; Privacy Officer, Tina Flavell; Chief Operating Officer, Simon Weyland; Head of Risk / Assurance, Jude Gardener; Manager, Internal Audit, Cynthia Cho

1.5 Monitoring and Reporting Process


The results of each assurance activity will be reported to stakeholders as detailed in the terms of
reference, standard operating procedure, or other document that defines each activity. A list of
those to receive the results must be agreed for each activity.

In addition, assurance providers must send the results of completed assurance activities to the CIO
and Principal ICT Risk Advisor as soon as the results are finalised, or sooner if the results indicate a
serious issue or urgent opportunity. On a monthly basis, the Principal ICT Risk Advisor (in the
Office of the CIO) will compile these results into a Monthly ICT Operations Assurance Summary
for the CIO.

The Monthly ICT Operations Assurance Summary will include at a minimum:

Progress against the plan (are the assurance activities on schedule? on budget?)
Key results from the previous month (summary)
Indication of increasing or decreasing confidence in controls over each key risk from Section
1.3 (key risk dashboard)
Any new risks identified (with a summary of how these were escalated / recorded)
Any new adjustments needed to assurance or controls (with action plans)
Challenges and successes.

The CIO and Head of Risk / Assurance will review and approve the Monthly ICT Operations
Assurance Summary, directing where necessary on any new risks or adjustments to the plan.
Copies will then be made available to the Senior Leadership Team and the Chief Executive.

The Head of Risk / Assurance will report quarterly to the Risk and Audit Committee on the progress
of the ICT Operations Assurance plan, and escalate to the Risk and Audit Committee any critical
risks. Protocols for this reporting have been added to the Internal Audit and Risk charters, and
supporting procedures documents.

Notwithstanding the above process, any significant new risks or assurance information must be
escalated immediately to the appropriate level. In some cases it will be appropriate to communicate
assurance results and/or key risks (including opportunities) to the GCIO to support its system-wide
view; the scope of this reporting will be agreed with the GCIO.

The results of the assurance activities, and lessons learned from the process, will be used to inform
the development of the FY16/17 Annual ICT Operations Assurance Plan, which will be developed
beginning in February 2016 and completed by 30 June 2016.

1.6 Referenced Documents
Appendix 1 Final Risk and Mitigation Register, May 2015

Appendix 2 Risk Appetite statement, January 2015

2. ASSURANCE SCHEDULE OVERVIEW
2.1 Assurance Approach
To develop the assurance schedule for FY15/16, we first sought to understand the relevant risks
within each of the top 5 areas. We liaised with Risk, Internal Audit, managers, the Senior
Leadership Team and other stakeholders to collect information on risks and controls they had
already identified. For new risks or risks that were not yet rated, we worked with stakeholders to
evaluate the risks, with due consideration of the risk appetite of our agency, and identified controls.

Next, we sought to determine what activities were already planned or underway to give us
assurance the controls are managing the risks. Through this process, we identified some areas
where we felt there was not enough assurance in place, and other areas where different assurance
providers would be duplicating assurance effort.

Where there were gaps, we worked with assurance providers to identify new activities to give us the
assurance we need. We also identified actions for further improving controls. Throughout the
process, we consulted key internal and external stakeholders to understand their assurance
expectations.

We then created a schedule of assurance activities for FY15/16 that is achievable and, most
importantly, that will be of value to decision makers.

2.2 Lessons Learned


As this is our first annual plan, we are not carrying over lessons learned from a previous year.
However, our Chief Information Officer and Head of Risk / Assurance attended several GCIO
workshops in which other agencies shared the lessons they had learned in developing and
implementing formal assurance plans.

Agencies reported that key to the success of an operations assurance plan is good engagement
between ICT and the business on risks. Those responsible for implementing this plan should help
the business and ICT understand and agree to the linkage between business objectives and ICT
risks. In this way ICT staff will have greater appreciation for the business goals ICT supports, and
business managers will have a better appreciation of how ICT risks impact their goals. If this is
done well, it will be clear that assurance planning is not a compliance exercise, but a driver of value
for the organisation.

In developing this plan we held three workshops with business and ICT management stakeholders
and team leaders to discuss the linkage between business goals and ICT risks. These were
valuable discussions that helped those who will direct ICT assurance activities better understand the
current priorities of business managers. The discussions also helped shape the focus, frequency
and scope of assurance activities for the upcoming year. The business managers who participated
obtained a better understanding of the ICT risks and opportunities that underlie the initiatives and
deliverables that are top of mind for them. Following the workshops, we saw increased engagement
and more frequent discussions between ICT and the business at multiple levels, reflecting a new,
common understanding of risk and the value of assurance.

2.3 Decisions / Assumptions
Due to a limited assurance budget, we were not able to include in our FY15/16 schedule assurance
activities covering all the controls and other mitigations that work to keep our risk within an
acceptable level. [1]

For example, we were only able to schedule limited coverage of the moderate risk areas in scope
(areas 6-9 in Section 1.3). However, we have planned at least one assurance activity in each area.

We note that in many areas of ICT, new controls are being embedded to bring the level of risk within
the risk appetite expressed by the Senior Leadership Team (Appendix 2). Implementing these
controls has a cost, as does providing for continued assurance over them. Some of this cost can be
recovered through efficiencies identified through the assurance activities themselves (e.g. some
assurance activities pay for themselves).

Better management of the service portfolio and supplier management are two areas in scope where
the assurance investment is most likely to result in tangible cost savings and direct financial value to
ICT and the agency in the near and long term.

2.4 Roles, Accountability and Responsibilities - Individual Activities

As discussed above, many parties will be involved in providing the required assurance, including:

Front line staff: Routine checks.
Management: Monitoring and upward reporting of KPIs, risks and issues.
Service desk: Aggregate reporting on events, incidents, and problems.
Risk team: Risk registers, operational monitoring reports and deep-dive reviews to help us manage risk.
Security team: Oversight on patch levels, vulnerabilities, security incidents, and other areas.
Privacy team: Breach reporting and analysis by which we can assess our privacy controls.
Internal audit: Scheduled ICT audits according to the three-year internal audit plan.
External audit: External audit procedures which may provide assurance.
Security contractor: Services such as independent controls testing and penetration testing to help us identify exposures.
Data centre provider: Monitoring reports, notifications, and SLA reporting as agreed. Also provides annual SOC 2 assurance reports which independently confirm its controls are in place.
Supplier manager: Monitoring the performance of suppliers, including obtaining assurance from them.
Management consultants: Assessments of where we can achieve more value for our ICT investment, and better align our initiatives to our strategic and operational goals.
External agencies / regulators: Views on compliance and risk within the context of their mandates.
GCIO: Shared information on system-wide risks, lessons learned, assurance guidance.

For each activity, there will be two primary functional roles as follows:

The activity owner, or sponsor, will be the management-level employee or executive who must
ensure that the assurance activity is carried out and that the results are delivered according to a
terms of reference or similar agreement.

The assurance provider is responsible for carrying out the activity according to the terms of
reference, and delivering results in a timely manner.

[1] This response is to illustrate that GCIO expects agencies to report any difficulties in meeting assurance requirements, including resource constraints. A statement like this would likely be followed up with discussions with GCIO as to whether the decision to delay the needed assurance is reasonable.

Specific activities and deliverables are listed in the Assurance Schedule (Section 3).

2.5 Assurance Budget


The estimated cost of the FY15/16 assurance activities is as below. This amount comes from
various departmental budgets, including Risk, Internal Audit, and other functional teams, in addition
to ICT, and is a rough estimate of the cost only. The estimate does not include assurance costs
borne by suppliers.

Although risk and assurance are ultimately part of everything we do, the amount below does not
include the cost of all controls or routine risk management activities embedded in business-as-usual
operational processes. It includes only the assurance activities that report upward to give us
confidence that our controls and mitigations are working.

NZD $
Estimated Assurance Cost $xxx,xxx

2.6 Assurance Schedule


Refer to Section 3 for the schedule of assurance activities planned for FY16.

3. DETAILED ASSURANCE SCHEDULE

Below are the assurance activities that will occur in FY16 over ICT Operations. Each entry gives: Risk area (see legend); Assurance activity; Control objective; Specific activity and deliverable; Owner; Assurance provider; Frequency / timing; Key risk (High / Medium, from Section 1.3).

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt.; (5) Supplier Mgmt.

Risk area: 1, 3
Assurance activity: User access reviews
Control objective: Access to network / system / folders is authorised.
Specific activity and deliverable: ICT sends list of current users to department heads and supplier managers, also noting users with remote access. Department heads review and sign off attesting that access for users in their area is appropriate. Exceptions must be noted with evidence of follow-up attached. ITSM reviews for completeness.
Owner: CIO
Assurance provider: Department heads, Supplier managers; ITSM reviews for completeness
Frequency / timing: Quarterly
Key risk: Information may be accessed / accessible by unauthorised person. Staff may be using unlicensed software and this may result in a legal penalty or security breach.

Risk area: 1
Assurance activity: Remote access token audit
Control objective: Remote access is authorised.
Specific activity and deliverable: Physical stocktake of remote access tokens and comparison with token register maintained by ICT.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q2 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: User access controls audit
Control objective: Logical access is generally well-controlled.
Specific activity and deliverable: Review of the design and effectiveness of user access controls. Internal Audit produces a report with recommendations. Management (department heads) are responsible for providing a response and remedial actions for any findings.
Owner: Manager, Internal Audit; Department heads (response and actions)
Assurance provider: Internal audit
Frequency / timing: Q3 (Tri-annual)
Key risk: Information may be accessed / accessible by unauthorised person.
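The quarterly user access review above is, mechanically, a reconciliation: the account list ICT exports is checked against the list of who is currently authorised, remote-access accounts are called out, and anything no department head can attest to goes on an exception list that ITSM checks for completeness. The Python below is an added example written for this page, not code from the plan or from the GCIO; the account export, the HR roster, the department names and the exception categories are constructed assumptions, and a real run would read these from the directory and HR system exports instead.

```python
"""Quarterly user access review pack (added example, not part of the agency's plan).

Reconciles an ICT account export against the HR roster so that each
department head receives only the accounts HR says belong to them,
remote-access accounts are flagged, and anything that cannot be
attested by a department head lands on the exception list for ITSM.
All records below are constructed sample data.
"""
from collections import defaultdict

# Constructed ICT account export: username -> department ICT has on file, remote access flag.
ACCOUNTS = {
    "jsmith":  {"dept": "Finance", "remote": True},
    "mlee":    {"dept": "Finance", "remote": False},
    "pdoe":    {"dept": "Service", "remote": True},
    "rkhan":   {"dept": "Service", "remote": False},   # HR says Legal
    "svc_bkp": {"dept": None,      "remote": False},   # service account, no named owner
    "aolsen":  {"dept": "Service", "remote": True},    # left the agency last quarter
}

# Constructed HR roster: username -> current department and employment status.
HR = {
    "jsmith": {"dept": "Finance", "status": "active"},
    "mlee":   {"dept": "Finance", "status": "active"},
    "pdoe":   {"dept": "Service", "status": "active"},
    "rkhan":  {"dept": "Legal",   "status": "active"},
    "aolsen": {"dept": "Service", "status": "terminated"},
}


def build_review_packs(accounts, hr):
    """Return (packs, exceptions).

    packs:      department -> [(username, has_remote_access)] for the head to attest.
    exceptions: [(username, reason)] that need evidenced follow-up before sign-off.
    """
    packs = defaultdict(list)
    exceptions = []
    for user, acct in sorted(accounts.items()):
        person = hr.get(user)
        if person is None:
            # No HR record: orphaned account or an unregistered service account.
            exceptions.append((user, "no HR record / unowned account"))
            continue
        if person["status"] != "active":
            # The account should already be disabled; do not ask anyone to attest it.
            exceptions.append((user, "account still enabled after termination"))
            continue
        if person["dept"] != acct["dept"]:
            # Still attested, but by the department HR places the person in.
            exceptions.append((user, f"department mismatch: ICT={acct['dept']} HR={person['dept']}"))
        packs[person["dept"]].append((user, acct["remote"]))
    return dict(packs), exceptions


def remote_access_users(packs):
    """Usernames with remote access, called out separately as the plan requires."""
    return sorted(u for users in packs.values() for u, remote in users if remote)


def completeness_check(accounts, packs, exceptions):
    """ITSM check: every exported account is either in a pack or on the exception list."""
    covered = {u for users in packs.values() for u, _ in users}
    covered |= {u for u, _ in exceptions}
    return covered == set(accounts)


if __name__ == "__main__":
    packs, exceptions = build_review_packs(ACCOUNTS, HR)
    for dept, users in sorted(packs.items()):
        print(f"{dept}: " + ", ".join(f"{u}{' (remote)' if r else ''}" for u, r in users))
    print("remote access:", remote_access_users(packs))
    print("exceptions:", exceptions)
    print("complete:", completeness_check(ACCOUNTS, packs, exceptions))
```

Two design points matter for the attestation to mean anything: a terminated person's account is never placed in a pack (a department head cannot usefully "attest" an account that should already be disabled, so it goes straight to the exception list), and a department mismatch is routed to the department HR records rather than the one ICT has on file, so the person who actually manages the user is the one signing off.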


Risk area: 1
Assurance activity: Encryption testing
Control objective: Data is encrypted as per our security standards.
Specific activity and deliverable: Security staff run a series of tests on network segments or functions where encryption is required.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q1, Q4 (Twice yearly)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Review of privileged user access (logs)
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Risk team reviews system activity logs on a sample basis to determine whether activity by privileged users is appropriate.
Owner: Risk Manager
Assurance provider: Risk team
Frequency / timing: Q4 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Review of privileged user access (controls)
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Internal Audit reviews the design and effectiveness of controls related to super user and direct data access.
Owner: Manager, Internal Audit
Assurance provider: Internal Audit
Frequency / timing: Q3 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).

Risk area: 1
Assurance activity: Sensitive data alert review
Control objective: Super-user access to the network, operating system and direct access to the databases is authorised and monitored.
Specific activity and deliverable: Internal audit tests alerts on sensitive data tables to ensure triggers are working, and reviews a sample of historical alerts to see whether appropriate follow-up was done.
Owner: ITSM
Assurance provider: Internal Audit
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1, 5
Assurance activity: Site alarm testing and report review
Control objective: Data centre is alarmed at perimeter and at internal doors.
Specific activity and deliverable: Service provider tests alarms, and data centre manager reviews and reports on the results of testing, and on alerts and alarms raised during the week.
Owner: Supplier manager
Assurance provider: Data centre provider
Frequency / timing: Weekly, reported in data centre provider's monthly report
Key risk: Information may be accessed / accessible by unauthorised person.
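The sample-based review of privileged activity logs above needs two things the plan does not spell out: a deterministic way to draw the sample (so the reviewer can show which lines were and were not examined) and a yardstick for "appropriate" (here: the user is in the privileged-access register for that host, and out-of-hours activity is covered by an approved change window). The Python below is an added example written for this page, not code from the plan or from the Risk team; the sudo-style log lines, the register, the change window, the business-hours assumption and the 2015 year (syslog omits it) are all constructed.

```python
"""Sample-based review of privileged activity logs (added example, not part of the agency's plan).

Parses constructed sudo-style syslog lines, draws a deterministic sample,
and flags privileged activity that is not covered by the privileged-access
register or by an approved change window.
"""
import hashlib
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: "
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed log lines (syslog omits the year; 2015 is assumed in parse()).
LOG_LINES = [
    "Jun  3 10:14:07 db01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/systemctl restart postgresql",
    "Jun  3 23:41:55 db01 sudo: jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/pg_dump agency",
    "Jun  4 02:05:12 web01 sudo: tlead : TTY=pts/0 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/apt-get upgrade",
    "Jun  4 11:30:00 db01 sudo: contractor7 : TTY=pts/2 ; PWD=/tmp ; USER=postgres ; COMMAND=/usr/bin/psql",
]

# Constructed privileged-access register: user -> hosts on which privileged use is authorised.
REGISTER = {"jsmith": {"db01"}, "tlead": {"web01", "web02"}}

# Constructed approved change windows: (host, start, end, change ticket).
CHANGE_WINDOWS = [("web01", datetime(2015, 6, 4, 1, 0), datetime(2015, 6, 4, 4, 0), "CHG-1042")]

BUSINESS_HOURS = (8, 18)   # assumed: activity outside 08:00-18:00 needs a change window


def parse(line, year=2015):
    """Return a dict for a sudo line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "target": m["target"], "cmd": m["cmd"].strip()}


def sample(lines, percent, salt="fy16-q4"):
    """Deterministic sample: a line is kept when its salted hash lands under the percentage.
    Re-running with the same salt reproduces the sample, so the review is auditable."""
    keep = []
    for line in lines:
        h = hashlib.sha256((salt + line).encode()).digest()
        if int.from_bytes(h[:2], "big") % 100 < percent:
            keep.append(line)
    return keep


def in_change_window(host, ts):
    """Ticket number of the approved window covering (host, ts), or None."""
    for h, start, end, ticket in CHANGE_WINDOWS:
        if h == host and start <= ts <= end:
            return ticket
    return None


def review(lines):
    """Return [(user, host, timestamp, reason)] findings for the lines given."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("?", "?", None, f"unparseable line: {line[:40]}"))
            continue
        if ev["host"] not in REGISTER.get(ev["user"], set()):
            findings.append((ev["user"], ev["host"], ev["ts"],
                             "user not in privileged register for host"))
            continue
        out_of_hours = not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1])
        if out_of_hours and not in_change_window(ev["host"], ev["ts"]):
            findings.append((ev["user"], ev["host"], ev["ts"],
                             "out-of-hours activity with no approved change window"))
    return findings


if __name__ == "__main__":
    chosen = sample(LOG_LINES, 100)        # 100 = review everything; lower for a true sample
    for user, host, ts, reason in review(chosen):
        print(f"{ts}  {user}@{host}: {reason}")
```

Of the four constructed lines, the reviewer is shown two: jsmith running pg_dump on db01 late at night with no change ticket, and contractor7 using sudo on a host the register does not authorise them for. tlead's 02:05 upgrade on web01 falls inside CHG-1042 and is not flagged. Unparseable lines are reported rather than silently dropped, since a log format change is itself something the review should notice.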


Risk area: 1, 5
Assurance activity: Review of door / server rack access logs
Control objective: Data centre door access is limited to authorised staff.
Specific activity and deliverable: Data centre manager reviews access logs for doors and server racks and compares against authorised access list. Signs check sheet to evidence review.
Owner: Supplier manager
Assurance provider: Data centre provider
Frequency / timing: Weekly, reported in data centre provider's monthly report
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Inspections of locks, cabling, network jacks at all offices
Control objective: Sensitive ICT equipment and access points at our offices are secured.
Specific activity and deliverable: Security team members inspect for physical security exposures at all sites using a good practice checklist.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1, 5
Assurance activity: Review of site visitor logs
Control objective: Visitors to the data centre are authorised.
Specific activity and deliverable: Supplier manager compares visitor access log and system-generated logs to the list of pre-authorised visitors. Supplier manager signs off that all visitors were authorised.
Owner: Supplier manager
Assurance provider: Supplier manager
Frequency / timing: Monthly (based on documentation provided by data centre manager)
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).

Risk area: 1, 3, 4, 5
Assurance activity: SOC 2 report on data centre controls
Control objective: Physical access is generally well-controlled. Devices / processes ensure uninterruptible power.
Specific activity and deliverable: ISAE (NZ) 3000 Service Organisation Controls Report on AICPA Trust Service Principles. The report follows the SOC 2 model (USA/Canada).
Owner: ITSM
Assurance provider: Data centre provider orders report by an independent service auditor (data centre provider funds the review)
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).


Risk area: 1, 5
Assurance activity: External penetration test
Control objective: Network perimeter is secured against intrusion.
Specific activity and deliverable: Set of tests run by a security contractor simulating an attack via the Web. Security contractor provides a report with findings and recommendations.
Owner: Supplier manager
Assurance provider: Security contractor
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Internal penetration test
Control objective: Systems are secured against internal attack.
Specific activity and deliverable: Set of tests run by a security contractor simulating an attack from within the agency. Security contractor provides a report with findings and recommendations.
Owner: ITSM
Assurance provider: Security contractor
Frequency / timing: Q1 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Fraud Risk Review
Control objective: Systems are secured against internal attack.
Specific activity and deliverable: Fraud risks are assessed and ranked, possibly identifying ICT exposures. Report produced, and actions identified.
Owner: CISO (with regard to the ICT-related risks)
Assurance provider: Internal audit
Frequency / timing: Q3 (Annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Critical and high security patch level reporting
Control objective: Important software patches are applied.
Specific activity and deliverable: Security team reports on outstanding critical and high security patches, noting any approved exemptions and timetable for patching.
Owner: ITSM; Technical leads (response and actions)
Assurance provider: Security team provides report. Technical leads are assigned to complete remediation.
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Vulnerability mitigation reports
Control objective: Vulnerabilities are managed.
Specific activity and deliverable: Security team reports on known vulnerabilities and mitigations. Report is updated monthly.
Owner: ITSM
Assurance provider: Security team (requires input from technical leads)
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.
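The monthly patch level report and the vulnerability mitigation report above share one piece of logic: each outstanding item is either inside its patching timetable, overdue, covered by an approved exemption, or covered by an exemption that has lapsed and so needs re-approval or patching. The Python below is an added example written for this page, not code from the plan or the Security team; the 14-day / 30-day timetables, the scan output, the exemption register, the host names and patch identifiers are all constructed assumptions.

```python
"""Monthly critical / high patch status report (added example, not part of the agency's plan).

Classifies each missing critical or high patch on each host as within the
patching timetable, overdue, covered by a current approved exemption, or
covered by an exemption that has lapsed. Timetables and all input records
are constructed assumptions for illustration.
"""
from datetime import date, timedelta

# Assumed timetable: days from vendor release within which the patch must be applied.
TIMETABLE_DAYS = {"critical": 14, "high": 30}

REPORT_DATE = date(2015, 6, 1)

# Constructed scan output: (host, patch id, severity, vendor release date).
MISSING = [
    ("web01", "KB-3000001", "critical", date(2015, 5, 12)),
    ("web01", "KB-3000002", "high",     date(2015, 5, 20)),
    ("db01",  "KB-3000001", "critical", date(2015, 5, 12)),
    ("app02", "KB-3000003", "high",     date(2015, 4, 1)),
    ("app02", "KB-3000004", "low",      date(2015, 5, 20)),   # out of scope for this report
]

# Constructed exemption register: (host, patch id, approver, expiry date).
EXEMPTIONS = [
    ("db01",  "KB-3000001", "CISO", date(2015, 6, 30)),   # current: vendor fix breaks DB driver
    ("app02", "KB-3000003", "CISO", date(2015, 5, 15)),   # lapsed: re-approve or patch
]


def patch_status(missing, exemptions, as_of):
    """Bucket each critical/high item. Every entry is (host, patch, key date):
    the deadline for 'due' / 'overdue', the exemption expiry for the other two."""
    report = {"overdue": [], "due": [], "exempt": [], "exemption_expired": []}
    ex = {(h, p): expiry for h, p, _approver, expiry in exemptions}
    for host, patch, severity, released in missing:
        if severity not in TIMETABLE_DAYS:
            continue                       # only critical and high are reported monthly
        key = (host, patch)
        if key in ex:
            expiry = ex[key]
            bucket = "exempt" if expiry >= as_of else "exemption_expired"
            report[bucket].append((host, patch, expiry))
            continue
        deadline = released + timedelta(days=TIMETABLE_DAYS[severity])
        bucket = "overdue" if as_of > deadline else "due"
        report[bucket].append((host, patch, deadline))
    return report


def actions_by_host(report):
    """What each technical lead must act on this month: overdue patches and lapsed exemptions."""
    todo = {}
    for host, patch, _ in report["overdue"] + report["exemption_expired"]:
        todo.setdefault(host, []).append(patch)
    return todo


def run_report(as_of=REPORT_DATE):
    return patch_status(MISSING, EXEMPTIONS, as_of)


if __name__ == "__main__":
    rpt = run_report()
    for bucket, items in rpt.items():
        for host, patch, when in items:
            print(f"{bucket:18} {host:6} {patch}  {when}")
    print("actions:", actions_by_host(rpt))
```

The point of the separate "exemption_expired" bucket is that an exemption is a time-boxed acceptance of risk, not a permanent one: once its expiry passes, the item is back on the technical lead's action list alongside the plainly overdue patches, and the report shows that the approved exemption for db01 and the lapsed one for app02 are different situations.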


Risk area: 1
Assurance activity: Privacy breach reporting and analysis
Control objective: Privacy breaches are reported and assessed.
Specific activity and deliverable: Privacy officer reviews and reports on breaches reported during the previous month, identifying trends, internal control weaknesses, and lessons learned.
Owner: Privacy officer
Assurance provider: Privacy officer
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Privacy controls review
Control objective: Privacy controls are being followed.
Specific activity and deliverable: Internal audit assesses the privacy controls in place, testing for control effectiveness.
Owner: Chief executive
Assurance provider: Internal audit
Frequency / timing: Q1 (Bi-annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Privacy impact analysis (PIA) updates
Control objective: Privacy risks are revisited when systems undergo changes impacting privacy.
Specific activity and deliverable: Triggered by CAB flagging of changes that might have a privacy impact, systems are re-assessed for privacy. Artefacts are produced that supplement the original PIA.
Owner: Privacy officer
Assurance provider: Privacy team in collaboration with system owner and technical leads
Frequency / timing: Upon changes to systems that could impact privacy
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Privacy maturity assessment
Control objective: Our privacy maturity is known and continuously improved.
Specific activity and deliverable: Privacy specialists conduct high-level maturity assessment of privacy practices, assessing against the Privacy Act.
Owner: Privacy officer
Assurance provider: Privacy contractor
Frequency / timing: Q4 (Bi-annual)
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Security training / induction summary reporting
Control objective: Employees and contractors are inducted and periodically trained on their security responsibilities.
Specific activity and deliverable: Security team verifies all new starters during the previous month (employees and contractors) have received security induction and have signed off on acceptable use policy.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Monthly
Key risk: Information may be accessed / accessible by unauthorised person.

Risk area: 1
Assurance activity: Internal security breach analysis
Control objective: We use learnings from internal security breaches to strengthen our security programme.
Specific activity and deliverable: Roll-up analysis of any internal security breaches that occurred during the previous two quarters, to include instances of security policy / acceptable use violations.
Owner: ITSM
Assurance provider: Security team
Frequency / timing: Q2 and Q4 (Twice yearly)
Key risk: Information may be accessed / accessible by unauthorised person.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 16 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

1 System Systems are Systems are formally accredited Chief CISO Upon Information may be
accreditation accredited. and the residual risk accepted, executive renewal of accessed / accessible
following a robust certification accreditatio by unauthorised
process. (Cost estimate includes n person.
certification)
1 Accreditation Systems are Monthly updates from CISO to CIO CISO Monthly Information may be
status accredited. CIO on the certification and accessed / accessible
reporting accreditation status of systems. by unauthorised
person.
2 Application We know where our Complete the GCIO Application CIO / GCIO CIO Q2 (One Our ICT services could
portfolio systems are providing Portfolio Management (APM) off, but be providing greater
analysis value and where they survey, which will give insights other value.
are not. into our application portfolio, related
We know what options including risks and opportunities assurance
are available in the to increase value. activities
market. will follow)

2 Ageing Software that is no Quarterly tracking of outdated CIO ICT Operations Quarterly Our ICT services could
systems report longer supported and software and infrastructure to give Manager be providing greater
outdated infrastructure visibility on status of systems. value.
is replaced. Report to the CIO.
2,4 Infrastructure Infrastructure is well Current and target state of CIO Infrastructure Q1 Our ICT services could
status and managed to ensure it infrastructure is reported and Manager (Annual) be providing greater
strategy is providing business linked to current business strategy value.
report. value. /objectives. Report to the CIO.
2,4 Network The network is well Performance reporting to CIO with CIO Network Monthly ICT systems may not
monitoring managed and meets commentary on linkage to Administrator provide sufficient
summary business needs. changing business requirements. storage and
performance.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 17 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

2,4 User survey The network is well Users complete a survey on a CIO ICT Operations Q1 Our ICT services could
managed and meets number of areas such as network Manager (Annual) be providing greater
business needs. latency, download speeds, value.
application crashes. Users are
asked to identify how IT
We track and follow up ICT systems may not
applications and infrastructure
on incidents related to provide sufficient
can better help them achieve their
storage and storage and
goals.
performance. performance..

Other objectives
2 Storage Storage is well Performance reporting to CIO with CIO Network Monthly ICT systems may not
monitoring managed and meets commentary on linkage to Administrator provide sufficient
summary business needs. changing business requirements. storage and
performance.
2 Software All our software is Compliance review and report of CIO Risk team Q3 Our ICT services could
license audit properly licensed. software licenses across the be providing greater
application portfolio. value.
Staff may be using
unlicensed software
and this may result in
a legal penalty or
security breach.
1,2 Unapproved Staff are installing only Compliance review of installed ITSM Security team Monthly Information may be
software audit approved software. software using automated tools. accessed / accessible
by unauthorised
person.
1,2 Unapproved Staff are not using Compliance review of installed ITSM Security team Monthly Information may be
cloud / web unapproved cloud software using automated tools. accessed / accessible
service audit services (Dropbox, by unauthorised
Gmail). person.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 18 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

3 Disaster Disaster recovery can Test of disaster recovery plan, CISO ICT Operations Quarterly Capability / capacity to
recovery test restore systems in and report of results with analysis Manager provide IT services
and report accordance with and recommendations. may be lost following a
business requirements disaster / outage.
Suppliers may not be
protecting our
information (including
DR).
3 Independent Disaster recovery Review of disaster recovery plans CISO Internal audit Q3 (Tri- Capability / capacity to
review of BCP plans and controls are and comparison to recognised annual) provide IT services
/ DR plans robust and fit for good practice controls and may be lost following a
purpose. procedures. disaster / outage.
3,5 Reporting on Devices / processes Results of power testing included Supplier Data centre Monthly Capability / capacity to
success of ensure uninterruptible in monthly SLA reporting pack. Manager provider provide IT services
power tests power may be lost following a
disaster / outage.
Suppliers may not be
protecting our
information (including
DR).
3,5 Test restore of Our data can be Test restore of data, with ITSM ICT Operations Quarterly Capability / capacity to
data from restored from backup. summary report and Manager provide IT services
backup recommendations. may be lost following a
disaster / outage.
3 Verification of Details in our disaster Administrator verifies and updates ITSM ICT administrator Monthly Capability / capacity to
DR plan key recovery plans are up details. and as provide IT services
contact to date. needed may be lost following a
numbers disaster / outage.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 19 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

3 Business Disaster recovery Critical functions are assessed in CIO Business continuity Q4 Capability / capacity to
Impact plans are aligned with a BCP / DR context and RPO and response team (Annual) provide IT services
Analysis business RTO are reconfirmed. leads, with may be lost following a
requirements. business input disaster / outage.
4,5 Performance / We track and follow up Performance and storage ICT Service desk Monthly ICT systems may not
storage on incidents related to summary, including metrics and Operations provide sufficient
incident storage and incident summary. Manager storage and
reporting performance. performance.
1,3,5 GCIO cloud Cloud systems can Complete risk assessment and Chief CIO One per Information may be
assessment provide sufficient related tool as per the GCIO Executive cloud accessed / accessible
tool storage and publication Cloud Computing: supplier. by unauthorised
performance Information Security and Privacy For new person.
Considerations. systems Suppliers may not be
this will be protecting our
We have considered
done information (including
good practice in
alongside DR).
managing cloud
certification
suppliers.
. For
existing
systems,
refer to
schedule.

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 20 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

4 Operational We have sufficient Analysis of current staffing levels CIO ICT Operations New We may not have
staffing needs operations and vs. forecasted needs, considering Manager updates enough staff with the
analysis management staff with existing skill sets. Reporting to monthly right skills to meet our
the right skills. CIO. following objectives related to
last years ICT.
big review.
Q4
(Annual
major
review,
monthly
updates)

5 Supplier We have considered Analysis of the framework and CIO Internal Audit Q1 (One- Suppliers may not
Management good practice in templates for supplier off) perform and/or
Framework managing cloud management plans. opportunities to
Review suppliers. increase value may be
missed.
1,3,4,5 Key supplier We monitor and SLA reports from suppliers rolled CIO ICT Operations Monthly Suppliers may not
SLA assess the reports up into monthly report on key Manager perform and/or
dashboard provided by suppliers. KPIs with additional analysis. opportunities to
increase value may be
missed.
1,3,5 Supplier We track important Incident and breach reporting CIO ICT Operations Monthly Suppliers may not be
issues / supplier issues to from suppliers rolled up into Manager (Based on protecting our
breach report resolution. monthly summary with additional ongoing monitoring information (including
analysis. of breach / incident DR).
register).

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 21 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
Risk Assurance Control Objective Specific Activity and Deliverable Owner Assurance Provider Frequency / Key Risk
Area Activity Timing High / Medium
(see
Legend)

1,5 Verification of Supplier independent Review of current status of any ITSM Security team Q1 Suppliers may not be
supplier certifications / reports relevant third-party certifications (Annual) protecting our
certifications are sufficient and claimed by suppliers. information (including
current. DR).
4,5 Strategic Supplier strategy is Check-up on alignment of CIO CIO Q3 Current suppliers may
analysis of aligned with longer business strategy, ICT strategy, (Annual) not be able to continue
projected term business goals. and supplier capability projected to meet business
needs vs. to 1, 2 and 5 years. needs into the future.
supplier
capability

Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.

FY 2016 ICT Operations Assurance Plan (SAMPLE) May 2015 Page 22 of 24


This is an illustrative example only it should not be taken as a benchmark or government policy
The following activities have been deferred to FY17 for the reasons stated in Section 2.3:

| Risk Area (see Legend) | Assurance Activity | Control Objective | Specific Activity and Deliverable | Owner | Assurance Provider | Frequency | Key Risk (High / Medium) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | Review of supplier management plans | Controls and procedures are in place to manage suppliers consistently and effectively. | Internal audit assessment of a sample of plans to see if they align with the supplier management framework. | ICT Operations Manager | Internal audit | Bi-annual | Suppliers may not be protecting our information (including DR). Suppliers may not perform and/or opportunities to increase value may be missed. |
| 5 | Supplier health checks | Suppliers are reviewed for their viability. | Analysis of factors that could impact future performance of key suppliers. | CIO | ICT Operations Manager | Annual | Current suppliers may not be able to continue to meet business needs into the future. |
| 4 | ICT governance review | Our governance groups have sufficient ICT understanding. | Survey of ICT and non-ICT governance groups that impact ICT. Do they need more training to better inform decisions related to ICT? | CIO | External consultant | Bi-annual | We may not have enough staff with the right skills to meet our objectives related to ICT. |
| 4 | Functional staffing needs analysis | We have sufficient second and third line (functional) staff with the right ICT skills (e.g. Security, Risk, Internal Audit). | Input is solicited from ITSM, Privacy Officer, Risk and Internal Audit on the state of their current skill sets with regard to ICT. | CIO (Other functional leads retain accountability for their staffing) | Functional Managers, reporting to CIO | Annual | We may not have enough staff with the right skills to meet our objectives related to ICT. |
| 4 | Capacity planning | We forecast demand to plan strategically for capacity. | Using modelling tools, update capacity forecast, applying scenario analysis. Report. | CIO | ICT Operations Manager | Quarterly | ICT systems may not provide sufficient storage and performance. |

