Department of Public Service Delivery (DPSD)
ICT Operations Assurance Plan
2015
Version 0.9
31 May 2015
IMPORTANT: This document provides an illustrative example of a populated ICT operations
assurance plan and does not reflect the actual risks or controls of a particular agency.
Agencies using this template must determine what assurance activities are required based on
their own assessment. Sample text in this document should not be used in actual assurance
plans unless it reflects the true position of the agency. All names of individuals in this
document are fictional.
Document Approval

| Approval step | Name / Title | Sign-off Date |
| --- | --- | --- |
| Recommended by Chief Information Officer | | |
| Recommended by Head of Agency Risk / Assurance | | |
| Approved by Chief Executive | | |
| Received and filed by GCIO ICT Assurance | | |
DOCUMENT CONTROL

Document History

| Version | Issue Date | Author | Description of Changes |
| --- | --- | --- | --- |
| 0.1 | 31/1/15 | Jim Riskowner | Initial draft |
| 0.2 | 15/2/15 | Jim Riskowner | Inserted risks and ratings |
| 0.3 | 18/2/15 | Jim Riskowner | Populated schedule |
| 0.4 | 20/2/15 | Jim Riskowner | Updated schedule |
| 0.5 | 3/3/15 | Jim Riskowner | Updated schedule |
| 0.6 | 3/4/15 | Robert Chackitout | Updated schedule |
| 0.7 | 1/5/15 | Paul Schmidt | Updated schedule |
| 0.8 | 15/5/15 | Maria Veracruz | Inserted references to attachments |
| 0.9 | 31/5/15 | Jim Riskowner | Draft to GCIO |
Key Contacts

| Name | Title | Contact Details |
| --- | --- | --- |
| Robert Chackitout | Chief Information Officer | 04 000 0000 |
| Jen Locktight | Chief Information Security Officer | 022 000 000 |
| Jude Gardener | Head of Risk / Assurance | 022 000 001 |
| Jim Riskowner | Principal IT Risk Advisor | 04 000 0000, 027 000 0000 |
FY 2016 Assurance Plan – Version 0.9 (Web SAMPLE)
31 May 2015
This is an illustrative example only – it should not be taken as a benchmark or government policy
Page 2 of 24
Table of Contents

1. CONTEXT (page 4)
   1.1 Key Objectives and Outcomes (page 4)
   1.2 Scope and Approach (page 4)
   1.3 Key Risks (page 5)
   1.4 Roles, Accountability and Responsibilities – Overall Plan (page 6)
   1.5 Monitoring and Reporting Process (page 7)
   1.6 Referenced Documents (page 8)
2. ASSURANCE SCHEDULE OVERVIEW (page 9)
   2.1 Assurance Approach (page 9)
   2.2 Lessons Learned (page 9)
   2.3 Decisions / Assumptions (page 10)
   2.4 Roles, Accountability and Responsibilities – Individual Activities (page 10)
   2.5 Assurance Budget (page 11)
   2.6 Assurance Schedule (page 11)
3. DETAILED ASSURANCE SCHEDULE (page 12)
1. CONTEXT

1.1 Key Objectives and Outcomes
The objective of this document is to outline how over the course of FY16 our agency will obtain
confidence that ICT operations will support and enable our agency’s key business objectives.
In order to carry out its mandate of managing key risks and system-wide risks, the Government
Chief Information Officer (GCIO) has required that all departments and agencies submit ICT
operations assurance plans covering significant risk areas by 30 June 2015.
ICT risks are business risks
In fulfilling our mandate to deliver services to the public, we depend on the effective, secure and
reliable operation of our ICT systems. In addition, opportunities frequently arise to leverage
technology to improve our business outcomes. We must be able to both maintain the operation of
our existing ICT systems, and be in a position where our agency’s leaders can confidently take
advantage of technology-enabled opportunities.
Our business, operational, and support functions face a number of risks due to their reliance on ICT
to both support and enable their objectives. Some risks have negative consequences, and some
are clear opportunities. Good management of risks, embedded in all business decisions, helps
ensure we are efficient, effective, and focussed on the outcomes that matter most to those we
serve.
Following our organisation’s risk management framework and methodology, we continually assess
our ICT operations risks and apply mitigations to bring risk within an acceptable tolerance.
This ICT Operations Assurance Plan outlines the assurance activities planned for FY15/16 to
provide objective evidence that controls and other mitigations are working. These activities may
include, for example: analysis of information obtained through monitoring, routine or special reviews
by management or governance bodies, and audits / reviews by internal or external parties.
In the area of ICT security, our agency has been responding to surveys by the GCIO which have
sought information on our governance, policy, and controls for securing publicly accessible systems.
In our responses to these surveys we have committed to achieving a “3” on the survey’s maturity
scale by March 2015. A “3” indicates:
    “A structured IT security assurance programme is in place. The programme is approved and
    regularly reviewed by an independent governance group.”
This plan, with its strong focus on ICT security, will fulfil our commitment to having a structured
programme of assurance in place.
1.2 Scope and Approach
This assurance plan is part of the agency’s overall risk management and assurance approach, and
specifically covers ICT operations risk areas: i.e. business-as-usual (non-project) risks related to the
technology with which we manage and transmit our information.
The GCIO has informed us of the top 5 system risk areas self-identified by agencies in its ICT
Operations Risk Survey, which took place in March 2014. These are:

- Information Security Management (including the security aspects of Privacy)
- Service Continuity Management
- Service Portfolio Management
- Capacity Management
- Supplier Management.
Our Senior Leadership Team has confirmed that these top 5 risk areas are indeed the significant
risk areas for our organisation. We have over 30 critical operational systems, including 15 public-facing
systems, and our reputation and ability to deliver services depends on these systems being
secure and available. In addition, we can increase our effectiveness and return on investment by
strategically managing our service portfolio and the capacity of our systems and people. Finally,
with more of our systems and support being outsourced, including to the ‘cloud’, we need to have
confidence in our own ability to confirm that our suppliers meet expectations, and to obtain
assurance from them.
Our assurance planning process will continue to evolve over at least the next three years. As we
proceed along the journey toward risk management and assurance maturity, we will bring other
areas of ICT operations into our formal annual plans. While this year we have prioritised and are
including the highest risk areas in the formal plan, there are many other assurance activities
occurring regularly across other ICT operational areas.
As described in Section 2.1, in collaboration with stakeholders, we have arrived at this plan by:

- Identifying our specific risks within each of the top 5 risk areas
- Determining what assurance activities were already planned
- Identifying where there were assurance gaps
- Deciding which assurance activities would be most valuable to add or revise over the coming
  year.
We then created a schedule of assurance activities for FY15/16 that is achievable and, most
importantly, will be of value to decision makers.
1.3 Key Risks
As a result of the process described in Section 1.2, at a high level, and within the “top 5” risk areas,
we identified the following key risks:
| Key Risks | Current Risk Rating |
| --- | --- |
| 1. Information may be accessed / accessible by unauthorised person. | High |
| 2. Our ICT services could be providing greater value. | High |
| 3. Capability / capacity to provide IT services may be lost following a disaster / outage. | High |
| 4. Suppliers may not be protecting our information (including DR). | High |
| 5. Suppliers may not perform and/or opportunities to increase value may be missed. | High |
| 6. We may not have enough staff with the right skills to meet our objectives related to ICT. | Moderate |
| 7. Staff may be using unlicensed software and this may result in a legal penalty or security breach. | Moderate |
| 8. Current suppliers may not be able to continue to meet business needs into the future. | Moderate |
| 9. ICT systems may not provide sufficient storage and performance. | Moderate |
1.4 Roles, Accountability and Responsibilities – Overall Plan
The table below outlines the key roles and responsibilities in developing and managing this plan.
| Area | Responsibility | Role | Name |
| --- | --- | --- | --- |
| 1. Accountability | Overall accountability for the assurance plan. Acceptance of the residual business risk. | Chief Executive | Helen Beck |
| 2. Responsibility: 2i. Preparation | Preparation / sign-off of the assurance plan (annually). | Chief Information Officer | Robert Chackitout |
| | Recommendation of the assurance plan to the Chief Executive. | Chief Information Officer; Head of Risk / Assurance | Robert Chackitout; Jude Gardener |
| 2ii. Monitoring | Ongoing monitoring of progress against this plan, and the consolidated results of the assurance activities. | Chief Information Officer | Robert Chackitout |
| | Ongoing monitoring of progress against this plan, and the consolidated results of the assurance activities. | Head of Risk / Assurance | Jude Gardener |
| | Updating the plan mid-cycle in response to changing priorities. | Chief Information Officer, in consultation with Head of Risk / Assurance | Robert Chackitout |
| | Tracking of action items (such as control improvement initiatives and remediations). | Chief Information Officer, to be provided status updates monthly by assigned action owners | Robert Chackitout |
| 2iii. Reporting | Approval of monthly assurance summary report (see Section 1.5). | Chief Information Officer; Head of Risk / Assurance | Robert Chackitout; Jude Gardener |
| | Preparation and distribution of monthly assurance summary report (see Section 1.5). | Principal IT Risk Advisor | Jim Riskowner |
| | Reporting of assurance results to the Risk and Audit Committee. | Head of Risk / Assurance | Jude Gardener |
| 2iv. Quality | Quality of plan and monthly assurance reporting. | Chief Information Officer | Robert Chackitout |
| 3. Contributing | Contributing to the plan, confirming the scope / timing of assurance activities they sponsor. | Chief Information Officer; Chief Information Security Officer; Privacy Officer; Chief Operating Officer; Head of Risk / Assurance; Manager, Internal Audit | Robert Chackitout; Jen Locktight; Tina Flavell; Simon Weyland; Jude Gardener; Cynthia Cho |

1.5 Monitoring and Reporting Process
The results of each assurance activity will be reported to stakeholders as detailed in the terms of
reference, standard operating procedure, or other document that defines each activity. A list of
those to receive the results must be agreed for each activity.
In addition, assurance providers must send the results of completed assurance activities to the CIO
and Principal ICT Risk Advisor as soon as the results are finalised, or sooner if the results indicate a
serious issue or urgent opportunity. On a monthly basis, the Principal ICT Risk Advisor (in the
Office of the CIO) will compile these results into a Monthly ICT Operations Assurance Summary
for the CIO.
The Monthly ICT Operations Assurance Summary will include at a minimum:

- Progress against the plan (are the assurance activities on schedule? on budget?)
- Key results from the previous month (summary)
- Indication of increasing or decreasing confidence in controls over each key risk from Section
  1.3 (key risk dashboard)
- Any new risks identified (with a summary of how these were escalated / recorded)
- Any new adjustments needed to assurance or controls (with action plans)
- Challenges and successes.
The CIO and Head of Risk / Assurance will review and approve the Monthly ICT Operations
Assurance Summary, directing where necessary on any new risks or adjustments to the plan.
Copies will then be made available to the Senior Leadership Team and the Chief Executive.
The Head of Risk / Assurance will report quarterly to the Risk and Audit Committee on the progress
of the ICT Operations Assurance plan, and escalate to the Risk and Audit Committee any critical
risks. Protocols for this reporting have been added to the Internal Audit and Risk charters, and
supporting procedures documents.
Notwithstanding the above process, any significant new risks or assurance information must be
escalated immediately to the appropriate level. In some cases it will be appropriate to communicate
assurance results and/or key risks (including opportunities) to the GCIO to support its system-wide
view; the scope of this reporting will be agreed with the GCIO.
The results of the assurance activities, and lessons learned from the process, will be used to inform
the development of the FY16/17 Annual ICT Operations Assurance Plan, which will be developed
beginning in February 2016 and completed by 30 June 2016.
1.6 Referenced Documents
Appendix 1 – Final Risk and Mitigation Register, May 2015
Appendix 2 – Risk Appetite statement, January 2015
2. ASSURANCE SCHEDULE OVERVIEW

2.1 Assurance Approach
To develop the assurance schedule for FY15/16, we first sought to understand the relevant risks
within each of the top 5 areas. We liaised with Risk, Internal Audit, managers, the Senior
Leadership Team and other stakeholders to collect information on risks and controls they had
already identified. For new risks or risks that were not yet rated, we worked with stakeholders to
evaluate the risks, with due consideration of the “risk appetite” of our agency, and identified controls.
Next, we sought to determine what activities were already planned or underway to give us
assurance the controls are managing the risks. Through this process, we identified some areas
where we felt there was not enough assurance in place, and other areas where different assurance
providers would be duplicating assurance effort.
Where there were gaps, we worked with assurance providers to identify new activities to give us the
assurance we need. We also identified actions for further improving controls. Throughout the
process, we consulted key internal and external stakeholders to understand their assurance
expectations.
We then created a schedule of assurance activities for FY15/16 that is achievable and, most
importantly, that will be of value to decision makers.
2.2 Lessons Learned
As this is our first annual plan, we are not carrying over lessons learned from a previous year.
However, our Chief Information Officer and Head of Risk / Assurance attended several GCIO
workshops in which other agencies shared the lessons they had learned in developing and
implementing formal assurance plans.
Agencies reported that key to the success of an operations assurance plan is good engagement
between ICT and the business on risks. Those responsible for implementing this plan should help
the business and ICT understand and agree to the linkage between business objectives and ICT
risks. In this way ICT staff will have greater appreciation for the business goals ICT supports, and
business managers will have a better appreciation of how ICT risks impact their goals. If this is
done well, it will be clear that assurance planning is not a compliance exercise, but a driver of value
for the organisation.
In developing this plan we held three workshops with business and ICT management stakeholders
and team leaders to discuss the linkage between business goals and ICT risks. These were
valuable discussions that helped those who will direct ICT assurance activities better understand the
current priorities of business managers. The discussions also helped shape the focus, frequency
and scope of assurance activities for the upcoming year. The business managers who participated
obtained a better understanding of the ICT risks and opportunities that underlie the initiatives and
deliverables that are top of mind for them. Following the workshops, we saw increased engagement
and more frequent discussions between ICT and the business at multiple levels, reflecting a new,
common understanding of risk and the value of assurance.
2.3 Decisions / Assumptions
Due to a limited assurance budget, we were not able to include in our FY15/16 schedule assurance
activities covering all the controls and other mitigations that work to keep our risk within an
acceptable level.[1]
For example, we were only able to schedule limited coverage of the moderate risk areas in scope
(areas 6-9 in Section 1.3). However, we have planned at least one assurance activity in each area.
We note that in many areas of ICT, new controls are being embedded to bring the level of risk within
the “risk appetite” expressed by the Senior Leadership Team (Appendix 2). Implementing these
controls has a cost, as does providing for continued assurance over them. Some of this cost can be
recovered through efficiencies identified through the assurance activities themselves (e.g. some
assurance activities pay for themselves).
Better management of the service portfolio and supplier management are two areas in scope where
the assurance investment is most likely to result in tangible cost savings and direct financial value to
ICT and the agency in the near and long term.
2.4 Roles, Accountability and Responsibilities – Individual Activities
As discussed above, many parties will be involved in providing the required assurance, including:

- Front line staff – Routine checks.
- Management – Monitoring and upward reporting of KPIs, risks and issues.
- Service desk – Aggregate reporting on events, incidents, and problems.
- Risk team – Risk registers, operational monitoring reports and deep-dive reviews to help us
  manage risk.
- Security team – Oversight on patch levels, vulnerabilities, security incidents, and other areas.
- Privacy team – Breach reporting and analysis by which we can assess our privacy controls.
- Internal audit – Scheduled ICT audits according to the three-year internal audit plan.
- External audit – External audit procedures which may provide assurance.
- Security contractor – Services such as independent controls testing and penetration testing to
  help us identify exposures.
- Data centre provider – Monitoring reports, notifications, and SLA reporting as agreed. Also
  provides annual “SOC2” assurance reports which independently confirm its controls are in
  place.
- Supplier manager – Monitoring the performance of suppliers, including obtaining assurance
  from them.
- Management consultants – Assessments of where we can achieve more value for our ICT
  investment, and better align our initiatives to our strategic and operational goals.
- External agencies / regulators – Views on compliance and risk within the context of their
  mandates.
- GCIO – Shared information on system-wide risks, lessons learned, assurance guidance.
[1] This response is to illustrate that GCIO expects agencies to report any difficulties in meeting assurance requirements,
including resource constraints. A statement like this would likely be followed up with discussions with GCIO as to whether
the decision to delay the needed assurance is reasonable.

For each activity, there will be two primary functional roles as follows:

- The activity owner, or sponsor, will be the management-level employee or executive who must
  ensure that the assurance activity is carried out and that the results are delivered according to a
  terms of reference or similar agreement.
- The assurance provider is responsible for carrying out the activity according to the terms of
  reference, and delivering results in a timely manner.
Specific activities and deliverables are listed in the Assurance Schedule (Section 3).
2.5 Assurance Budget
The estimated cost of the FY15/16 assurance activities is as below. This amount comes from
various departmental budgets, including Risk, Internal Audit, and other functional teams, in addition
to ICT, and is a rough estimate of the cost only. The estimate does not include assurance costs
borne by suppliers.
Although risk and assurance are ultimately part of everything we do, the amount below does not
include the cost of all controls or routine risk management activities embedded in business-as-usual
operational processes. It includes only the assurance activities that report upward to give us
confidence that our controls and mitigations are working.
| | NZD $ |
| --- | --- |
| Estimated Assurance Cost | $xxx,xxx |

2.6 Assurance Schedule

Refer to Section 3 for the schedule of assurance activities planned for FY16.
3. DETAILED ASSURANCE SCHEDULE
Below are the assurance activities that will occur in FY16 over ICT Operations:
Risk
Area
(see
Legend)
Assurance
Activity
Control Objective
Specific Activity and Deliverable
1, 3
User access
reviews
Access to network /
system / folders is
authorised
ICT sends list of current users to
department heads and supplier
managers, also noting users with
remote access. Department
heads review and sign off
attesting that access for users in
their area is appropriate.
Exceptions must be noted with
evidence of follow-up attached.
ITSM reviews for completeness.
1
Remote
access token
audit
Remote access is
authorised.
1
User access
controls audit
Logical access is
generally wellcontrolled.
Owner
Assurance Provider
Frequency /
Timing
Key Risk
High / Medium
CIO
Department heads,
Supplier managers
ITSM reviews for
completeness
Quarterly
Information may be
accessed / accessible
by unauthorised
person.
Staff may be using
unlicensed software
and this may result in
a legal penalty or
security breach.
Physical stocktake of remote
access tokens and comparison
with token register maintained by
ICT.
ITSM
Security team
Q2
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
Review of the design and
effectiveness of user access
controls. Internal Audit produces
a report with recommendations.
Management (department heads)
are responsible for providing a
response and remedial actions for
any findings.
Manager,
Internal
Audit
Internal audit
Q3 (Triannual)
Information may be
accessed / accessible
by unauthorised
person.
Department
heads
(response
and
actions)
Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.
FY 2016 ICT Operations Assurance Plan (SAMPLE)
May 2015
This is an illustrative example only – it should not be taken as a benchmark or government policy
Page 12 of 24
Risk
Area
(see
Legend)
Assurance
Activity
Control Objective
Specific Activity and Deliverable
Owner
Assurance Provider
Frequency /
Timing
Key Risk
High / Medium
1
Encryption
testing
Data is encrypted as
per our security
standards
Security staff run a series of tests
on network segments or functions
where encryption is required.
ITSM
Security team
Q1, Q4
(Twice
yearly)
Information may be
accessed / accessible
by unauthorised
person.
1
Review of
privileged user
access (logs)
Super-user access to
the network, operating
system and direct
access to the
databases is
authorised and
monitored.
Risk team reviews system activity
logs on a sample basis to
determine whether activity by
privileged users is appropriate.
Risk
Manager
Risk team
Q4
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
1
Review of
privileged user
access
(controls)
Super-user access to
the network, operating
system and direct
access to the
databases is
authorised and
monitored.
Internal Audit reviews the design
and effectiveness of controls
related to super user and direct
data access.
Manager,
Internal
Audit
Internal Audit
Q3
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
Suppliers may not be
protecting our
information (including
DR).
1
Sensitive data
alert review.
Super-user access to
the network, operating
system and direct
access to the
databases is
authorised and
monitored.
Internal audit tests alerts on
sensitive data tables to ensure
triggers are working, and reviews
a sample of historical alerts to see
whether appropriate follow-up
was done.
ITSM
Internal Audit
Monthly
Information may be
accessed / accessible
by unauthorised
person.
1,5
Site alarm
testing and
report review
Data centre is alarmed
at perimeter and at
internal doors.
Service provider tests alarms, and
the data centre manager reviews
and reports on the results of
testing, and on alerts and alarms
raised during the week.
Supplier
manager
Data centre
provider
Weekly,
reported in
data centre
provider’s
monthly
report
Information may be
accessed / accessible
by unauthorised
person.
Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.
FY 2016 ICT Operations Assurance Plan (SAMPLE)
May 2015
This is an illustrative example only – it should not be taken as a benchmark or government policy
Page 13 of 24
Risk
Area
(see
Legend)
Assurance
Activity
Control Objective
Specific Activity and Deliverable
Owner
Assurance Provider
Frequency /
Timing
Key Risk
High / Medium
1,5
Review of door
/ server rack
access logs
Data centre door
access is limited to
authorised staff.
Data centre manager reviews
access logs for doors and server
racks and compares against
authorised access list. Signs
check sheet to evidence review.
Supplier
manager
Data centre
provider
Weekly,
reported in
data centre
provider’s
monthly
report
Information may be
accessed / accessible
by unauthorised
person.
1
Inspections of
locks, cabling,
network jacks
at all offices
Sensitive ICT
equipment and access
points at our offices
are secured.
Security team members inspect
for physical security exposures at
all sites using a good practice
checklist.
ITSM
Security team
Q1
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
1,5
Review of site
visitor logs
Visitors to the data
centre are authorised.
Supplier manager compares
visitor access log and systemgenerated logs to the list of preauthorised visitors. Supplier
manager signs off that all visitors
were authorised.
Supplier
manager
Supplier manager
(Based on
documentation
provided by data
centre manager)
Monthly
Information may be
accessed / accessible
by unauthorised
person.
ISAE (NZ) 3000 Service
Organisation Controls Report on
AICPA Trust Service Principles.
The report follows the SOC 2
model (USA/Canada).
ITSM
1,3,4,5
SOC 2 report
on data centre
controls
Physical access is
generally wellcontrolled.
Devices / processes
ensure uninterruptible
power.
Suppliers may not be
protecting our
information (including
DR).
Data centre
provider orders
report by an
independent
service auditor
(Data centre
provider funds the
review)
Q1
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
Suppliers may not be
protecting our
information (including
DR).
Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.
FY 2016 ICT Operations Assurance Plan (SAMPLE)
May 2015
This is an illustrative example only – it should not be taken as a benchmark or government policy
Page 14 of 24
Risk
Area
(see
Legend)
Assurance
Activity
Control Objective
Specific Activity and Deliverable
Owner
Assurance Provider
Frequency /
Timing
Key Risk
High / Medium
1,5
External
penetration
test
Network perimeter is
secured against
intrusion.
Set of tests run by a security
contractor simulating an attack via
the Web. Security contractor
provides a report with findings
and recommendations.
Supplier
manager
Security contractor
Q1
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
1
Internal
penetration
test
Systems are secured
against internal attack.
Set of tests run by a security
contractor simulating an attack
from within the agency. Security
contractor provides a report with
findings and recommendations.
ITSM
Security contractor
Q1
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
1
Fraud Risk
Review
Systems are secured
against internal attack.
Fraud risks are assessed and
ranked, possibly identifying ICT
exposures. Report produced, and
actions identified.
CISO (with
regard to
the ICTrelated
risks)
Internal audit
Q3
(Annual)
Information may be
accessed / accessible
by unauthorised
person.
1
Critical and
high security
patch level
reporting
Important software
patches are applied.
Security team reports on
outstanding critical and high
security patches, noting any
approved exemptions and
timetable for patching.
ITSM,
Technical
leads
(response
and
actions)
Security team
provides report.
Monthly
Information may be
accessed / accessible
by unauthorised
person.
Vulnerability
mitigation
reports
Vulnerabilities are
managed.
Security team reports on known
vulnerabilities and mitigations.
Report is updated monthly.
ITSM
Security team
(requires input from
technical leads)
Monthly
Information may be
accessed / accessible
by unauthorised
person.
1
Technical leads are
assigned to
complete
remediation.
Legend: Key risk areas = (1) Information Security Mgmt.; (2) Service Continuity Mgmt.; (3) Service Portfolio Mgmt.; (4) Capacity Mgmt., (5) Supplier Mgmt.
FY 2016 ICT Operations Assurance Plan (SAMPLE)
May 2015
This is an illustrative example only – it should not be taken as a benchmark or government policy
Page 15 of 24
Risk Area: 1
Assurance Activity: Privacy breach reporting and analysis
Control Objective: Privacy breaches are reported and assessed.
Specific Activity and Deliverable: Privacy officer reviews and reports on breaches reported during the previous month, identifying trends, internal control weaknesses, and lessons learned.
Owner: Privacy officer
Assurance Provider: Privacy officer
Frequency / Timing: Monthly
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Privacy controls review
Control Objective: Privacy controls are being followed.
Specific Activity and Deliverable: Internal audit assesses the privacy controls in place, testing for control effectiveness.
Owner: Chief executive
Assurance Provider: Internal audit
Frequency / Timing: Q1 (Biannual)
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Privacy impact analysis (PIA) updates
Control Objective: Privacy risks are revisited when systems undergo changes impacting privacy.
Specific Activity and Deliverable: Triggered by CAB flagging of changes that might have a privacy impact, systems are re-assessed for privacy. Artefacts are produced that supplement the original PIA.
Owner: Privacy officer
Assurance Provider: Privacy team in collaboration with system owner and technical leads
Frequency / Timing: Upon changes to systems that could impact privacy
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Privacy maturity assessment
Control Objective: Our privacy maturity is known and continuously improved.
Specific Activity and Deliverable: Privacy specialists conduct a high-level maturity assessment of privacy practices, assessing against the Privacy Act.
Owner: Privacy officer
Assurance Provider: Privacy contractor
Frequency / Timing: Q4 (Biannual)
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Security training / induction summary reporting
Control Objective: Employees and contractors are inducted and periodically trained on their security responsibilities.
Specific Activity and Deliverable: Security team verifies that all new starters during the previous month (employees and contractors) have received security induction and have signed off on the acceptable use policy.
Owner: ITSM
Assurance Provider: Security team
Frequency / Timing: Monthly
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Internal security breach analysis
Control Objective: We use learnings from internal security breaches to strengthen our security programme.
Specific Activity and Deliverable: Roll-up analysis of any internal security breaches that occurred during the previous two quarters, including instances of security policy / acceptable use violations.
Owner: ITSM
Assurance Provider: Security team
Frequency / Timing: Q2 and Q4 (Twice yearly)
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.
Risk Area: 1
Assurance Activity: System accreditation
Control Objective: Systems are accredited.
Specific Activity and Deliverable: Systems are formally accredited and the residual risk accepted, following a robust certification process. (Cost estimate includes certification.)
Owner: Chief executive
Assurance Provider: CISO
Frequency / Timing: Upon renewal of accreditation
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1
Assurance Activity: Accreditation status reporting
Control Objective: Systems are accredited.
Specific Activity and Deliverable: Monthly updates from CISO to CIO on the certification and accreditation status of systems.
Owner: CIO
Assurance Provider: CISO
Frequency / Timing: Monthly
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 2
Assurance Activity: Application portfolio analysis
Control Objective: We know where our systems are providing value and where they are not. We know what options are available in the market.
Specific Activity and Deliverable: Complete the GCIO Application Portfolio Management (APM) survey, which will give insights into our application portfolio, including risks and opportunities to increase value.
Owner: CIO / GCIO
Assurance Provider: CIO
Frequency / Timing: Q2 (One-off, but other related assurance activities will follow)
Key Risk (High / Medium): Our ICT services could be providing greater value.

Risk Area: 2
Assurance Activity: Ageing systems report
Control Objective: Software that is no longer supported and outdated infrastructure are replaced.
Specific Activity and Deliverable: Quarterly tracking of outdated software and infrastructure to give visibility of the status of systems. Report to the CIO.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency / Timing: Quarterly
Key Risk (High / Medium): Our ICT services could be providing greater value.

Risk Area: 2,4
Assurance Activity: Infrastructure status and strategy report
Control Objective: Infrastructure is well managed to ensure it is providing business value.
Specific Activity and Deliverable: Current and target state of infrastructure is reported and linked to current business strategy / objectives. Report to the CIO.
Owner: CIO
Assurance Provider: Infrastructure Manager
Frequency / Timing: Q1 (Annual)
Key Risk (High / Medium): Our ICT services could be providing greater value.

Risk Area: 2,4
Assurance Activity: Network monitoring summary
Control Objective: The network is well managed and meets business needs.
Specific Activity and Deliverable: Performance reporting to CIO with commentary on linkage to changing business requirements.
Owner: CIO
Assurance Provider: Network Administrator
Frequency / Timing: Monthly
Key Risk (High / Medium): ICT systems may not provide sufficient storage and performance.
Risk Area: 2,4
Assurance Activity: User survey
Control Objective: The network is well managed and meets business needs. We track and follow up on incidents related to storage and performance.
Specific Activity and Deliverable: Users complete a survey on a number of areas such as network latency, download speeds, and application crashes. Users are asked to identify how IT applications and infrastructure can better help them achieve their goals.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency / Timing: Q1 (Annual)
Key Risk (High / Medium): Our ICT services could be providing greater value. ICT systems may not provide sufficient storage and performance.

Other objectives

Risk Area: 2
Assurance Activity: Storage monitoring summary
Control Objective: Storage is well managed and meets business needs.
Specific Activity and Deliverable: Performance reporting to CIO with commentary on linkage to changing business requirements.
Owner: CIO
Assurance Provider: Network Administrator
Frequency / Timing: Monthly
Key Risk (High / Medium): ICT systems may not provide sufficient storage and performance.

Risk Area: 2
Assurance Activity: Software license audit
Control Objective: All our software is properly licensed.
Specific Activity and Deliverable: Compliance review and report of software licenses across the application portfolio.
Owner: CIO
Assurance Provider: Risk team
Frequency / Timing: Q3
Key Risk (High / Medium): Our ICT services could be providing greater value. Staff may be using unlicensed software and this may result in a legal penalty or security breach.

Risk Area: 1,2
Assurance Activity: Unapproved software audit
Control Objective: Staff are installing only approved software.
Specific Activity and Deliverable: Compliance review of installed software using automated tools.
Owner: ITSM
Assurance Provider: Security team
Frequency / Timing: Monthly
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.

Risk Area: 1,2
Assurance Activity: Unapproved cloud / web service audit
Control Objective: Staff are not using unapproved cloud services (Dropbox, Gmail).
Specific Activity and Deliverable: Compliance review of cloud / web service usage using automated tools.
Owner: ITSM
Assurance Provider: Security team
Frequency / Timing: Monthly
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person.
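The software license audit and the unapproved software audit above both run off the same inventory export: one compares what is installed against an approved catalogue, the other compares install counts against licensed seats. The block below is an added example in Python, not tooling from the sample plan or any agency; the catalogue, seat counts, hosts and product names are constructed. The detail worth noticing is the name normalisation: inventory tools routinely report one product with differing case or spacing, and without it an approved product is reported as unapproved.

```python
# Constructed approved-software catalogue (assumed): product -> licensed seats,
# or None when the product is freely licensed / unlimited.
APPROVED = {
    "Acme Office": {"seats": 2},
    "Sample Browser": {"seats": None},
    "Corp VPN Client": {"seats": 10},
}

# Constructed inventory rows, in the shape an automated inventory tool might export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "user": "alice", "product": "Acme Office"},
    {"host": "ws-02", "user": "bob", "product": "acme  office"},        # case/spacing differ
    {"host": "ws-03", "user": "carol", "product": "Acme Office"},       # third install vs 2 seats
    {"host": "ws-01", "user": "alice", "product": "Sample Browser"},
    {"host": "ws-02", "user": "bob", "product": "Unlisted Sync Tool"},  # not in the catalogue
    {"host": "ws-03", "user": "carol", "product": "Unlisted Sync Tool"},
    {"host": "ws-03", "user": "carol", "product": "Corp VPN Client"},
]


def normalise(name):
    """Fold case and collapse whitespace so catalogue and inventory names compare equal."""
    return " ".join(name.lower().split())


def audit_installed_software(inventory, approved):
    """Return unapproved installs (product -> hosts) and licence over-use (product -> counts).

    A host counts once per product, so two inventory rows for the same host do not
    consume two seats.
    """
    approved_by_key = {normalise(name): name for name in approved}
    installs = {}    # canonical product name -> set of hosts
    unapproved = {}  # product name as reported -> set of hosts
    for row in inventory:
        canonical = approved_by_key.get(normalise(row["product"]))
        if canonical is None:
            unapproved.setdefault(row["product"], set()).add(row["host"])
        else:
            installs.setdefault(canonical, set()).add(row["host"])
    over_licensed = {}
    for product, hosts in installs.items():
        seats = approved[product]["seats"]
        if seats is not None and len(hosts) > seats:
            over_licensed[product] = {"installed": len(hosts), "seats": seats}
    return {
        "unapproved": {p: sorted(h) for p, h in unapproved.items()},
        "over_licensed": over_licensed,
        "installed": {p: sorted(h) for p, h in installs.items()},
    }


if __name__ == "__main__":
    result = audit_installed_software(SAMPLE_INVENTORY, APPROVED)
    for product, hosts in result["unapproved"].items():
        print(f"UNAPPROVED  {product}: {', '.join(hosts)}")
    for product, counts in result["over_licensed"].items():
        print(f"OVER-LICENSED  {product}: {counts['installed']} installed, {counts['seats']} seats")
```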
Risk Area: 3
Assurance Activity: Disaster recovery test and report
Control Objective: Disaster recovery can restore systems in accordance with business requirements.
Specific Activity and Deliverable: Test of disaster recovery plan, and report of results with analysis and recommendations.
Owner: CISO
Assurance Provider: ICT Operations Manager
Frequency / Timing: Quarterly
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

Risk Area: 3
Assurance Activity: Independent review of BCP / DR plans
Control Objective: Disaster recovery plans and controls are robust and fit for purpose.
Specific Activity and Deliverable: Review of disaster recovery plans and comparison to recognised good practice controls and procedures.
Owner: CISO
Assurance Provider: Internal audit
Frequency / Timing: Q3 (Triannual)
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage.

Risk Area: 3,5
Assurance Activity: Reporting on success of power tests
Control Objective: Devices / processes ensure uninterruptible power.
Specific Activity and Deliverable: Results of power testing included in monthly SLA reporting pack.
Owner: Supplier Manager
Assurance Provider: Data centre provider
Frequency / Timing: Monthly
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage. Suppliers may not be protecting our information (including DR).

Risk Area: 3,5
Assurance Activity: Test restore of data from backup
Control Objective: Our data can be restored from backup.
Specific Activity and Deliverable: Test restore of data, with summary report and recommendations.
Owner: ITSM
Assurance Provider: ICT Operations Manager
Frequency / Timing: Quarterly
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage.

Risk Area: 3
Assurance Activity: Verification of DR plan key contact numbers
Control Objective: Details in our disaster recovery plans are up to date.
Specific Activity and Deliverable: Administrator verifies and updates details.
Owner: ITSM
Assurance Provider: ICT administrator
Frequency / Timing: Monthly and as needed
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage.
Risk Area: 3
Assurance Activity: Business Impact Analysis
Control Objective: Disaster recovery plans are aligned with business requirements.
Specific Activity and Deliverable: Critical functions are assessed in a BCP / DR context and RPO and RTO are reconfirmed.
Owner: CIO
Assurance Provider: Business continuity response team leads, with business input
Frequency / Timing: Q4 (Annual)
Key Risk (High / Medium): Capability / capacity to provide IT services may be lost following a disaster / outage.
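The "Test restore of data from backup" and "Business Impact Analysis" rows together define what a passing restore test actually means: the restored data must be intact, the most recent backup must be young enough to satisfy the reconfirmed RPO, and the restore must complete inside the RTO. The check below is an added example in Python, not code from the sample plan or any agency; the systems, RPO/RTO figures, backup timestamps and file contents are all constructed. It fails closed (no backup or no test means no pass) and treats a restore that completes but returns altered data as a failure, which a "did the job finish?" report would miss.

```python
import hashlib
from datetime import datetime

# Assumed RPO / RTO in minutes per system, as the BIA would reconfirm them.
# Illustrative values, not the sample plan's.
SAMPLE_SYSTEMS = {
    "payments": {"rpo_min": 60, "rto_min": 240},
    "intranet": {"rpo_min": 1440, "rto_min": 2880},
    "hr-portal": {"rpo_min": 240, "rto_min": 480},
}

# Constructed "now" and backup catalogue (time of the last successful backup).
SAMPLE_NOW = datetime(2015, 5, 31, 9, 0)
SAMPLE_BACKUPS = {
    "payments": datetime(2015, 5, 31, 6, 0),   # 180 min old: breaches the 60-minute RPO
    "intranet": datetime(2015, 5, 30, 22, 0),  # 660 min old: within the 24-hour RPO
    "hr-portal": datetime(2015, 5, 31, 8, 0),  # 60 min old: within RPO
}

# Constructed restore-test results. `source_sha256` is the digest recorded when the
# backup was taken; `restored_bytes` is what actually came back from the restore.
_SRC = {
    "payments": b"ledger,2015-05-31,ok\n",
    "intranet": b"<html>intranet</html>\n",
    "hr-portal": b"employee_id,grade\n1001,A\n",
}
SAMPLE_RESTORE_TESTS = {
    "payments": {"duration_min": 90, "source_sha256": hashlib.sha256(_SRC["payments"]).hexdigest(),
                 "restored_bytes": _SRC["payments"]},
    "intranet": {"duration_min": 200, "source_sha256": hashlib.sha256(_SRC["intranet"]).hexdigest(),
                 "restored_bytes": _SRC["intranet"]},
    "hr-portal": {"duration_min": 100, "source_sha256": hashlib.sha256(_SRC["hr-portal"]).hexdigest(),
                  "restored_bytes": _SRC["hr-portal"][:-1]},  # truncated restore: last byte lost
}


def integrity_ok(test):
    """A restore only counts if the restored content hashes to the recorded digest."""
    return hashlib.sha256(test["restored_bytes"]).hexdigest() == test["source_sha256"]


def assess_restore_tests(systems, backups, restore_tests, now):
    """Return, per system, whether RPO, RTO and integrity were met plus an overall pass.

    Missing backups or missing tests fail closed: no evidence means no pass.
    """
    results = {}
    for name, targets in systems.items():
        backup_at = backups.get(name)
        test = restore_tests.get(name)
        age_min = (now - backup_at).total_seconds() / 60 if backup_at else None
        r = {
            "backup_age_min": age_min,
            "rpo_met": age_min is not None and age_min <= targets["rpo_min"],
            "rto_met": test is not None and test["duration_min"] <= targets["rto_min"],
            "integrity_ok": test is not None and integrity_ok(test),
        }
        r["pass"] = r["rpo_met"] and r["rto_met"] and r["integrity_ok"]
        results[name] = r
    return results


if __name__ == "__main__":
    outcome = assess_restore_tests(SAMPLE_SYSTEMS, SAMPLE_BACKUPS, SAMPLE_RESTORE_TESTS, SAMPLE_NOW)
    for name, r in outcome.items():
        failed = [k for k in ("rpo_met", "rto_met", "integrity_ok") if not r[k]]
        age = "n/a" if r["backup_age_min"] is None else f"{r['backup_age_min']:.0f} min"
        print(f"{name:10} {'PASS' if r['pass'] else 'FAIL'}  backup age {age}; failed: {failed or 'none'}")
```

In a real quarterly test the digest would come from the backup catalogue and the restored bytes from the restored file; the comparison logic is unchanged.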
Risk Area: 4,5
Assurance Activity: Performance / storage incident reporting
Control Objective: We track and follow up on incidents related to storage and performance.
Specific Activity and Deliverable: Performance and storage summary, including metrics and incident summary.
Owner: ICT Operations Manager
Assurance Provider: Service desk
Frequency / Timing: Monthly
Key Risk (High / Medium): ICT systems may not provide sufficient storage and performance.

Risk Area: 1,3,5
Assurance Activity: GCIO cloud assessment tool
Control Objective: Cloud systems can provide sufficient storage and performance. We have considered good practice in managing cloud suppliers.
Specific Activity and Deliverable: Complete risk assessment and related tool as per the GCIO publication "Cloud Computing: Information Security and Privacy Considerations."
Owner: Chief Executive
Assurance Provider: CIO
Frequency / Timing: One per cloud supplier. For new systems this will be done alongside certification. For existing systems, refer to schedule.
Key Risk (High / Medium): Information may be accessed / accessible by unauthorised person. Suppliers may not be protecting our information (including DR).
Risk Area: 4
Assurance Activity: Operational staffing needs analysis
Control Objective: We have sufficient operations and management staff with the right skills.
Specific Activity and Deliverable: Analysis of current staffing levels vs. forecasted needs, considering existing skill sets. Reporting to CIO.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency / Timing: Q4 (Annual major review, monthly updates). New updates monthly following last year's big review.
Key Risk (High / Medium): We may not have enough staff with the right skills to meet our objectives related to ICT.

Risk Area: 5
Assurance Activity: Supplier Management Framework Review
Control Objective: We have considered good practice in managing cloud suppliers.
Specific Activity and Deliverable: Analysis of the framework and templates for supplier management plans.
Owner: CIO
Assurance Provider: Internal Audit
Frequency / Timing: Q1 (One-off)
Key Risk (High / Medium): Suppliers may not perform and/or opportunities to increase value may be missed.

Risk Area: 1,3,4,5
Assurance Activity: Key supplier SLA dashboard
Control Objective: We monitor and assess the reports provided by suppliers.
Specific Activity and Deliverable: SLA reports from suppliers rolled up into a monthly report on key KPIs with additional analysis.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency / Timing: Monthly
Key Risk (High / Medium): Suppliers may not perform and/or opportunities to increase value may be missed.

Risk Area: 1,3,5
Assurance Activity: Supplier issues / breach report
Control Objective: We track important supplier issues to resolution.
Specific Activity and Deliverable: Incident and breach reporting from suppliers rolled up into a monthly summary with additional analysis.
Owner: CIO
Assurance Provider: ICT Operations Manager (based on ongoing monitoring of the breach / incident register)
Frequency / Timing: Monthly
Key Risk (High / Medium): Suppliers may not be protecting our information (including DR).
Risk Area: 1,5
Assurance Activity: Verification of supplier certifications
Control Objective: Supplier independent certifications / reports are sufficient and current.
Specific Activity and Deliverable: Review of current status of any relevant third-party certifications claimed by suppliers.
Owner: ITSM
Assurance Provider: Security team
Frequency / Timing: Q1 (Annual)
Key Risk (High / Medium): Suppliers may not be protecting our information (including DR).

Risk Area: 4,5
Assurance Activity: Strategic analysis of projected needs vs. supplier capability
Control Objective: Supplier strategy is aligned with longer term business goals.
Specific Activity and Deliverable: Check-up on alignment of business strategy, ICT strategy, and supplier capability projected to 1, 2 and 5 years.
Owner: CIO
Assurance Provider: CIO
Frequency / Timing: Q3 (Annual)
Key Risk (High / Medium): Current suppliers may not be able to continue to meet business needs into the future.
The following activities have been deferred to FY17 for the reasons stated in Section 2.3:

Risk Area: 5
Assurance Activity: Review of supplier management plans
Control Objective: Controls and procedures are in place to manage suppliers consistently and effectively.
Specific Activity and Deliverable: Internal audit assessment of a sample of plans to see if they align with the supplier management framework.
Owner: ICT Operations Manager
Assurance Provider: Internal audit
Frequency: Bi-annual
Key Risk (High / Medium): Suppliers may not be protecting our information (including DR). Suppliers may not perform and/or opportunities to increase value may be missed.

Risk Area: 5
Assurance Activity: Supplier health checks
Control Objective: Suppliers are reviewed for their viability.
Specific Activity and Deliverable: Analysis of factors that could impact the future performance of key suppliers.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency: Annual
Key Risk (High / Medium): Current suppliers may not be able to continue to meet business needs into the future.

Risk Area: 4
Assurance Activity: ICT governance review
Control Objective: Our governance groups have sufficient ICT understanding.
Specific Activity and Deliverable: Survey of ICT and non-ICT governance groups that impact ICT: do they need more training to better inform decisions related to ICT?
Owner: CIO
Assurance Provider: External consultant
Frequency: Bi-annual
Key Risk (High / Medium): We may not have enough staff with the right skills to meet our objectives related to ICT.
Risk Area: 4
Assurance Activity: Functional staffing needs analysis
Control Objective: We have sufficient second and third line (functional) staff with the right ICT skills (e.g. Security, Risk, Internal Audit).
Specific Activity and Deliverable: Input is solicited from ITSM, Privacy Officer, Risk and Internal Audit on the state of their current skill sets with regard to ICT.
Owner: CIO (other functional leads retain accountability for their staffing)
Assurance Provider: Functional Managers, reporting to CIO
Frequency: Annual
Key Risk (High / Medium): We may not have enough staff with the right skills to meet our objectives related to ICT.

Risk Area: 4
Assurance Activity: Capacity planning
Control Objective: We forecast demand to plan strategically for capacity.
Specific Activity and Deliverable: Using modelling tools, update the capacity forecast, applying scenario analysis. Report.
Owner: CIO
Assurance Provider: ICT Operations Manager
Frequency: Quarterly
Key Risk (High / Medium): ICT systems may not provide sufficient storage and performance.