While attending one of the ISACA continuous professional education (CPE) sessions related to optimizing IT spending using COBIT 5 practices, it was surprising to realize that many IT audit and assurance professionals who attended the session confided having difficulty in initiating governance of enterprise IT (GEIT) and wished they had more insight on where to begin when implementing GEIT in their respective organization. This article describes the experience of initiating GEIT at the Ministry of Manpower (MoMP), Sultanate of Oman.
The Primary Stakeholders
The MoMP was established to regulate the labor market by providing a stable work environment with a productive national workforce, with contributions from all three stakeholders (government, employers and employees), and to increase the percentage of national manpower in the private sector to enhance its role in supporting the national economy. One of the objectives of MoMP is building an integrated labor market information system and preparing the national labor force register with the aim of developing human resources (HR) in the country and ensuring their optimum utilization.
The Information Technology Authority (ITA), Sultanate of Oman, was established to implement national IT infrastructure projects and supervise all projects related to implementation of the Digital Oman Strategy while providing professional leadership to various other e-governance initiatives of the Sultanate. ITA serves as a competency center on best practices in e-governance and in harnessing information and communication technologies (ICTs), thereby offering efficient and timely services, integrating processes, and improving efficiency in service delivery.
In alignment with the eOman e-Transformation vision of 2020 as part of the Digital Oman Strategy, ITA mandated that the services provided by all the Ministries be transformed into electronic format and, consequently, qualified as many as 145 key government services that MoMP provides to the sponsors (companies), residents (expatriates) and citizens (Omani nationals) as part of the e-governance initiative.
As a response to the mandate, MoMP’s network and information security department and systems and applications development department set out to first implement an information security management system (ISMS) across the entire Ministry, adopting ISO/IEC 27001:2005 in 2010 and, subsequently, getting certified in 2011. It took until 2012 for the initiative to set up a project management department as a provision to effectively and efficiently manage the several IT projects associated with the MoMP e-Transformation Strategy. The project management department adopted a combination of the Projects in Controlled Environments version 2 (PRINCE2) methodology and the Project Management Institute’s A Guide to the Project Management Body of Knowledge (PMBOK Guide) for the project management system (PMS). Additionally, it adopted Information Technology Infrastructure Library version 3 (ITIL V3) as an IT service management (ITSM) methodology to manage the IT services provided to the internal and external stakeholders, and to manage the e-services provided to the MoMP beneficiaries.
The biggest challenge was the unstructured awareness, absence of training and the knowledge gap regarding IT governance among the stakeholders within MoMP. The situation was made trickier by the prevalence of inaccurate information and incorrect perceptions about the term “governance” itself. The “unlearning” and “relearning” was quite an uphill task, and it took most of the time and effort.
ITA also acknowledged¹ the challenges of obsolete technologies, lack of sharing of infrastructure and data, ad hoc application development and manual government services. As a solution, it introduced an enterprise architecture framework specifically designed for ministries and other government entities. The framework was aptly titled the Oman e-Governance Architecture Framework (OeGAF), a set of standards/best practices and process management systems to enhance the delivery of government services in alignment with the mission of ITA.
At MoMP, the ISMS was already quite mature and generally accepted by the stakeholders; however, since the PMS and the ITSM were relatively new, there were mixed feelings about the effectiveness and value of the additional systems. Furthermore, concerns were raised about the additional paperwork and documentation related to these two systems, which were perceived as a burden to an already overloaded MoMP staff of more than 5,000 employees across numerous branches, locations and directorates.
Another challenge was that while the ISMS was more prescriptive in nature, the PMS and the ITSM were more adaptive, more like guidelines. Hence, initially the ISMS team was somewhat reluctant to cooperate with the other two teams, fearing noncompliance in their control objectives.
Choosing a Framework
The PMS team realized that their current role needed enhancement to address the challenges at hand. Hence, it was transformed into a functional IT project and program management office (IT PMO), within the network and information security department and the systems and applications development department.
After conducting carefully facilitated workshops with the identified stakeholders, the IT PMO eased all fears and reluctance relating to common pain areas, and common functional and organizational objectives. Eventually, the ISMS and IT PMO teams joined hands forming the process engineering group (PEG) as a potential IT governance implementation team.
One of the critical points of the initial discussions was how to integrate the external mandates with three somewhat divergent management systems (ISMS, ITSM and PMS). Other points raised were: who would be held responsible and accountable for the different interdependent functional duties, and who would provide direction for the strategies.
The PEG team was tasked to research, review and analyze the drivers and the pain areas. It determined that the gap, or the missing piece, was IT governance, especially since MoMP had already embarked on the e-governance journey. Various options for implementing IT governance and the available frameworks were categorically and systematically reviewed and, finally, the PEG recommended COBIT 5 as the solution for the implementation of GEIT, specifically its five principles (figure 1).
Figure 1—COBIT 5 Principles
Source: ISACA, COBIT 5, USA, 2012
Steps to Initiate GEIT
MoMP took several steps to initiate GEIT (figure 2).
Figure 2—Steps to Initiate GEIT
Source: R. Banerjee, R. A. Al-Lawati and M. M. Al-Balushi. Reprinted with permission.
Once the gap in GEIT was confirmed, the first task of the PEG was training on GEIT and COBIT 5. Weekly training workshops were held for all the PEG members to enhance their knowledge of the COBIT 5 framework (COBIT 5 Foundation certificate), and, in turn, the PEG members conducted awareness workshops and informal discussions about GEIT and COBIT 5 with the rest of the MoMP IT staff members.
Next, the PEG drafted an outline of a business case for GEIT implementation, which was based on COBIT 5 Implementation.² Since ITA helped tremendously by surveying the external stakeholders through a nationwide landscape survey, as part of the e-Transformation Business Process Re-engineering (BPR) initiative for MoMP, the PEG simultaneously drafted a MoMP internal survey for assessing the IT challenges within the organization, especially for the network and information security department and the systems and applications development department. The survey was modeled on the GEIT pain points mapped to COBIT 5.³ To get better responses, the survey, which was initially presented in English, was translated to Arabic as well, and distributed among the staff while they attended a short awareness workshop on the subject.
Both the ITA’s BPR Landscape Survey and MoMP’s internal IT Challenges Survey reports served as starting reference points to address any additional drivers and to initially identify the relevant COBIT 5 and MoMP business processes to prioritize. These details were added in an executive-level recommendation report and presented to the directorate general (DG) of planning and development of MoMP, along with the outline business case and the updated survey results. A short visual presentation further elaborating the need for GEIT and for adopting COBIT 5 was conducted for the DG.
As a result of this meeting, the scope of the GEIT implementation program was finalized, and the initial mandatory processes from COBIT 5 and key performance indicators (KPIs) were agreed upon with the DG. This helped secure executive sponsorship from a business stakeholder and a business champion, which helped ensure the sustainability of the GEIT program in MoMP in the long term.
The GEIT journey for the MoMP is a long, but strategically positioned, initiative. The immediate next steps for GEIT include baselining the business case, preparing the GEIT implementation program plan, drafting and formulating IT governance policies and processes, forming the IT executive strategy committee and the IT governance steering committee in the MoMP, defining the IT-related goals, and conducting the “as-is” current state assessment using self-assessment guides such as the COBIT Process Assessment Model (PAM): Using COBIT 5 and ISO/IEC 15504.
Rohit Banerjee, CGEIT, COBIT 5 Implementation, ISO/IEC 38500 Lead IT Corporate Governance Manager, ISO 9001 LA & LI, ITIL V3 2011 Foundation, MSP Registered Practitioner, PMP, PRINCE2 Registered Practitioner, Six Sigma Black Belt
Is an IT governance and IT PMO consultant deputed at the Ministry of Manpower, Sultanate of Oman. He has more than 10 years of professional IT experience in IT solutions delivery, IT project and program management, and IT governance. He can be reached at RohitBanerjee@gmail.com.
Redha Ahmed Al-Lawati, C|CISO, DCES, DCIS, DCOM, ISO/IEC 27001 LA
Is the director of the network and information security department at the Ministry of Manpower, Sultanate of Oman. He is recognized as one of the outstanding contributors to the development of OeGAF, and is active in various GCC and international e-governance forums. He is a globally recognized e-transformation and e-governance leadership dignitary.
Maqbool Mohammed Al-Balushi, CCNA, CEH, CISSP, ISO/IEC 27001 LA, MCSE
Is the deputy director of the network and information security department at the Ministry of Manpower, Sultanate of Oman, and is responsible for the network and information security. He has more than 14 years of extensive IT experience in IT strategy, information security, IT infrastructure and IT services.
¹ United Nations Public Service Award, Public Administration, Oman eGovernment Architecture Framework: Sultanate of Oman (OeGAF), nomination profile
² ISACA, COBIT 5 Implementation, USA, 2012, p. 71, Appendix D
³ Ibid., p. 61, Appendix A