In many local government units, more and more matters can be handled online, such as submitting applications to the communications department, accessing public information remotely or monitoring the status of a case. The same is true at Bydgoszcz City Hall.
IT increasingly important
As citizen facilities increase, so does the importance of the IT department. Customer service applications and the office’s internal IT systems (for resource management, finance, human resources), as well as the communications network, data center and virtual infrastructure, require competence and high standards of work.
In the Bydgoszcz office, nearly 1,000 users in seven locations are connected in a common network and work with more than 40 application systems. Data is stored and processed by 20 servers and more than 100 network devices in two data processing centers. The entire ICT infrastructure is supervised by 30 employees of the Information Technology Department.
Increasing the scope of services provided by IT to citizens and employees of the office and the associated increase in infrastructure spending is associated with a change in the perception of IT’s role. The department has become an important link in improving the efficiency of the office’s work and a partner for other organizational units in creating quality services.
This, in turn, necessitated a shift in priorities – now, instead of technology, operations are focused on process management and service delivery.
In the relationship between the IT Department and other departments, many analogies can be found with the “pure" service provider-customer business relationship. Consequently, the tasks performed by IT are subject to parameterization and evaluation, and it is natural to strive to improve quality and expand the scope of services.
The increase in responsibilities has resulted in a shortage of tools to measure indicators and the degree of achievement of goals when assessing the quality and efficiency of services and management of programs and projects carried out by the Bydgoszcz City Hall. It has also been diagnosed that changes are needed in the operating model and organization of work, and there is a lack of a process approach to the activities carried out.
IT management methodologies in Bydgoszcz
At the Bydgoszcz City Hall, work has been underway since 2008 to implement an Integrated Information Security Management System ISO/IEC 27001 and ISO/IEC 20000 IT Service Management System based on ITIL best practices.
The result of the project “Implementation of methodologies for managing IT services, projects and programs at the Bydgoszcz City Hall", supervised by an accreditation company, will be the application in the daily practice of the office of a system of principles and good practices created and developed by an agency of the British government – the Office of Government Commerce.
The project included the purchase of world-class IT applications necessary for the application of new working methods, a P2MSP application for planning and managing projects and programs, and IT service management systems software. A series of training courses covered dozens of employees of the office who supervise the smooth functioning of IT systems, use them in the work on the Bydgoszcz Development Program, and are also associated with investor services.
The project has received funding from Iceland, Liechtenstein and Norway through the European Economic Area Financial Mechanism.
Audit objectives, techniques and tools
One of the stages of the project, which is expected to culminate in obtaining ISO/IEC 27000 and ISO/IEC 20000 certificates, is an IT audit conducted by BCC specialists in November and December 2010. Its purpose was to check whether the adopted policies, procedures and standards are not only maintained at the level established at the beginning of the project, but also whether their development and improvement is taking place.
Security standards used in IT audit at UM Bydgoszcz
ISO/IEC 20000 – Information Technology Service Management Systems – introduces a process approach to IT service management. The standard consists of two parts, ISO/IEC 20000-1:2005 and ISO/IEC 20000-2:2005. The first presents the requirements that a management system must meet in order to be certified to the standard. The second provides guidance and indicates what must be done to meet the requirements outlined.
ISO/IEC 27001 – Information Security Management Systems – covers all issues related to the protection of information created, stored and processed within a company. The standard proposes the use of a process approach to establish, implement, operate, monitor, maintain and improve the effectiveness of an ISMS.
COBIT (Control Objectives for Information and related Technology) – a standard developed by ISACA and the IT Governance Institute, a set of IT Governance best practices that can be used in particular by information systems auditors.
ITIL (Information Technology Infrastructure Library) – a code of conduct for IT departments. A set of recommendations on how to efficiently and effectively deliver IT services.
BS 25999 – a standard developed by BSI, deals with the area of business continuity management. The standard replaces the withdrawn PAS-56 specification. BS 25999 consists of two standards. The first – BS 25999-1:2006 is a set of guidelines that introduce processes, principles and terminology. The second – BS 25999-2 is the standard against which a certificate of conformity can be awarded. It defines the requirements for implementing business continuity control measures.
During the audit, BCC consultants used the following techniques and tools, among others: familiarization with documentation, obtaining explanations and information, observation of tasks performed, visual inspection, checklists, graphic analysis of processes.
In audits, tests of control procedures are performed on samples, so they do not detect every weakness in those procedures; further limitations may stem from errors or potential fraud.
Therefore, for an audit to be adequate, it is necessary to have a strong commitment from both parties – the inquisitiveness of the auditor and the integrity of the auditee.
Audit – first phase
At Bydgoszcz City Hall, the audit was divided into four phases. In the first, BCC consultants, together with the director of the IT Department, defined the scope and schedule of work. The structure of the department and external companies (suppliers, customers, service institutions) was analyzed, as well as the legal and technical-organizational conditions in the context of ISO systems.
All departmental employees were interviewed, analyzing IT processes: service planning and deployment, reporting, service level and availability management, performance management, budgeting and accounting for IT services, incident and problem management, information security and relationship management (customers/suppliers), configuration, change and version management.
The consistency of assumptions and documentation with actual practices in the organization (security policy, organizational structure and process responsibilities, security organization, asset classification and control, personal, physical and environmental security, systems and network management, access control, system development and maintenance, business continuity management) was checked.
Based on the information obtained, a checklist was edited and used to interview end users from other departments. IT process documentation was also reviewed in terms of information and system classification, risk analysis, procedure and policy. Performance measures of the IT process flow in the IT Department were verified.
Second phase – IT service management
In the second phase, the degree of adoption of the ISO/IEC 20000 and ITIL v3 processes was verified. The following processes were audited:
- Financial management for IT services – analysis of the financial policy of service management, which takes into account budgeting and accounting objectives,
- IT service continuity management – ensuring agreed continuity and availability of services for the authority’s departments in all circumstances,
- Capacity management – ensuring that the service provider’s capacity is consistently at a level that can meet the current and future demands of the Bydgoszcz City Hall,
- Availability management – ensuring that IT services are provided within the commitments adopted in the SLA,
- Information security management – ensuring efficient and effective protection of information in all service-related activities,
- Incident management – restoring the agreed service as soon as possible,
- Problem management – minimizing business disruption by identifying and analyzing the cause of incidents and bringing problems to closure,
- Change management – gaining confidence that all changes are evaluated, approved, implemented and checked in a controlled manner,
- Version management – delivering, distributing and tracking one or more changes that create a release in a production environment,
- Configuration management – defining and controlling service and infrastructure components and maintaining accurate configuration information.
The third phase – information security
The ISO/IEC 27001 Information Security Management System audit, conducted in the third phase, covered activities within the processes defined in the standard:
- Risk analysis, internal audits, management system review (review of procedures and risk handling plan, internal audit plan and reports; analysis of management system review data),
- Information security policy (verification of the policy and its knowledge and implementation by the department’s employees; ways to promote ISO/IEC 27001 in the office; review and update of the policy),
- Internal organization (role, function and responsibilities of the Information Security Management Forum; ordinances; main duties and responsibilities of the board’s information security officer; review of position cards and confidentiality agreements with suppliers),
- Responsibility for assets (verification of the procedure for classifying information and assets),
- Human resources security (verification of the recruitment procedure and management of access control in the event of a change of position or departure of an employee from the IT Department; analysis of contracts with subcontractors),
- Secured areas (verification of access control to the building, rooms and server rooms; verification of remote working rules),
- Operational procedures and responsibilities (verification of the change management procedure; analysis of room allocation for test, development and production equipment; verification of vendor contracts for IT security and SLA parameters; verification of ongoing monitoring and tuning of production systems; analysis of on-call and monitoring records; verification of backup policy, antivirus and email usage policy),
- Access control (verification of access control policies and password management),
- Acquisition, development and maintenance of systems (verification of policies for the use of cryptographic security),
- Incident management (verification of incident management procedure; incident records; corrective and preventive actions),
- Business continuity management (verification of business continuity management strategy, business continuity plan procedures, test plan, test records),
- Legal compliance (review of documentation required by GIODO; legality of software, license management; analysis of technology audits).
Dress rehearsal
I am convinced that in any institution or company maintaining its own ICT infrastructure as it grows, there will be a need for a structured management system. It is important to recognize this need at the right time. In an environment that is too small, formal management systems can only be unnecessary ballast for the organization, and their added value may be unnoticeable. Recognizing this need too late means a huge effort during the project due to the need to implement a major business change in a functioning environment.
Evaluating our project in retrospect, I think we should have done some activities a little earlier. On the other hand, I think it is extremely important that from the very beginning we looked for ready-made, working and proven solutions. That’s why we chose methodologies that are a collection of good practices successfully operating in the British administration.
Using proven and generally accepted standards has a positive impact on the implementation itself, as well as making the way IT operates at Bydgoszcz City Hall clear and transparent from the point of view of both our internal customers and external partners or contractors.
The direct beneficiary of the IT management system, like any management system, is the management of the office. It is a tool for optimizing the costs of maintaining ICT systems that support the work of individual organizational units. From the perspective of employees, the management system means, on the one hand, additional responsibilities related to the need to record the activities performed, and on the other hand, clear and legible work rules. Although directly invisible to residents, the management system translates into improved efficiency and rationalization of public administration spending, which is in the interest of every taxpayer.
In preparing for the certification audit, we were looking for a company that would point out deficiencies and those elements that need to be improved in the internal audit cycle. The overriding value for us is a smoothly functioning management system, and the certificate is to be a confirmation of this, not a value in itself. That’s why we were looking for a partner who is competent in the area of methodical IT management, as well as using these principles himself. I must admit that we hoped that in addition to verification of the compliance of our system with the guidelines of the standards, we would also get guidance and recommendations based on experience and the use of good practices in daily operations. And we managed to find such a partner.
The value of the audit carried out by a consultant from BCC (currently All for One Poland), in my opinion, lies mainly in the valuable comments and exchange of experience. We received recommendations in the area of service level management, resource management or business continuity. We have already implemented most of them. The recommendations, which I would particularly like to emphasize, are of a very practical nature, carrying real added value for the Bydgoszcz City Hall.
The management system will be verified by subjecting it to certification for compliance with the requirements of the ISO 20000 and ISO 27000 standards. The certification audit will take place in January 2011. The certification body will be TÜV Nord.
Marek Staniewski, Director of the Department of Information Technology, Bydgoszcz City Hall
The fourth phase – business continuity
In the fourth phase, the business continuity management strategy of the IT Department was audited against the BS 25999 standard. The documentation analyzed included: the procedure for creating business continuity plans, the business continuity plans developed for IT systems, and the plans for recovery of lost resources (a catalog of the processes and applications covered by the project, with their POUZ parameters specified: RTO – Recovery Time Objective, RPO – Recovery Point Objective, BWO – Backup Window Objective, NRO – Network Recovery Objective, MDL – Maximum Data Loss; and disaster scenarios).
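The recovery objectives listed above are only useful if the operating backup and restore arrangements actually satisfy them, which is exactly the kind of gap an audit of recovery plans looks for. The following is an added example, not code from the article or from Bydgoszcz City Hall: it checks a constructed catalog of systems, each with its RTO, RPO, BWO, NRO and MDL, against constructed observations (backup interval, measured backup duration, measured restore time, measured network recovery time) and reports every objective that is not met. The rules it applies are assumptions stated in the comments: worst-case data loss equals the backup interval, service restore starts only after the network is back, and RPO should be no looser than MDL.

```python
"""Check recovery plans against their RTO/RPO/BWO/NRO/MDL objectives.

Added example with constructed data; the catalog entries, observations and
check rules are illustrative assumptions, not values from the audited office.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjectives:
    """Objectives recorded for one system in the business-continuity catalog."""
    name: str
    rto_h: float  # Recovery Time Objective: max hours until service is back
    rpo_h: float  # Recovery Point Objective: max hours of data that may be lost
    bwo_h: float  # Backup Window Objective: max hours a backup run may take
    nro_h: float  # Network Recovery Objective: max hours to restore the network
    mdl_h: float  # Maximum Data Loss the business tolerates, in hours of work


@dataclass(frozen=True)
class ObservedPlan:
    """What the current backup/restore arrangements actually deliver (measured)."""
    backup_interval_h: float  # time between two successive backups
    backup_duration_h: float  # measured length of one backup run
    restore_time_h: float     # measured restore time from the last recovery test
    network_restore_h: float  # measured time to bring the network back


def check_system(obj: RecoveryObjectives, plan: ObservedPlan) -> list[str]:
    """Return one finding per unmet objective; an empty list means compliant."""
    findings: list[str] = []

    # Assumption: worst-case data loss is everything written since the last
    # backup, i.e. the backup interval. If that exceeds the RPO, the RPO fails.
    if plan.backup_interval_h > obj.rpo_h:
        findings.append(
            f"RPO: backups every {plan.backup_interval_h}h exceed RPO of {obj.rpo_h}h")

    if plan.backup_duration_h > obj.bwo_h:
        findings.append(
            f"BWO: backup run of {plan.backup_duration_h}h exceeds window of {obj.bwo_h}h")

    if plan.network_restore_h > obj.nro_h:
        findings.append(
            f"NRO: network recovery of {plan.network_restore_h}h exceeds NRO of {obj.nro_h}h")

    # Assumption: application restore can only begin once the network is back,
    # so the two measured times add up to the achievable recovery time.
    total_recovery_h = plan.network_restore_h + plan.restore_time_h
    if total_recovery_h > obj.rto_h:
        findings.append(
            f"RTO: network + restore time of {total_recovery_h}h exceeds RTO of {obj.rto_h}h")

    # Assumption: the technical RPO must not be looser than the business MDL;
    # otherwise the catalog itself is internally inconsistent.
    if obj.rpo_h > obj.mdl_h:
        findings.append(
            f"RPO/MDL: RPO of {obj.rpo_h}h is looser than maximum data loss of {obj.mdl_h}h")

    return findings


def audit_catalog(catalog: list[tuple[RecoveryObjectives, ObservedPlan]]) -> dict[str, list[str]]:
    """Run check_system over every catalog entry, keyed by system name."""
    return {obj.name: check_system(obj, plan) for obj, plan in catalog}


# Constructed sample catalog: one compliant system and one with several gaps.
SAMPLE_CATALOG = [
    (RecoveryObjectives("tax-portal", rto_h=8, rpo_h=4, bwo_h=2, nro_h=2, mdl_h=4),
     ObservedPlan(backup_interval_h=4, backup_duration_h=1.5,
                  restore_time_h=3, network_restore_h=1)),
    (RecoveryObjectives("hr-system", rto_h=24, rpo_h=24, bwo_h=6, nro_h=4, mdl_h=8),
     ObservedPlan(backup_interval_h=24, backup_duration_h=7,
                  restore_time_h=22, network_restore_h=3)),
]


if __name__ == "__main__":
    for system, findings in audit_catalog(SAMPLE_CATALOG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{system}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

In the sample data the tax portal meets every objective, while the HR system shows three typical findings an auditor would raise: a backup run that no longer fits its window, a combined network-plus-restore time that overshoots the RTO by one hour, and a catalog entry whose RPO was never tightened to match the business's stated tolerance for data loss.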
Audit report
The result of the audit is a report presenting the current state and including recommendations for further improvement, corrective or remedial steps. The auditors’ recommendations concern procedures and organizational and technical solutions. Their implementation will help stabilize, standardize and clarify the scope of services and create consistent and complete documentation of IT infrastructure.
As a result, decisions will be made on the basis of available measurable indicators and targets, which will allow better use of internal resources and financial resources allocated for IT development at Bydgoszcz City Hall.
Defined ways of exchanging and distributing information will improve communication between customers, users and IT, and thus better support business processes in the office. Flexible and fast handling of new requirements in the IT strategy will shape the market-like relationship between the IT Department and its customers.