IT Governance and Change Management Proposal Education Department Western Australia (Case Analysis)

1. Executive Summary

Recent information technology (IT) audit cycles between 2017 and 2019 produced similar undesirable conclusions for multiple Western Australian (WA) State agencies, as reported by the WA Auditor General. The audit findings raised strong concerns about weaknesses in IT security and business continuity across the agencies. To rectify these recurring issues, the WA Department of Education (DoE) is taking the initiative to design and implement a new governance framework as the first pilot for improving the IT governance system in response to the weaknesses identified in the audit reports. Control Objectives for Information and Related Technologies (COBIT) 2019 is used to design the governance system, and the Queensland Change Management Plan Workbook and Template is used to manage the implementation so that the change is effective and sustainable.
This proposal provides an overview of the WA Auditor General’s reports and the DoE background. It also analyses the COBIT19 core models to produce an effective design of the IT governance system and develops a sustainable change management plan for its implementation.

2. Understanding the Background

The WA Auditor General performed comprehensive IT audits between 2016 and 2018 across 14 agencies. The three audit reports revealed that control weaknesses were found repeatedly around IT system security, security of sensitive information and business continuity, arising in both application controls and general computer controls (Auditor General Western Australia 2017, 2018, 2019).
In July 2017, DoE was reformed by merging the Department of Education and the Department of Education Services. The Department’s role influences the whole education system in Western Australia (Department of Education 2018a). Since 2018, the department’s strategic plan has been to provide an up-to-date curriculum, high quality teaching, effective leadership, good governance, a safe learning environment and strong collaboration (Department of Education 2018b). All schools use the Standing Operating Environment (SOE) for delivering online learning and content (MLA 2012). More than 100,000 students, parents and teachers use the online communication platform (Connect) across 75 schools, compared to approximately 70,000 users in the previous year (Department of Education 2018a).
Given the IT security weaknesses across WA agencies, coupled with the growth of users on DoE’s online services, the department could face severe consequences ranging from disruption of online learning delivery due to system failures to exposure of personal information in the event of a data breach.

3. The Design of Governance Framework

3.1. Overview of COBIT19

COBIT19 is a framework for the management and governance of IT. It guides enterprises in developing an IT governance system, based on the enterprise’s goals, with a dynamic and holistic approach that delivers stakeholder value. It also focuses on an end-to-end, tailored system in which governance and management activities are clearly distinguished (ISACA 2018b, 2018c).

3.2. Identifying and Analysing COBIT Core Models

To identify the governance and management objectives and practices, it is necessary to understand the DoE environment and associate it with the COBIT design factors. Below are the significant factors that drive decision making in establishing the governance system in DoE.
i. Strategy:
DoE is a government agency that is currently focused on delivering high quality education while facing financial constraints (Department of Education 2018a). As a result, the primary focus of the department is to provide stable services and the secondary focus is to minimise cost.
ii. Goals:
DoE’s goals also pay high attention to improving information security and business continuity.
Based on the COBIT mapping table and a significance analysis (see Appendix 1), there is 1 governance objective and 3 management objectives that need to be adhered to in order to strengthen the IT governance system. The governance objective is to optimise risk (EDM03), while the management objectives are to manage security services (DSS05), continuity (DSS04) and security (APO13).

3.3. Defining Key Practices and Challenges

3.3.1. EDM03 – Risk Optimisation
This governance objective ensures that IT-related risks in DoE are optimised and kept below the department’s risk appetite and tolerance, and that the impact of those risks is identified and managed. The department’s governance bodies must be the key participants in implementing the relevant practices, including evaluating, directing and monitoring risk management.
To ensure that the processes are effectively employed, the Minister of Education and Training should take accountability, while the Director General and Deputy Director General of the Department of Education, as well as the Chief Information Officer and the Director ICT Governance and Planning, should take responsibility for the performance of the practices.
By properly evaluating IT risks, IT security and business continuity risks in DoE are assessed and clearly defined, and thus the related practices for managing those risks are acknowledged and enforced more effectively. However, there might be cultural challenges, since ownership acceptance and commitment are required from the Minister of Education and Training, who is accountable for this objective.
3.3.2. APO13 – Security Management
This management objective is to limit the occurrence and severity of information security incidents in DoE to below the risk appetite level. To achieve the objective, an information security management system (ISMS), including standards, policies and approaches to securing technology and business processes, must first be established and maintained in alignment with business needs. A treatment plan is then defined according to business cases, with comprehensive recommendations on how the risks are to be managed. Regular communication of the plan and its updates must also be in place to provide ongoing assessment and improvement of the ISMS.
Managing security requires the accountability of a Chief Information Security Officer (CISO). However, since DoE does not have a CISO (Department of Education 2018a, p. 186), this role should temporarily be taken by the CIO, while the underlying levels need to be delegated the other responsibilities (see Appendix 2).
Proper implementation of security practices enables DoE to identify the information security risks that the department is prone to and to develop a reasonable approach to addressing them in a cost-effective manner. For instance, the department might focus on risks related to cloud-based solutions, since the student learning platform is an online solution. The main limitation DoE faces in adopting these practices is a competency shortage. The department may need to employ a CISO who has enough skill and experience in information security strategy to lead the adoption and to promote awareness of its necessity.
3.3.3. DSS04 – Continuity Management
This COBIT core model enables the business and IT organisation to respond properly to events that cause business disruption. The important practices that DoE must perform include defining the continuity plan objectives and scope, and developing and documenting the business continuity plan (BCP) and disaster recovery plan (DRP). Training must also be provided to all relevant internal and external people, and BCP and DRP testing and assessment should be conducted regularly.
The Deputy Director General Education Business Services should take accountability for this core model and assign the various responsibilities to the executives and directors underneath (see Appendix 2).
The benefit of this objective is to provide DoE with a set of controls safeguarding the continuous availability of business operations. Given that the department uses an online solution to manage student information and learning, solid plans such as deploying a secondary cloud solution and performing regular data replication can be defined as part of the scope to ensure online service continuity. Nevertheless, there are challenges related to staff training, because there are thousands of staff across the department and schools (Department of Education 2018a), and it might not be cost-effective to acquire additional services.
3.3.4. DSS05 – Managed Security Services
To address DoE’s primary focus, information security, this objective allows the department to create more concrete controls to protect information from the identified information security risks and to minimise the impact of any incidents. To succeed, various practices may also be required, such as managing network and infrastructure security, user identity management, logical and physical access, and protecting systems from malicious software.
A key difficulty is that all these practices need a competent CISO to be accountable for the managers beneath who are responsible for making them happen (see Appendix 2). In addition, cost is incurred because comprehensive tools need to be employed, for example security information and event management (SIEM), and a cultural adaptation to a more restrictive environment for user devices is involved when identity and access management systems are implemented.

4. Change Management Strategy

4.1. Change Vision

This change management plan is made for the IT governance system improvement. It will bring about changes in policies and processes in DoE and aims to enhance IT system security, information security and business continuity. Without improvement of IT governance, the risks associated with IT security and business continuity are unlikely to be minimised while the volume of information keeps increasing. Failing to protect the information will result in great reputational loss and expose WA citizens’ personal information to malicious actors.

4.2. Change Detail

Structure Change
1. The CIO’s role needs to be temporarily modified to include accountability and responsibility for information security risk management until the department appoints a CISO.
2. The CISO will have an independent office to oversee and operate all information security matters and their implementation.
People and Skills
Pre-requisite skills, such as the use of security service tools, should be provided to the IT teams under the CIO and CISO offices.

4.3. Approach

Stakeholders (by participating level)
Driver:
1. Minister of Education and Training
2. Director General Department of Education
3. Deputy Director General Education Business Services
Advocating:
1. Chief Information Officer
2. Director ICT Operations and Customer Services
3. Director ICT Governance and Planning
4. Director Integration, Build and Deployment
Active Participants:
Relevant department officers working under the 4 Advocates.
Willingness:
1. WA Auditor General
2. Executive Director Finance and Commercial Services
Understanding:
Director Business and Customer Services

Resistance Management
A survey is to be conducted before the implementation starts, targeting the CIO, Director ICT Operations and Customer Services, Director ICT Governance and Planning, and Director Integration, Build and Deployment offices, to ensure all key players clearly understand the vision and to foresee future barriers.
Change Management Team (role: member)
Project Steering Committee:
1. Minister of Education and Training
2. Director General Department of Education
3. Deputy Director General Education Business Services
Project Manager: Chief Information Officer
Communication Manager: Director ICT Governance and Planning
Governance Integration Manager: Director ICT Operations and Customer Services
Process Integration Manager: Director Integration, Build and Deployment

4.4. Strategy

Action Plan
The main activities to be completed include the following (see Appendix 3 for more detail).
1. Communicating the change
2. Pre-implementation survey
3. Pre-requisite skill training
4. Governance objective implementation
5. Management objective implementation
6. Awareness training
7. Feedback survey
8. Close of project
Communication Plan
The communication plan consists of the following key information (see Appendix 4 for more detail).
1. Vision
2. Key management involvement
3. Project timeline
4. Pre-requisite skill training
5. Implementation specification
6. Awareness training
7. Close of the project
Training Plan
The training to be conducted includes the following modules (see Appendix 5 for more detail).
1. Overview of COBIT19 (for executive and director levels)
2. Security awareness (for everyone)
3. Business continuity (for everyone)
4. Disaster recovery (for the IT team responsible for recovering systems)
5. Security incident response (for the IT team responsible for IT security monitoring)
Resistance Plan
From the survey completed in the previous stage, those who are likely to resist the change in the department can be identified. The Project Communication Manager can then conduct a consultation meeting to establish whether the resistance is caused by a misunderstanding of the key message or by other factors, and to find further remedial actions (see Appendix 6 for common root causes of change resistance and factors for overcoming them).

4.5. On-going Monitoring and Review

Upon completion of the implementation, DoE should consolidate all the strengths and challenges and properly document them as key lessons learned. This document can be used for evaluating post-implementation performance and effectiveness. In addition, a regular on-going internal audit function should be performed to monitor the consistency of performance. Where any business process changes are required, the IT governance system should be re-evaluated and new directions should be provided to align with those changes.

5. Conclusion

In conclusion, this report is written as a solution to strengthen IT governance in coping with the IT system security, information security and business continuity weaknesses identified by the Western Australian Auditor General, piloted in the Department of Education. Four COBIT core models are to be adopted in the department: risk optimisation, security management, security service management and continuity management. To some extent, there are challenges foreseen in the new governance system, including culture change, competency needs and cost incurrence. However, with the use of an adequate change management plan (the Queensland Change Management Plan Workbook), in which responsibilities are communicated and strategies and approaches are followed, the transition to the new governance system will not impact daily operations and will be sustainable in the Department of Education.

6. Appendices

Appendix 1: Mapping Process

From mapping the enterprise goals (ISACA 2018a, pp. 139-140), the following objectives are derived:
Education Department’s Goals
- (EG02) Managed business risk
- (EG06) Business continuity
Remark: based on the 2 goals of ensuring IT security and business continuity.
Alignment Goals
- (AG03) Managed I&T-related risk
- (AG07) Security of information, processing infrastructure and applications, and privacy
Remark: AG03 is excluded because most of its objectives are the same as AG07 and it is less significant.
Governance and Management Objectives
- (EDM03) Ensure risk optimisation
- (APO12) Managed risk
- (APO13) Managed security
- (BAI10) Managed configuration
- (DSS04) Managed continuity
- (DSS05) Managed security services
Remark: APO12 and BAI10 are excluded because they are less significant and due to the DoE budget constraint.

Appendix 2: RACI Charts

Security Management

Continuity Management (A = Accountable, R = Responsible, C = Consulted, I = Informed)

| Management Practices | Deputy Director General Education Business Services | Chief Information Officer | Director Business and Customer Services | Director ICT Operations and Customer Service | Director ICT Governance and Planning | Director Integration, Build and Deployment | Information Security Manager |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1. Identifying plan objectives and scope | A | R | R | C | I | R | I |
| 2. Developing and documenting business continuity plan (BCP) and disaster recovery plan (DRP) | A | R | R | C | I | R | I |
| 3. Reviewing and testing the plan | A | R | R | R | C | R | I |
| 4. Conducting training | A | I | R | C | C | I | I |

Security Services Management (A = Accountable, R = Responsible, C = Consulted, I = Informed)

| Management Practices | Chief Information Officer | Director Business and Customer Services | Director ICT Operations and Customer Service | Director ICT Governance and Planning | Director Integration, Build and Deployment | Information Security Manager |
| --- | --- | --- | --- | --- | --- | --- |
| 1. Network and infrastructure security | A | I | R | I | R | C |
| 2. User identity and logical access | A | C | R | I | R | C |
| 3. Physical access | A | C | R | I | R | C |
| 4. Protecting against malicious software | A | I | R | I | R | C |

Appendix 3: Action Plan

| Activities | Responsible Person | Timeframe |
| --- | --- | --- |
| Communicating the change | Communication Manager | 01-Jan to 15-Jan-2020 |
| Pre-implementation survey | Communication Manager | 15-Jan to 15-Feb-2020 |
| Pre-requisite skill training | Process Integration Manager | 15-Feb to 30-Mar-2020 |
| Governance objective implementation | Governance Integration Manager | 1-Apr to 15-May-2020 |
| Management objective implementation | Process Integration Manager | 1-Apr to 15-Aug-2020 |
| Awareness training | Governance Integration Manager and Process Integration Manager | 15-Aug to 7-Sep-2020 |
| Feedback survey | Communication Manager | 8-Sep to 30-Sep-2020 |
| Close of project | Chief Information Officer | 1-Oct-2020 |

Appendix 4: Communication Plan

| What | Who | How | When |
| --- | --- | --- | --- |
| 1. Vision | From: Director General Department of Education. To: Chief Information Officer, Director ICT Operations and Customer Services, Director ICT Governance and Planning, Director Integration, Build and Deployment | Meetings | After the proposal is approved |
| 2. Key management involvement | From: Project Manager. To: other executives and directors under Deputy Director General Education Business Services | Meetings | Early Jan-2020 |
| 3. Project timeline | From: Project Manager. To: other executives and directors under Deputy Director General Education Business Services | Email and meeting | Early Jan-2020 |
| 4. Pre-requisite skill training | From: Process Integration Manager. To: underlying team | Workshop and meeting | Mid Feb-2020 |
| 5. Implementation specification | From: Process Integration Manager. To: underlying team | Email and meeting | Early Mar-2020 |
| 6. Awareness training | From: Communication Manager. To: Director ICT Operations and Customer Services, Director ICT Governance and Planning, Director Integration, Build and Deployment offices | Email | Early Aug-2020 |
| 7. Close of the project | From: Project Manager. To: all offices under Deputy Director General Education Business Services | Email, department announcement | Early Oct-2020 |

Appendix 5: Training Plan

| Module | Outcome | Delivery Mode |
| --- | --- | --- |
| Overview of COBIT19 | DoE will understand the benefit of good IT governance; promoting the effectiveness of IT governance in the department | Online learning |
| Security awareness | DoE will understand the significance of IT security; promoting individual awareness | Online learning |
| Business continuity | DoE will be able to act accordingly in the event of any business disruption | Workshop |
| Disaster recovery | DoE will be able to act accordingly in the event of IT system failures | Workshop |
| Security incident response | The DoE IT team will be able to act accordingly in the event of an IT security breach | Workshop |

Appendix 6: Change Resistance Root Causes and Overcome Factors

ISACA (2018d, p. 39) identifies the following common root causes of resistance to change and factors for overcoming them.

Root Causes
- Misunderstanding the usefulness of the requirements
- Fear of an increase in workload and cost
- Unwillingness to admit fault
- Threat to role and power
Overcome Factors
- Provide awareness based on educating rather than instructing
- Employ change agents who have both IT and business experience
- Create a sense of success after each implementation milestone
- Boost the sense of recognition in every small win
- Focus on enabling or empowering people through training, coaching, mentoring and transferring skills

Reference List

Auditor General Western Australia 2017, Information Systems Audit Report 2017, ISSN 2200-1921, Western Australian Auditor General’s Report, 7th Floor Albert Facey House, 469 Wellington Street, Perth.

Auditor General Western Australia 2018, Information Systems Audit Report 2018, ISSN 2200-1921, Western Australian Auditor General’s Report, 7th Floor Albert Facey House, 469 Wellington Street, Perth.

Auditor General Western Australia 2019, Information Systems Audit Report 2019, ISSN 2200-1921, Western Australian Auditor General’s Report, 7th Floor Albert Facey House, 469 Wellington Street, Perth.

Department of Education 2018a, Department of Education Annual Report 2017–18, ISSN 1843–2396, Department of Education, Government of Western Australia.

Department of Education 2018b, Strategic Outline, ISBN 978-0-7307-4617-1, Department of Education Western Australia, 151 Royal Street, East Perth WA 6004.

ISACA 2018a, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, ISBN 978-1-60420-765-1, ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA.

ISACA 2018b, COBIT® 2019 Framework: Governance and Management Objectives, ISBN 978-1-60420-764-4, ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA.

ISACA 2018c, COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7, ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA.

ISACA 2018d, COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, ISBN 978-1-60420-766-8, ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA.

MLA, JW 2012, The role of ICT in Western Australian Education: Living and Working in a Digital World, ISBN 978-1-921865-59-6, Parliament of Western Australia, Perth, <www.parliament.wa.gov.au/ehsc>.

Queensland Government Chief Information Officer, Change Management Plan Workbook and Template, <http://www.nrm.wa.gov.au/media/10528/change_management_plan_workbook_and_template.pdf>.