Improving government information and communications technology assurance

1 confirmed that the overarching objective for improving system-wide Information and Communications Technology (ICT) assurance is to provide stakeholders with confidence that ICT risks and processes within the State Services are identified and effectively managed;

2 noted that there is currently no single agency with responsibility for providing a system-wide view of government ICT assurance;

3 noted that improving system-wide ICT assurance is critical for the ICT-led business transformation set out in the ‘Government ICT Strategy and Action Plan 2017’ [CAB(13) 20/12];

4 agreed that, as part of the ICT functional leadership role, the Government Chief Information Officer (GCIO) will have responsibility for coordinated oversight and delivery of system-wide ICT assurance;

5 agreed that the GCIO provision of system-wide ICT assurance will include:

6 noted that the GCIO will introduce Technical Quality Assessment (TQA) for ICT projects, where appropriate, and will strengthen the Independent Quality Assessment (IQA) of ICT projects by establishing an independent panel of providers for TQA and IQA services;

7 directed Public Service departments and the New Zealand Police, New Zealand Defence Force, New Zealand Security Intelligence Service and Parliamentary Counsel Office to use the TQA and IQA panel referred to in paragraph 6 above, as directed by the GCIO;

8 noted that the State Services Commissioner will encourage chief executives and board chairs in the wider State Services to use the TQA and IQA panel referred to in paragraph 6 above;

9 invited the Speaker of the House to direct the Office of the Clerk and the Parliamentary Service to use the TQA and IQA panel referred to in paragraph 6 above;

10 noted that to provide the system-wide ICT assurance referred to in paragraph 4 above, the GCIO will require the ability to:

11 noted that departmental chief executives will support the GCIO in the assurance role by providing the GCIO and central agencies with the information needed to provide a system-wide view of ICT risks and performance, and by lifting their own ICT risk management and performance;

12 directed Public Service departments and the New Zealand Police, New Zealand Defence Force, New Zealand Security Intelligence Service and Parliamentary Counsel Office to provide ICT assurance information to the GCIO upon request;

13 directed the agencies listed in paragraph 12 above to work with the GCIO where issues of concern related to ICT assurance are raised;

14 agreed that the GCIO has a mandate to provide Ministers with advice on whether ICT projects and programmes should proceed, and on the suitability of current ICT systems and processes, as the GCIO sees fit or at the request of Ministers;

15 noted that the State Services Commissioner will ensure that improving ICT assurance is part of Public Service chief executives’ performance plans;

16 noted that the State Services Commissioner will discuss issues of concern relating to ICT assurance raised by the GCIO with chief executives of Public Service departments;

17 noted that the State Services Commissioner will encourage chief executives and board chairs in the wider State Services to provide ICT assurance information to the GCIO on request;

18 invited the Speaker of the House to direct the Office of the Clerk and the Parliamentary Service to provide assurance information to the GCIO upon request;

19 invited Ministers to use all mechanisms available to them to ensure that agency chief executives and board chairs are made aware of government’s expectations that ICT assurance information will be provided to the GCIO upon request;

20 noted that the State Sector and Public Finance Reform Bill amends the Crown Entities Act 2004 to support functional leadership, by expanding the purposes for which a whole-of-government direction can be applied (including purposes relating to functional leadership);

21 directed the GCIO to work with the State Services Commission to prepare a draft whole-of-government direction to Crown entities, to give effect to the GCIO assurance role, in preparation for the enactment of the State Sector and Public Finance Reform Bill expected in July 2013;

22 directed the GCIO to provide an initial assessment of the status of system-wide ICT assurance by September 2013, and to report to Cabinet six monthly thereafter;

23 directed the GCIO to report significant ICT assurance concerns immediately upon identification to relevant chief executives, board chairs, and/or the State Services Commissioner and the responsible Minister;

24 directed the GCIO to provide regular update reports on ICT assurance issues to the Government ICT Ministerial Group;

25 noted that central agencies and the GCIO will work closely together on ICT assurance, including directly exchanging all relevant information;

26 directed central agencies to review Cabinet Office Circular CO (10) 2, ‘Capital Asset Management in Departments and Crown Entities: Expectations’, to ensure that it is up-to-date and aligned with the functional leadership role and with requirements to improve system-wide ICT assurance;

27 authorised the Minister of Finance, the Minister of State Services and the Minister of Internal Affairs, in consultation with the Cabinet Office, to update CO (10) 2, and to approve any such circulars as may be necessary to clarify the government’s intentions relating to the management of information and ICT assets and infrastructure;

28 noted that on 20 August 2012, Cabinet agreed to a coordinated approach for managing the government’s adoption of cloud computing, and directed the Department of Internal Affairs to report back on a cloud computing risk and assurance framework [CAB Min (12) 29/8A];

29 noted that adopting cloud computing safely requires agencies to follow standard information management processes, such as appropriate data classification, risk assessment and mitigation processes;

30 agreed that the cloud computing risk and assurance framework will be included as part of the system-wide ICT assurance framework outlined in the paper under CAB (13) 329;

31 noted that improving ICT system assurance is a new role for the GCIO;

32 noted that the GCIO assurance role will have system-wide benefits by helping all agencies to maintain the public trust and confidence necessary to allow the full benefit realisation of digital technologies and ICT-led business transformation;

33 noted that new Crown funding is required for the GCIO to establish the standing capability to successfully carry out the assurance role;

34 agreed that a fee-for-service funding model will apply for assurance intervention services provided to agencies by the GCIO;

35 approved the following changes to appropriations to give effect to paragraphs 33 and 34 above, with a corresponding impact on the operating balance:

Changes to appropriations: Vote Internal Affairs, Minister of Internal Affairs

Department Output Expense: Information and Technology Services MCOA; Cross-Government ICT Strategy and Planning, Service Delivery and Investment Proposal (funded by revenue Crown).

$ m[illion] increase/(decrease)

• 2013–14: 1.500
• 2014–15: 1.500
• 2015–16: 1.500
• 2016–17: 1.500
• 2017–18 and outyears: 1.500

36 agreed that the above change to appropriations for 2013–14 above be included in the 2013–14 Supplementary Estimates and that, in the interim, the increase be met from Imprest Supply;

37 agreed that the expenses incurred under paragraph 35 above be a charge against the between-budget operating contingency, established as part of Budget 2013;

38 invited the Minister of State Services and the Minister of Internal Affairs to release communications about improvements to ICT assurance, which may include the proactive release of the paper under CAB (13) 329 and its associated minute, subject to any deletions that would be justified if the information had been requested under the Official Information Act 1982.