Good Governance - Effective use of IT

Written evidence submitted by NLAWARP (IT 51)

Preface

This paper presents the response from the National Local Authority WARP to the Public Administration Select Committee’s inquiry into the Effective use of ICT by Government.

The NLAWARP is an umbrella project for Local Authority Warning, Advice and Reporting Points. It represents approximately 100 Local Authorities and other public sector organisations which share knowledge, expertise and experience on both the technical and policy sides of Information Assurance.

The NLAWARP promotes the CPNI (Centre for the Protection of National Infrastructure) WARP concept, which aims to provide three core services to members: Advice brokering, Trusted sharing of incidents, and the ability to receive updates on developments, threats and vulnerabilities in the area of Information Assurance. Additionally, NLAWARP members are regularly updated on the policies and guidance coming from Central Government.

The NLAWARP works closely with Socitm and the Local Government Association both to deliver effective guidance based on industry best practice and to lobby central government policy makers on behalf of our members.

1. How well is technology policy co-ordinated across Government?

1.1. There is very little co-ordination on technology policy across Government. Security Policies and frameworks which Local Authorities must work towards are often written for Government Departments and bear little consideration for the wider public sector.

2. How effective are its governance arrangements?

2.1. Local Authorities have little, if any, input to the Governance of Information Security. The importance of good information governance has become increasingly apparent; however, many areas of the business still don’t understand this, and in the current austere climate securing funding for Information Security is far more difficult than ever before, despite the increasing cyber security threat.

2.2. While the Security Policy Framework (SPF) mandates the appointment of a Senior Information Risk Owner (SIRO), the SPF itself cannot be mandated on Local Government, as each Local Authority is a sovereign democratic entity. This can create issues, as policy writers often assume that Local Authorities are working to the SPF, and this then creates a further disparity between policies written by Central Government that are not fit for purpose in a Local Authority.

2.3. The Local CIO council has created an avenue into Central Government, but there is a feeling that the wider public sector is still consulted too late in the policy making process.

3. Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learnt and applied?

3.1. OGC focuses on central government, so its work, apart from PRINCE, MSP and the other standards it has developed, has been of little use. The OGC approach towards large frameworks also precludes small companies from bidding for government work, to the point where smaller companies are sub-contracted in by larger ones to deliver work, simply because the smaller companies could not bid themselves. This wastes huge amounts of money.

4. How well is IT used in the design, delivery and improvement of public services?

4.1. In these austere times, cost reduction is almost the only driver for change that has remained. IT is seen as a key cost reduction mechanism: delivering services digitally is far cheaper than other, more traditional delivery mechanisms, but strong Information Governance is required to enable these services. As citizens increasingly carry out transactions over the Internet and services are shared both in and between organisations, maintaining control over data becomes more complex. Even though the majority of citizen services are delivered at the local level, Local Authorities have not seen a single penny of the £500 million spent on cyber security.

5. What role should IT play in a ‘post-bureaucratic age’?

5.1. IT and data should become commoditised and be used to facilitate and drive business operations. Aggregating separate datasets will allow the business to far more effectively utilise the data it already holds, but there are privacy implications associated with this that need to be taken into account.

5.2. The key message is that IT must be aligned to the business goals and requirements of each individual organisation.

6. What skills does Government have and what are those it must develop in order to acquire IT capability?

6.1. There have always been a number of facets to the ICT world; the one often ignored is procurement. Only through smarter procurement can we ensure the right solutions at the right price.

6.2. We need standards, world class ones, which will ensure full integration and inter-operability. We need excellence in enterprise and security architecture. We need our own capability to develop the services and systems that government needs for the future. We need good governance, programme management and audit.

7. How well do current procurement policies and practices work?

7.1. There is much room for improvement on the procurement front. Much of the inefficiency is due to the EU procurement regulations; these often bind government into bureaucratic contracts which do not deliver best value and can even become systems in their own right. We need an appropriate regime for our government.

8. What infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?

8.1. Government must maintain its own strategy, policy, standards and security capabilities. We need our own network and authentication mechanism. Aspects of this will be outsourced, but we must maintain our own capability to ensure that we have the security, resilience and capabilities necessary to deliver government systems.

9. How will public sector IT adapt to the new ‘age of austerity’?

9.1. Government needs to carefully consider the overheads of procurement; the procurement exercise should itself be a measured percentage of the overall contract price. The government needs to understand the assets it already owns and ensure that the maximum use of these assets is being made. Where new initiatives are planned, fully implement the gateway review process and ensure that best value is being realised. Check, before buying new, that there isn’t already something similar, no longer required elsewhere but still contracted to be paid for, that cannot be re-purposed.

10. How well does Government take advantage of new technological developments and external expertise?

10.1. Government does work with industry; there are many forums and a whole micro-industry around this. However, it is very difficult for smaller SMEs to engage. There is a vast amount of knowledge and expertise in the civil service; it doesn’t always get used to its best advantage.

10.2. Money should be invested in developing communities of practice. Collaboration and knowledge sharing are critical for the retention of knowledge, skills and experience moving forward.

11. How appropriate is the Government’s existing approach to information security, information assurance and privacy?

11.1. Government does work with industry; there are many forums and a whole micro-industry around this. However, it is very difficult for smaller SMEs to engage. There is a vast amount of knowledge and expertise in the civil service; it doesn’t always get used to its best advantage.

11.2. Money should be invested in developing communities of practice. Collaboration and knowledge sharing are critical for the retention of knowledge, skills and experience moving forward.

12. How well does the UK compare to other countries with regard to government procurement and application of IT systems?

12.1. Government has, over a long time, got security, information assurance and resilience basically right, although it is not very well co-ordinated. Resilience especially is not being properly invested in. The new cyber approach is wholly focused on central government and defence, ignoring the wider public sector. A holistic approach needs a holistic solution. As more services get devolved and delivered locally, the threat surface will change, and the capability and focus to respond to new threats need to change with it.

January 2011